-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. +> Enabling Windows Defender Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. >[!NOTE] -> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). +> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications will break if they require: - Kerberos DES encryption support @@ -57,20 +70,20 @@ Applications will prompt and expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 -Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. +Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. -See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) +See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) ## Security considerations -All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. +All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
### Baseline protections @@ -81,10 +94,10 @@ The following tables describe baseline protections, plus protections for improve | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
|Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT EnterpriseImportant:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. +> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. ### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 diff --git a/windows/access-protection/credential-guard/credential-guard-scripts.md b/windows/access-protection/credential-guard/credential-guard-scripts.md index ec3e0f5c91..cd00d7fe8c 100644 --- a/windows/access-protection/credential-guard/credential-guard-scripts.md +++ b/windows/access-protection/credential-guard/credential-guard-scripts.md @@ -1,6 +1,6 @@ --- -title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10) -description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10. +title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10) +description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -9,7 +9,7 @@ ms.localizationpriority: high author: brianlic-msft --- -# Credential Guard: Scripts for Certificate Authority Issuance Policies +# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies Here is a list of scripts mentioned in this topic. diff --git a/windows/access-protection/credential-guard/credential-guard.md b/windows/access-protection/credential-guard/credential-guard.md index 6ce7661b47..56949895b5 100644 --- a/windows/access-protection/credential-guard/credential-guard.md +++ b/windows/access-protection/credential-guard/credential-guard.md @@ -1,6 +1,6 @@ --- -title: Protect derived domain credentials with Credential Guard (Windows 10) -description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. +title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10) +description: Introduced in Windows 10 Enterprise, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 ms.prod: w10 ms.mktglfcycl: explore @@ -10,21 +10,21 @@ ms.localizationpriority: high author: brianlic-msft --- -# Protect derived domain credentials with Credential Guard +# Protect derived domain credentials with Windows Defender Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series. +Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Windows Defender Credential Guard video series. -Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. +Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. -By enabling Credential Guard, the following features and solutions are provided: +By enabling Windows Defender Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures. ## Related topics @@ -33,7 +33,7 @@ By enabling Credential Guard, the following features and solutions are provided: - [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel) - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert) - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode) -- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) +- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) - [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382) - [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx) - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) @@ -42,6 +42,6 @@ By enabling Credential Guard, the following features and solutions are provided: ## See also -**Deep Dive into Credential Guard: Related videos** +**Deep Dive into Windows Defender Credential Guard: Related videos** -[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file +[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 84a8935184..104805b446 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md @@ -127,11 +127,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf ### Public Key Infrastructure -The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller is a legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. ### Cloud -Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements can may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional. +Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional. ## Planning a Deployment @@ -188,7 +188,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusive uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. ### Multifactor Authentication @@ -204,13 +204,13 @@ If box **1a** on your planning worksheet reads **hybrid**, then you have a few o You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service. -If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet. +If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet. You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet. Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. -The last option is for you to use AD FS with a third-party adapter to as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. +The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. If box **1a** on your planning worksheet reads **on-premises**, then you have two second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter. @@ -261,7 +261,7 @@ Review the trust type portion of this section if box **4d** on your planning wor ### Public Key Infrastructure -Public key infrastructure prerequisites already exist on your planning worksheet. These conditions are the minimum requirements for any hybrid our on-premises deployment. Additional conditions may be needed based on your trust type. +Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type. If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure. diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index 0ae8111073..f57a685f07 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -1,40 +1,40 @@ --- -title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10) -description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. +title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) +description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft --- -# Protect Remote Desktop credentials with Remote Credential Guard +# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard **Applies to** - Windows 10 - Windows Server 2016 -Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device. +Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device. You can use Remote Credential Guard in the following ways: - Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device. -- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware. +- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Windows Defender Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware. -## Comparing Remote Credential Guard with a server protected with Credential Guard +## Comparing Windows Defender Remote Credential Guard with a server protected with Credential Guard -Use the following diagrams to help understand how Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection. +Use the following diagrams to help understand how Windows Defender Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection. - + -## Comparing Remote Credential Guard with other options for Remote Desktop connections +## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options Use the following table to compare different security options for Remote Desktop connections. > [!NOTE] > This table compares different options than are shown in the previous diagram. -| Remote Desktop | Remote Credential Guard | Restricted Admin mode | +| Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | |---|---|---| | Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. | | Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | @@ -47,22 +47,25 @@ Use the following table to compare different security options for Remote Desktop ## Hardware and software requirements -The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard: +To use Windows Defender Remote Credential Guard, the Remote Desktop client and server must meet the following requirements: -- They must be joined to an Active Directory domain - - Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain. -- They must use Kerberos authentication. -- They must be running at least Windows 10, version 1607 or Windows Server 2016. -- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard. +- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703. -## Enable Remote Credential Guard +> [!NOTE] +> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. -You must enable Remote Credential Guard on the target device by using the registry. +- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication +- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. +- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. + +## Enable Windows Defender Remote Credential Guard + +You must enable Windows Defender Remote Credential Guard on the target device by using the registry. 1. Open Registry Editor. -2. Enable Remote Credential Guard: +2. Enable Windows Defender Remote Credential Guard: - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. - - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard. + - Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. 3. Close Registry Editor. You can add this by running the following from an elevated command prompt: @@ -71,26 +74,26 @@ You can add this by running the following from an elevated command prompt: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD ``` -## Using Remote Credential Guard +## Using Windows Defender Remote Credential Guard -You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. +You can use Windows Defender Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection. -### Turn on Remote Credential Guard by using Group Policy +### Turn on Windows Defender Remote Credential Guard by using Group Policy 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**. 2. Double-click **Restrict delegation of credentials to remote servers**. -  +  3. Under **Use the following restricted mode**: - - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used. + - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. - > **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - - If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic. + - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic. 4. Click **OK**. @@ -99,26 +102,26 @@ You can use Remote Credential Guard on the client device by setting a Group Poli 6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied. -### Use Remote Credential Guard with a parameter to Remote Desktop Connection +### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection -If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection. +If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. ``` mstsc.exe /remoteGuard ``` -## Considerations when using Remote Credential Guard +## Considerations when using Windows Defender Remote Credential Guard -- Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied. +- Windows Defender Remote Credential Guard does not include device claims. For example, if you’re trying to access a file server from the remote and the file server requires device claim, access will be denied. -- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory. +- Windows Defender Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory. - Remote Desktop Credential Guard only works with the RDP protocol. - No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own. -- Remote Desktop Gateway is not compatible with Remote Credential Guard. +- Remote Desktop Gateway is not compatible with Windows Defender Remote Credential Guard. - You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device. diff --git a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md index bbc34eda26..e462485fa4 100644 --- a/windows/access-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/access-protection/windows-firewall/basic-firewall-policy-design.md @@ -35,15 +35,15 @@ Many network administrators do not want to tackle the difficult task of determin With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. ->**Caution:** Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. +>**Caution:** Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. -By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later. +By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later. -If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. +If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. -Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. +Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. -An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation. +An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation. After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. @@ -57,7 +57,7 @@ For more information about this design: - To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 0c3612bef6..a5da7eb1c8 100644 --- a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -49,4 +49,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. -**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md index 6a1a244f5c..b1c4462af5 100644 --- a/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -31,10 +31,10 @@ For more info about this design: - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). - For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). -**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) diff --git a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 747345df41..edc76c960f 100644 --- a/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -29,9 +29,9 @@ In this topic: ## To convert a rule from request to require mode -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the navigation pane, click **Connection Security Rules**. +2. In the right navigation pane, click **Connection Security Rules**. 3. In the details pane, double-click the connection security rule that you want to modify. diff --git a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index af8be53831..2688b42949 100644 --- a/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -21,6 +21,6 @@ This checklist includes tasks for configuring a GPO with firewall defaults and s | Task | Reference | | - | - | -| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| -| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | -| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | +| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)| diff --git a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md index 207e94a1a5..bf5a3ef044 100644 --- a/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -25,7 +25,7 @@ For most GPO deployment tasks, you must determine which devices must receive and ## About exclusion groups -A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. +A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. @@ -33,11 +33,11 @@ You can also use a membership group for one zone as an exclusion group for anoth | Task | Reference | | - | - | -| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| | Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | | If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | -| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | +| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | \ No newline at end of file diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 0e170e2c53..64462fc07c 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about >**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). **Checklist: Implementing a basic firewall policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| | Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 6a65e70ac2..6eafbc017b 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -23,7 +23,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | -| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | | Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 1c370cc0c7..4d8969d702 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about >**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. -The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). **Checklist: Implementing a domain isolation policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| diff --git a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 533859a661..f05114fabb 100644 --- a/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -25,7 +25,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | -| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/access-protection/windows-firewall/configure-authentication-methods.md b/windows/access-protection/windows-firewall/configure-authentication-methods.md index cee5bff4da..9b01cccb54 100644 --- a/windows/access-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/access-protection/windows-firewall/configure-authentication-methods.md @@ -26,15 +26,15 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure authentication methods** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. 4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: - 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. diff --git a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 4c7f4c94ea..53f6cd4935 100644 --- a/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure quick mode settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. diff --git a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index dd11e2d12d..ceb70e603a 100644 --- a/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure key exchange settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec Settings** tab, click **Customize**. diff --git a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md index cdc97d2167..51751f2455 100644 --- a/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -19,7 +19,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To modify an authentication request rule to also require encryption** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. @@ -27,7 +27,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. -5. In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**. +5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={***guid***}**, and then click **Properties**. 6. Click the **IPsec Settings** tab. @@ -42,11 +42,11 @@ To complete this procedure, you must be a member of the Domain Administrators gr 10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). **Note** - Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. - Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. + Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell. - For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) 11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. diff --git a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md index 086d294c27..435bb8f776 100644 --- a/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -1,6 +1,6 @@ --- -title: Configure the Windows Firewall Log (Windows 10) -description: Configure the Windows Firewall Log +title: Configure the Windows Defender Firewall Log (Windows 10) +description: Configure the Windows Defender Firewall Log ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.prod: w10 ms.mktglfcycl: deploy @@ -10,13 +10,13 @@ ms.pagetype: security author: brianlic-msft --- -# Configure the Windows Firewall Log +# Configure the Windows Defender Firewall with Advanced Security Log **Applies to** - Windows 10 - Windows Server 2016 -To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. +To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. **Administrative credentials** @@ -24,13 +24,13 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log) +- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log) -## To configure the Windows Firewall log +## To configure the Windows Defender Firewall with Advanced Security log -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. @@ -40,14 +40,14 @@ In this topic: 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. - >**Important:** The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. + >**Important:** The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. 5. No logging occurs until you set one of following two options: - - To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. + - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. - - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. + - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**. 6. Click **OK** twice. diff --git a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 057dd20255..4ca087720c 100644 --- a/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,6 +1,6 @@ --- -title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) -description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10) +description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.prod: w10 ms.mktglfcycl: deploy @@ -9,13 +9,13 @@ ms.pagetype: security author: brianlic-msft --- -# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked **Applies to** - Windows 10 - Windows Server 2016 -To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. +To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. >**Caution:** If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. @@ -25,11 +25,11 @@ We recommend that you do not enable these settings until you have created and te To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules +## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. diff --git a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index e48455f5e9..00b30c104b 100644 --- a/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -18,17 +18,16 @@ author: brianlic-msft In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. **Important** -Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. +Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. - **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. **To create a rule that exempts specified hosts from authentication** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md index 42617dc699..2b9f10a74c 100644 --- a/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/access-protection/windows-firewall/create-an-authentication-request-rule.md @@ -23,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr To create the authentication request rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md index 83983389da..e9d89fe583 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. +To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. **Administrative credentials** @@ -29,7 +29,7 @@ This topic describes how to create a port rule that allows inbound ICMP network To create an inbound ICMP rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md index 212bf9a8fc..e7d860e7e1 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-port-rule.md @@ -15,7 +15,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall +with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. **Administrative credentials** @@ -29,7 +30,7 @@ This topic describes how to create a standard port rule for a specified protocol **To create an inbound port rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index 62c8e83e1b..73ff4dd9d1 100644 --- a/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. +To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. >**Note:** This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. @@ -25,7 +25,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an inbound firewall rule for a program or service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md index 9a06f49266..5118794bc7 100644 --- a/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/access-protection/windows-firewall/create-an-outbound-port-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an outbound port rule -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. @@ -37,7 +37,7 @@ To create an outbound port rule 6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. - If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. diff --git a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 2e7e5c2e1e..a45c1e27a4 100644 --- a/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To create an outbound firewall rule for a program or service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index a7cf60c649..b1042decfd 100644 --- a/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. +To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. **Administrative credentials** @@ -35,7 +35,7 @@ In this topic: ## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index df45d7bcb2..7f241a26ff 100644 --- a/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,6 +1,6 @@ --- -title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) -description: Designing a Windows Firewall with Advanced Security Strategy +title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10) +description: Designing a Windows Defender Firewall Strategy ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Designing a Windows Firewall with Advanced Security Strategy +# Designing a Windows Defender Firewall with Advanced Security Strategy **Applies to** - Windows 10 diff --git a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 01ed85051c..9bf8f022de 100644 --- a/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -136,4 +136,4 @@ With the other information that you have gathered in this section, this informat The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. -**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/access-protection/windows-firewall/documenting-the-zones.md b/windows/access-protection/windows-firewall/documenting-the-zones.md index 9c120835e8..626dcb014a 100644 --- a/windows/access-protection/windows-firewall/documenting-the-zones.md +++ b/windows/access-protection/windows-firewall/documenting-the-zones.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: | Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | | - | - | - | - | - | - | diff --git a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md index 6f15c8338f..c574eb7ab3 100644 --- a/windows/access-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/domain-isolation-policy-design.md @@ -55,7 +55,7 @@ For more info about this design: - To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). -- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the info described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). diff --git a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md index 59e8325dac..7533422632 100644 --- a/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To deploy predefined firewall rules that allow inbound network traffic for common network functions -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md index 137de67aa2..a21658eba7 100644 --- a/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators To deploy predefined firewall rules that block outbound network traffic for common network functions -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index c7fe4f7637..46b8f6f71f 100644 --- a/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,6 +1,6 @@ --- -title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) -description: Evaluating Windows Firewall with Advanced Security Design Examples +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.prod: w10 ms.mktglfcycl: deploy @@ -9,15 +9,15 @@ ms.pagetype: security author: brianlic-msft --- -# Evaluating Windows Firewall with Advanced Security Design Examples +# Evaluating Windows Defender Firewall with Advanced Security Design Examples **Applies to** - Windows 10 - Windows Server 2016 -The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. +The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. -- [Firewall Policy Design Example](firewall-policy-design-example.md) +- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md) - [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) diff --git a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md index 21100a9674..59b17edc20 100644 --- a/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -23,8 +23,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr To exempt ICMP network traffic from authentication -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. +2. On the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. 3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. diff --git a/windows/access-protection/windows-firewall/firewall-policy-design-example.md b/windows/access-protection/windows-firewall/firewall-policy-design-example.md index 8dad2b48f7..c78fdb7508 100644 --- a/windows/access-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/access-protection/windows-firewall/firewall-policy-design-example.md @@ -25,7 +25,7 @@ A key line-of-business program called WGBank consists of a client program runnin ## Design requirements -The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. +The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. The following illustration shows the traffic protection needs for this design example. @@ -82,7 +82,7 @@ The following groups were created by using the Active Directory Users and Comput The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - - Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. + - Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. @@ -90,15 +90,15 @@ The following groups were created by using the Active Directory Users and Comput - **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. -- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. - **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Defender Firewall with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 0c507fdc73..fdbe2852e0 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: +Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: - **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. @@ -27,6 +27,6 @@ Active Directory is another important item about which you must gather informati - **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. -- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. **Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md) diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 67dcea5661..46a4a1d89c 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: +Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: - **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. @@ -31,7 +31,7 @@ The goal is to have enough information to be able to identify an asset by its ne Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. -This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. +This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. ## Network segmentation @@ -100,7 +100,7 @@ When you examine traffic flow, look closely at how all managed and unmanaged dev - How do servers and clients communicate with each other? -- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. +- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Defender Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. Some of the more common applications and protocols are as follows: @@ -108,6 +108,6 @@ Some of the more common applications and protocols are as follows: - **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. -- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. +- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. **Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) diff --git a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md index 3643e51814..cdb060488d 100644 --- a/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/access-protection/windows-firewall/gathering-information-about-your-devices.md @@ -49,6 +49,6 @@ You can use Windows PowerShell to create a script file that can collect the syst Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. -This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. +This inventory will be critical for planning and implementing your Windows Defender Firewall design. **Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md index 85e9be98dc..f66f69ec44 100644 --- a/windows/access-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/access-protection/windows-firewall/gathering-other-relevant-information.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. +This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. ## Capacity considerations @@ -35,7 +35,7 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con ## Group Policy deployment groups and WMI filters -You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. +You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. ## Different Active Directory trust environments diff --git a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md index a11fbf67c8..6955fdcf1b 100644 --- a/windows/access-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/access-protection/windows-firewall/gathering-the-information-you-need.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. +Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. Review each of the following topics for guidance about the kinds of information that you must gather: diff --git a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md index 00fb043b7a..f608fcdc53 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-boundary.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md index b5d3c6801e..b86a8385ac 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-encryption.md @@ -12,7 +12,7 @@ ms.pagetype: security # GPO\_DOMISO\_Encryption\_WS2008 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md index d1349941e1..fea48288ad 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-firewall.md @@ -15,7 +15,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall +with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. ## Firewall settings @@ -53,7 +54,7 @@ This GPO provides the following rules: - Remote Volume Management - - Windows Firewall Remote Management + - Windows Defender Firewall Remote Management - Windows Management Instrumentation (WMI) diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index a6ab80ad09..6e47c03677 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. +This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. diff --git a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 91cd4e3890..6270e8529e 100644 --- a/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -15,9 +15,9 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. +This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. -Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: +Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: - This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). diff --git a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 092982bd0a..96bd9ea465 100644 --- a/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,6 +1,6 @@ --- -title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10) -description: Identifying Your Windows Firewall with Advanced Security Deployment Goals +title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10) +description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.prod: w10 ms.mktglfcycl: deploy @@ -9,52 +9,21 @@ ms.pagetype: security author: brianlic-msft --- -# Identifying Your Windows Firewall with Advanced Security Deployment Goals +# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals **Applies to** - Windows 10 - Windows Server 2016 -Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. +Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios. -The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals. +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals: -
| Deployment goal tasks | -Reference links | -
|---|---|
Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. |
-Predefined deployment goals: -
|
-
Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design. |
-
|
-
Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan. |
-
|
-
- [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
- [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
- [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
- [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
- [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
- [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
-**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 6099d183c9..63e24245d4 100644 --- a/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,6 +1,6 @@ --- -title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) -description: Implementing Your Windows Firewall with Advanced Security Design Plan +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,15 +9,15 @@ ms.pagetype: security author: brianlic-msft --- -# Implementing Your Windows Firewall with Advanced Security Design Plan +# Implementing Your Windows Defender Firewall with Advanced Security Design Plan **Applies to** - Windows 10 - Windows Server 2016 -The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: +The following are important factors in the implementation of your Windows Defender Firewall design plan: -- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. +- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. - **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. @@ -27,14 +27,14 @@ The following are important factors in the implementation of your Windows Firewa - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. -## How to implement your Windows Firewall with Advanced Security design using this guide +## How to implement your Windows Defender Firewall with Advanced Security design using this guide The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.  -Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design. +Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. - [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) @@ -44,4 +44,4 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) -The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). +The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). diff --git a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md index 9743da28c0..a488a96fe2 100644 --- a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md @@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. +When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. @@ -54,7 +54,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d - Your Windows Store app is installed on the client device. -- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules. +- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Defender Firewall rules. >**Note:** You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). @@ -134,9 +134,9 @@ The following table provides a complete list of the possible app capabilities. | **Webcam** | webcam| Provides access to the webcam's video feed.| | **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.| -You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. +You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. -For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. +For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. **To block Internet access for any apps on your network that have the Documents Library capability** @@ -148,7 +148,7 @@ For example, you could create a Windows Firewall policy to block Internet access 4. Right-click the new GPO, and then click **Edit**. -5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and click **Windows Firewall with Advanced Security – LDAP://…** +5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall – LDAP://…** 6. Right-click **Outbound Rules**, and then click **New Rule**. @@ -206,7 +206,7 @@ Use the following procedure if you want to block intranet access for a specific 4. Right-click your new GPO, and then click **Edit**. -5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then click **Windows Firewall with Advanced Security – LDAP://**… +5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall – LDAP://**… 6. Right-click **Outbound Rules**, and then click **New Rule**. @@ -246,4 +246,4 @@ Use the following procedure if you want to block intranet access for a specific ## See also -- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) +- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) diff --git a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 9712af0076..59c2f98643 100644 --- a/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,6 +1,6 @@ --- -title: Open the Group Policy Management Console to Windows Firewall (Windows 10) -description: Open the Group Policy Management Console to Windows Firewall +title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10) +description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,13 +9,13 @@ ms.pagetype: security author: brianlic-msft --- -# Open the Group Policy Management Console to Windows Firewall +# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -To open a GPO to Windows Firewall +To open a GPO to Windows Defender Firewall: 1. Open the Active Directory Users and Computers console. @@ -23,4 +23,4 @@ To open a GPO to Windows Firewall 3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. -4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**. +4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**. \ No newline at end of file diff --git a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 8f20a73c1c..5cfa7929ea 100644 --- a/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Open Windows Firewall with Advanced Security (Windows 10) -description: Open Windows Firewall with Advanced Security +title: Open Windows Defender Firewall with Advanced Security (Windows 10) +description: Open Windows Defender Firewall with Advanced Security ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,29 +9,29 @@ ms.pagetype: security author: brianlic-msft --- -# Open Windows Firewall with Advanced Security +# Open Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -This procedure shows you how to open the Windows Firewall with Advanced Security console. +This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. **Administrative credentials** To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. -## Opening Windows Firewall with Advanced Security +## Opening Windows Defender Firewall - [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) - [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) -## To open Windows Firewall with Advanced Security using the UI +## To open Windows Defender Firewall using the UI -Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER. +Click Start, type **Windows Defender Firewall**, and the press ENTER. -## To open Windows Firewall with Advanced Security from a command prompt +## To open Windows Defender Firewall from a command prompt 1. Open a command prompt window. @@ -43,4 +43,4 @@ Click Start, type **Windows Firewall with Advanced Security**, and the press ENT **Additional considerations** -Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. +Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. diff --git a/windows/access-protection/windows-firewall/planning-gpo-deployment.md b/windows/access-protection/windows-firewall/planning-gpo-deployment.md index abdff4b8ca..78351be73b 100644 --- a/windows/access-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/access-protection/windows-firewall/planning-gpo-deployment.md @@ -41,11 +41,11 @@ After you have deployed your GPOs and added some test devices to the groups, con - Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. -- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. +- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. -- Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. +- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. -- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. +- Verify that communications are encrypted when the devices require it. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. - Verify that your programs are unaffected. Run them and confirm that they still work as expected. diff --git a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index fdcf972088..506da52a87 100644 --- a/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -37,7 +37,7 @@ The following is a list of the firewall settings that you might consider for inc - **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. -- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. +- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions. - **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. diff --git a/windows/access-protection/windows-firewall/planning-the-gpos.md b/windows/access-protection/windows-firewall/planning-the-gpos.md index 84b3750822..83b84c2132 100644 --- a/windows/access-protection/windows-firewall/planning-the-gpos.md +++ b/windows/access-protection/windows-firewall/planning-the-gpos.md @@ -31,15 +31,17 @@ A few things to consider as you plan the GPOs: >**Caution:** It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. -- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. +- Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. - >**Note:** Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. + + > [!NOTE] + > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. ## Woodgrove Bank example GPOs - The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. In this section you can find information about the following: diff --git a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 8423e4b94f..3e0692fba7 100644 --- a/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) -description: Planning to Deploy Windows Firewall with Advanced Security +title: Planning to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +description: Planning to Deploy Windows Defender Firewall with Advanced Security ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.prod: w10 ms.mktglfcycl: deploy @@ -9,19 +9,19 @@ ms.pagetype: security author: brianlic-msft --- -# Planning to Deploy Windows Firewall with Advanced Security +# Planning to Deploy Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. +After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. -## Reviewing your Windows Firewall with Advanced Security Design +## Reviewing your Windows Defender Firewall with Advanced Security Design -If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: +If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: -- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide: - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) @@ -45,4 +45,4 @@ If the design team that created the Windows Firewall with Advanced Security desi If at least one set of each does not match between two devices, then the devices cannot successfully communicate. -After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). +After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). diff --git a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 736612379f..28331f84ac 100644 --- a/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,6 +1,6 @@ --- -title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) -description: Planning Your Windows Firewall with Advanced Security Design +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +description: Planning Your Windows Defender Firewall with Advanced Security Design ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Planning Your Windows Firewall with Advanced Security Design +# Planning Your Windows Defender Firewall with Advanced Security Design **Applies to** - Windows 10 @@ -76,7 +76,6 @@ When you are ready to examine the options for using certificate-based authentica ## Documenting your design - After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - [Documenting the Zones](documenting-the-zones.md) diff --git a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md index 7374820ed8..9d3f5fadb0 100644 --- a/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/access-protection/windows-firewall/procedures-used-in-this-guide.md @@ -35,11 +35,11 @@ The procedures in this section appear in the checklists found earlier in this do - [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) -- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md) - [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) -- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) - [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) @@ -79,14 +79,12 @@ The procedures in this section appear in the checklists found earlier in this do - [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) +- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md) -- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) +- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) - [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) -- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) +- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) - [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 42da77aa05..1072f58a99 100644 --- a/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -17,7 +17,7 @@ author: brianlic-msft The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. -For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. +For devices that share sensitive information over the network, Windows Defender Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index fa2225b9c4..4d303d685c 100644 --- a/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -17,7 +17,7 @@ author: brianlic-msft Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. -Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). +Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. @@ -41,4 +41,4 @@ The following components are required for this deployment goal: - **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. -**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index dc34b9ac84..c7e586ce8b 100644 --- a/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -17,7 +17,7 @@ author: brianlic-msft Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. -To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. +To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. >**Note:** Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. @@ -35,7 +35,7 @@ These goals, which correspond to [Domain Isolation Policy Design](domain-isolati - Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. - For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. + For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this. No additional rules are required. These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: diff --git a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 57d1bc1e9d..8323fcc41c 100644 --- a/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -27,7 +27,7 @@ To complete these procedures, you must be a member of the Domain Administrators ## To create a firewall rule that grants access to an isolated server -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. 2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. diff --git a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index c6875dfdd6..102a3a95f7 100644 --- a/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -133,11 +133,11 @@ Make sure that you install the required certificates on the participating comput Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: -**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** +**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** -1. Open the Windows Firewall with Advanced Security console. +1. Open the Windows Defender Firewall with Advanced Security console. -2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. +2. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. 3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. @@ -177,7 +177,7 @@ You might not find the exact answer for the issue, but you can find good hints. ## See also -- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) +- [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md) diff --git a/windows/access-protection/windows-firewall/server-isolation-policy-design.md b/windows/access-protection/windows-firewall/server-isolation-policy-design.md index de45c1b7c7..bd4d603e43 100644 --- a/windows/access-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/access-protection/windows-firewall/server-isolation-policy-design.md @@ -45,7 +45,7 @@ For more info about this design: - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). diff --git a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 618894db96..16618245b9 100644 --- a/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,6 +1,6 @@ --- -title: Turn on Windows Firewall and Configure Default Behavior (Windows 10) -description: Turn on Windows Firewall and Configure Default Behavior +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.prod: w10 ms.mktglfcycl: deploy @@ -9,23 +9,23 @@ ms.pagetype: security author: brianlic-msft --- -# Turn on Windows Firewall and Configure Default Behavior +# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior **Applies to** - Windows 10 - Windows Server 2016 -To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. +To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## To enable Windows Firewall and configure the default behavior +## To enable Windows Defender Firewall and configure the default behavior -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. +2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. 3. For each network location type (Domain, Private, Public), perform the following steps. diff --git a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 82f6355c8a..5fa4bdd089 100644 --- a/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,6 +1,6 @@ --- -title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10) -description: Understanding the Windows Firewall with Advanced Security Design Process +title: Understanding the Windows Defender Firewall with Advanced Security Design Process (Windows 10) +description: Understanding the Windows Defender Firewall with Advanced Security Design Process ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,20 +8,20 @@ ms.pagetype: security author: brianlic-msft --- -# Understanding the Windows Firewall with Advanced Security Design Process +# Understanding the Windows Defender Firewall with Advanced Security Design Process Designing any deployment starts by performing several important tasks: -- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: +After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: -- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -- [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +- [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) -**Next:** [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +**Next:** [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) diff --git a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 88ab773159..21a8dd0059 100644 --- a/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -27,15 +27,14 @@ In these procedures, you confirm that the rules you deployed are working correct >**Note:** In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| | Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| -| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.| -| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. | +| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.| +| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. | | Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This is not related to the term zone as used by Domain Name System (DNS). | -**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) +**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md index 4433aaf633..cb9ac4105d 100644 --- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security (Windows 10) -description: Windows Firewall with Advanced Security +title: Windows Defender Firewall with Advanced Security (Windows 10) +description: Windows Defender Firewall with Advanced Security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,35 +8,36 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security +# Windows Defender Firewall with Advanced Security **Applies to** - Windows 10 - Windows Server 2016 -This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. +This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ## Feature description -Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy. +Windows Defender Firewall with Advanced Security +is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. ## Practical applications -To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits: +To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits: -- **Reduces the risk of network security threats.** Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. +- **Reduces the risk of network security threats.** Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. -- **Safeguards sensitive data and intellectual property.** With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. +- **Safeguards sensitive data and intellectual property.** With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. -- **Extends the value of existing investments.** Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). +- **Extends the value of existing investments.** Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). ## In this section | Topic | Description | - | - | -| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. | +| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Windows Store apps that run on devices. | | [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | -| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. | -| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. | -| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. | +| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. | +| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. | +| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. | diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 40c24a2981..ffe541cc15 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -7,6 +7,7 @@ ## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) +## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) ## [Mobile device management for solution providers](mdm/index.md) diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 68debeba89..fa02e99977 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md @@ -18,15 +18,15 @@ Learn about the administrative tools, tasks and best practices for managing Wind | Topic | Description | |---|---| |[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.| -|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)| -|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions| -|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.| -|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones | -|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs| -|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.| +|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.| +|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)| +|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.| |[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10| +|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions| +| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. | |[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options| -|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| +|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs| +|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| |[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.| |[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. | |[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. | \ No newline at end of file diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 406f309f85..2d6046fef1 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -200,6 +200,7 @@ #### [ErrorReporting](policy-csp-errorreporting.md) #### [EventLogService](policy-csp-eventlogservice.md) #### [Experience](policy-csp-experience.md) +#### [ExploitGuard](policy-csp-exploitguard.md) #### [Games](policy-csp-games.md) #### [InternetExplorer](policy-csp-internetexplorer.md) #### [Kerberos](policy-csp-kerberos.md) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82a438d517..979c1f9105 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/06/2017 +ms.date: 08/14/2017 --- # BitLocker CSP @@ -91,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
-**EncryptionMethodByDriveType** -Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).
+**EncryptionMethodByDriveType** +Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)* +
- GP name: *EncryptionMethodWithXts_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
@@ -140,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in treeData type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesRequireStartupAuthentication** -This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).
+This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Require additional authentication at startup* +
- GP name: *ConfigureAdvancedStartup_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.
@@ -204,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in treeData type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesMinimumPINLength** -This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).
+This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name:*Configure minimum PIN length for startup* +
- GP name: *MinimumPINLength_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
@@ -239,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryMessage**This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Configure pre-boot recovery message and URL* +
- GP name: *PrebootRecoveryInfo_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
@@ -290,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryOptions**This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Choose how BitLocker-protected operating system drives can be recovered* +
- GP name: *OSRecoveryUsage_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
@@ -357,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in treeData type is string. Supported operations are Add, Get, Replace, and Delete.
**FixedDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).
+This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Choose how BitLocker-protected fixed drives can be recovered* +
- GP name: *FDVRecoveryUsage_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
@@ -427,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree **FixedDrivesRequireEncryption**This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Deny write access to fixed drives not protected by BitLocker* +
- GP name: *FDVDenyWriteAccess_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
@@ -459,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree **RemovableDrivesRequireEncryption**This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
+| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
ADMX Info:
+-
+
- GP English name: *Deny write access to removable drives not protected by BitLocker* +
- GP name: *RDVDenyWriteAccess_Name* +
- GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives* +
- GP ADMX file name: *VolumeEncryption.admx* +
This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
@@ -500,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +**AllowWarningForOtherDiskEncryption** + +Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
+ +The following list shows the supported values:
+ +- 0 – Disables the warning prompt. +- 1 (default) – Warning prompt allowed. + +Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:
+ +``` syntax +Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
- -The following list shows the supported values:
- -- 0 – Disables the warning prompt. -- 1 (default) – Warning prompt allowed. - -Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:
- -``` syntax -Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. +> [!Note] +> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information. +
Supported operation is Get. ## Related topics diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 7b74bff2f6..1edda04b19 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: - It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. +- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 71cc5e3867..ea9ebb3cb7 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/18/2017 --- # Firewall CSP @@ -33,35 +33,45 @@ The following diagram shows the Firewall configuration service provider in tree **MdmStore/Global**
Interior node.
-Supported operations are Get and Replace.
+Supported operations are Get.
**MdmStore/Global/PolicyVersionSupported** -DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
Value type in integer. Supported operation is Get.
**MdmStore/Global/CurrentProfiles** -DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
Value type in integer. Supported operation is Get.
**MdmStore/Global/DisableStatefulFtp** -This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.
-Boolean value. Supported operations are Get and Replace.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
+Default value is false.
+Data type is bool. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<
-Value type is integer. Supported operations are Get and Replace.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 300.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-**MdmStore/Global/TPresharedKeyEncodingBD** -Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Value type is integer. Supported operations are Get and Replace.
+**MdmStore/Global/PresharedKeyEncoding** +Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/en-us/library/cc231525.aspx). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 1.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/IPsecExempt** -This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Value type is integer. Supported operations are Get and Replace.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/en-us/library/cc231523.aspx); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Value type is integer. Supported operations are Get and Replace.
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
+-
+
- 0 disables CRL checking +
- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. +
- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing +
Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PolicyVersion**This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
@@ -72,12 +82,20 @@ The following diagram shows the Firewall configuration service provider in treeValue type is string. Supported operation is Get.
**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Boolean value. Supported operations are Get and Replace.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.
-Value type is integer. Supported operations are Get and Replace.
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+ +-
+
- 0x00 indicates that all queuing is to be disabled +
- 0x01 specifies that inbound encrypted packets are to be queued +
- 0x02 specifies that packets are to be queued after decryption is performed for forwarding +
Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/DomainProfile**Interior node. Supported operation is Get.
@@ -89,58 +107,79 @@ The following diagram shows the Firewall configuration service provider in treeInterior node. Supported operation is Get.
**/EnableFirewall** -This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableStealthMode** -This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/Shielded** -This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
+Default value is false.
+Value type is bool. Supported operations are Get and Replace.
**/DisableUnicastResponsesToMulticastBroadcast** -This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableInboundNotifications** -This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AuthAppsAllowUserPrefMerge** -This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/GlobalPortsAllowUserPrefMerge** -This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalPolicyMerge** -This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalIpsecPolicyMerge** -This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+-
+
- 0x00000000 - allow +
- 0x00000001 - block +
Default value is 0 (allow).
+Value type is integer. Supported operations are Add, Get and Replace.
**/DefaultInboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
-Value type is integer. Supported operations are Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+-
+
- 0x00000000 - allow +
- 0x00000001 - block +
Default value is 1 (block).
+Value type is integer. Supported operations are Add, Get and Replace.
**/DisableStealthModeIpsecSecuredPacketExemption** -This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Value type is integer. Supported operations are Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**FirewallRules**A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
**FirewallRules/_FirewallRuleName_**Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App**Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
@@ -150,6 +189,7 @@ The following diagram shows the Firewall configuration service provider in treeIf not specified, the default is All.
Supported operation is Get.
**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** @@ -170,14 +210,17 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Protocol**0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+If not specified, the default is All.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalPortRanges**Comma separated list of ranges. For example, 100-120,200,300-320.
+If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemotePortRanges**Comma separated list of ranges, For example, 100-120,200,300-320.
+If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalAddressRanges** @@ -189,6 +232,7 @@ The following diagram shows the Firewall configuration service provider in treeIf not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** @@ -209,6 +253,7 @@ The following diagram shows the Firewall configuration service provider in treeIf not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Description** @@ -217,13 +262,13 @@ The following diagram shows the Firewall configuration service provider in tree **FirewallRules/_FirewallRuleName_/Enabled**Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -If not specified - a new rule is disabled by default.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+If not specified - a new rule is disabled by default.
+Boolean value. Supported operations are Get and Replace.
**FirewallRules_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
- -Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.
+If not specified, the default is All.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Action**Specifies the action for the rule.
@@ -235,7 +280,8 @@ If not specified - a new rule is disabled by default.Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+If not specified, the default is allow.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Direction**Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:
@@ -244,27 +290,24 @@ If not specified - a new rule is disabled by default.Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/FirewallRuleName/InterfaceTypes**Comma separated list of interface types. Valid values:
- RemoteAccess
- Wireless +
- Lan
- MobileBroadband -
- All
Value type is string. Supported operations are Add, Get, Replace, and Delete.
- -**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** -List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+If not specified, the default is All.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/EdgeTraversal**Indicates whether edge traversal is enabled or disabled for this rule.
The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
New rules have the EdgeTraversal property disabled by default.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+Value type is bool. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.
@@ -274,10 +317,6 @@ If not specified - a new rule is disabled by default.Provides information about the specific verrsion of the rule in deployment for monitoring purposes.
Value type is string. Supported operation is Get.
-**FirewallRules/_FirewallRuleName_/FriendlyName** -Specifies the friendly name of the rule. The string must not contain the "|" character.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
- **FirewallRules/_FirewallRuleName_/Name**Name of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 9456acd05e..7a8de5174f 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/18/2017 --- # Firewall CSP @@ -30,6 +30,7 @@ This topic shows the OMA DM device description framework (DDF) for the **FirewalAdded new step-by-step guide to enable ADMX-backed policies.
+Added the following statement:
+-
+
- Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. +
Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
-
+
- Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes. +
- Changed some data types from integer to bool. +
- Updated the list of supported operations for some settings. +
- Added default values. +
Added the following new policies for Windows 10, version 1709:
-
+
- ExploitGuard/ExploitProtectionSettings
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus @@ -1382,6 +1409,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
+Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).
-
@@ -1830,7 +1862,7 @@ The following diagram shows the Policy configuration service provider in tree fo
LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
- - LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
-
LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 70e825b78a..ea9430a79c 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -58,6 +58,33 @@ ms.date: 08/09/2017
- 6 - XTS-AES 128-bit (Desktop only)
- 7 - XTS-AES 256-bit (Desktop only)
+
You can find the following policies in BitLocker CSP: +
-
+
- + BitLocker/EncryptionMethodByDriveType + +
- + BitLocker/FixedDrivesRecoveryOptions + +
- + BitLocker/FixedDrivesRequireEncryption + +
- + BitLocker/RemovableDrivesRequireEncryption + +
- + BitLocker/SystemDrivesMinimumPINLength + +
- + BitLocker/SystemDrivesRecoveryMessage + +
- + BitLocker/SystemDrivesRecoveryOptions + +
- + BitLocker/SystemDrivesRequireStartupAuthentication + +
@@ -68,5 +95,4 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - - + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md new file mode 100644 index 0000000000..cf06c60c3e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -0,0 +1,58 @@ +--- +title: Policy CSP - ExploitGuard +description: Policy CSP - ExploitGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/11/2017 +--- + +# Policy CSP - ExploitGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +**ExploitGuard/ExploitProtectionSettings** + + ++
+ + + ++ +Home +Pro +Business +Enterprise +Education +Mobile +Mobile Enterprise ++ +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. + +
The system settings require a reboot; the application settings do not require a reboot. + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index e24b65ed09..627363f336 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -677,7 +677,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete. -**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD** +**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.
**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | | **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**: Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**: This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.
**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**: This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.
**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**: With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.
**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**: Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.
**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**: Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.
**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). | -In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). +In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview). ## New and changed functionality As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). -## Tools for managing Device Guard features +## Tools for managing Windows Defender Device Guard features -You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: +You can easily manage Windows Defender Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: -- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. +- **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these code integrity and hardware-based security features, you can use Group Policy to help you manage your catalog files. - - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Device Guard features help protect against threats](#how-device-guard-features-help-protect-against-threats), earlier in this topic. + - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic. - For information about using Group Policy as a deployment tool, see:
[Deploy catalog files with Group Policy](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-group-policy)
[Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy) - **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-code-integrity-policies.md#deploy-catalog-files-with-system-center-configuration-manager). @@ -59,25 +59,25 @@ You can easily manage Device Guard features by using familiar enterprise and cli These options provide the same experience you're used to in order to manage your existing enterprise management solutions. -For more information about the deployment of Device Guard features, see: -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) -- [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +For more information about the deployment of Windows Defender Device Guard features, see: +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) -## Other features that relate to Device Guard +## Other features that relate to Windows Defender Device Guard -### Device Guard with AppLocker +### Windows Defender Device Guard with AppLocker -Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Device Guard feature, it complements Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which code integrity policies would be used alongside AppLocker rules. As a best practice, you should enforce code integrity policies at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. -> **Note** One example of how Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. +> **Note** One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule. -AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. +AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. -### Device Guard with Credential Guard +### Windows Defender Device Guard with Windows Defender Credential Guard -Another Windows 10 feature that employs VBS is [Credential Guard](/windows/access-protection/credential-guard/credential-guard). Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Credential Guard (which is not a feature within Device Guard), see [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard). +Another Windows 10 feature that employs VBS is [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). Windows Defender Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Windows Defender Credential Guard (which is not a feature within Windows Defender Device Guard), see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). -Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. +Windows Defender Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Windows Defender Credential Guard, organizations can gain additional protection against such threats. diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index 32732cc6a1..dbd9304e45 100644 --- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -1,6 +1,6 @@ --- title: Optional - Create a code signing certificate for code integrity policies (Windows 10) -description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Device Guard in Windows 10. +description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -As you deploy code integrity policies (part of Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). +As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: @@ -96,7 +96,7 @@ When the certificate has been exported, import it into the personal store for th ## Related topics -- [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +- [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index c822167621..3cff963c28 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -1,6 +1,6 @@ --- -title: Planning and getting started on the Device Guard deployment process (Windows 10) -description: To help you plan and begin the initial test stages of a deployment of Microsoft Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. +title: Planning and getting started on the Windows Defender Device Guard deployment process (Windows 10) +description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -8,19 +8,20 @@ ms.localizationpriority: high author: brianlic-msft --- -# Planning and getting started on the Device Guard deployment process +# Planning and getting started on the Windows Defender Device Guard deployment process **Applies to** - Windows 10 - Windows Server 2016 -This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. +This topic provides a roadmap for planning and getting started on the Windows Defender Device Guard deployment process, with links to topics that provide additional detail. Planning for Windows Defender Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. ## Planning -1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). +1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard(requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-hardware-firmware-and-software-requirements-for- +windows-defender-device-guard). -2. **Group devices by degree of control needed**. Group devices according to the table in [Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. +2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment. 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. @@ -32,20 +33,20 @@ This topic provides a roadmap for planning and getting started on the Device Gua - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? - In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Device Guard code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. - Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). + Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). -4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). +4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). ## Getting started on the deployment process @@ -67,11 +68,11 @@ This topic provides a roadmap for planning and getting started on the Device Gua - [Enforce code integrity policies](deploy-code-integrity-policies-steps.md#enforce-code-integrity-policies) - [Deploy and manage code integrity policies with Group Policy](deploy-code-integrity-policies-steps.md#deploy-and-manage-code-integrity-policies-with-group-policy)
-8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). +8. **Enable desired hardware (VBS) security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats). > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). + For information about enabling VBS features, see [Deploy Windows Defender Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md).
\ No newline at end of file diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9b22432875..ec2f600b51 100644 --- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -1,6 +1,6 @@ --- -title: Requirements and deployment planning guidelines for Device Guard (Windows 10) -description: To help you plan a deployment of Microsoft Device Guard, this article describes hardware requirements for Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. +title: Requirements and deployment planning guidelines for Windows Defender Device Guard (Windows 10) +description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -8,31 +8,31 @@ ms.localizationpriority: high author: brianlic-msft --- -# Requirements and deployment planning guidelines for Device Guard +# Requirements and deployment planning guidelines for Windows Defender Device Guard **Applies to** - Windows 10 - Windows Server 2016 -The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ->**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). +>**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). -## Hardware, firmware, and software requirements for Device Guard +## Hardware, firmware, and software requirements for Windows Defender Device Guard -To deploy Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats. +To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy code integrity policies—the difference is that those computers will not be as hardened against certain threats. -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Device Guard, see [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). +For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). -You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. +The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > **Notes**
-> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
+> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-windows-defender-device-guard-features-help-protect-against-threats).
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Baseline protections @@ -44,9 +44,9 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
| Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT EnterpriseImportant:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | -> **Important** The following tables list additional qualifications for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Device Guard can provide. +> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. ## Additional qualifications for improved security @@ -80,32 +80,32 @@ The following tables describe additional hardware and firmware qualifications, a | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | -## Device Guard deployment in different scenarios: types of devices +## Windows Defender Device Guard deployment in different scenarios: types of devices -Typically, deployment of Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Device Guard in your organization. +Typically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Windows Defender Device Guard in your organization. -| **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | +| **Type of device** | **How Windows Defender Device Guard relates to this type of device** | **Windows Defender Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | +| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Windows Defender Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | | **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.
• Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | +| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.
• Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Windows Defender Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | -## Device Guard deployment in virtual machines +## Windows Defender Device Guard deployment in virtual machines -Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine. +Windows Defender Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Device Guard are the same from within the virtual machine. -Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine: +Windows Defender Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Windows Defender Device Guard for a virtual machine: ` Set-VMSecurity -VMName-VirtualizationBasedSecurityOptOut $true` -### Requirements for running Device Guard in Hyper-V virtual machines +### Requirements for running Windows Defender Device Guard in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - - Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - - Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. + - Windows Defender Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. + - Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity. + - The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity. ## Reviewing your applications: application signing and catalog files @@ -124,9 +124,9 @@ To obtain signed applications or embed signatures in your in-house applications, To use catalog signing, you can choose from the following options: -- Use the Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). +- Use the Windows Defender Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal). -- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). +- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). ### Catalog files @@ -136,9 +136,9 @@ Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered After you have created and signed your catalog files, you can configure your code integrity policies to trust the signer or signing certificate of those files. -> **Note** Package Inspector only works on operating systems that support Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. +> **Note** Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT. -For information about how creating catalog files fits into Device Guard deployment, see [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). +For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md). ## Code integrity policy formats and signing @@ -150,7 +150,7 @@ When the code integrity policy is deployed, it restricts the software that can r ## Related topics -- [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -- [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +- [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md index cc479c5bc2..b2a0c2025c 100644 --- a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md @@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside ## Reference -This policy setting prevents users from adding new Microsoft accounts on a device. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. -If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store. +There are two options if this setting is enabled: -If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system. +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). + +- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. @@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st ### Best practices - By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. -- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts. ### Location diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md index 8203714148..a666d3e71e 100644 --- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,6 +1,6 @@ --- title: TPM Group Policy settings (Windows 10) -description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd ms.prod: w10 ms.mktglfcycl: deploy @@ -15,22 +15,15 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. -The TPM Services Group Policy settings are located at: +The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 +The following Group Policy settings were introduced in Window 10: -Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0. - -Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to: -a) disable it from group policy and b) clear the TPM on the system. - -**The following Group Policy settings were introduced in Window 10:** - -### Configure the list of blocked TPM commands +## Configure the list of blocked TPM commands This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. @@ -48,7 +41,7 @@ For information how to enforce or ignore the default and local lists of blocked - [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands) -### Ignore the default list of blocked TPM commands +## Ignore the default list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. @@ -58,7 +51,7 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. -### Ignore the local list of blocked TPM commands +## Ignore the local list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. @@ -68,7 +61,7 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. -### Configure the level of TPM owner authorization information available to the operating system +## Configure the level of TPM owner authorization information available to the operating system This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. @@ -106,7 +99,7 @@ If you enable this policy setting, the Windows operating system will store the T If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. -### Standard User Lockout Duration +## Standard User Lockout Duration This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. @@ -125,7 +118,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. -### Standard User Individual Lockout Threshold +## Standard User Individual Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). @@ -137,7 +130,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. -### Standard User Total Lockout Threshold +## Standard User Total Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). @@ -156,6 +149,21 @@ If you enable this policy setting, TPM owner information will be automatically a If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. +## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 + +Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. + +> [!IMPORTANT] +> Setting this policy will take effect only if: +- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 +- The system has a TPM 2.0. + +> [!NOTE] +> Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either: +> - Disable it from group policy +> - Clear the TPM on the system + + ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index fd9171827c..f482e0b44e 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -147,6 +147,13 @@ ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) +##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md) +###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md) +###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md) +###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md) +###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md) +###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md) + ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index e854d43efb..ebec2a5082 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,10 +8,13 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft +ms.author: lizross +ms.date: 08/14/2017 ms.localizationpriority: high --- # Block untrusted fonts in an enterprise + **Applies to:** - Windows 10 @@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature +Use Group Policy or the registry to turn this feature on, off, or to use audit mode. + +**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** +1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. + +2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: + + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + + - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + + - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + +3. Click **OK**. + +**To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: +3. Right click on the **MitigationOptions** key, and then click **Modify**. + + The **Edit QWORD (64-bit) Value** box opens. + +4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**. **Important**
Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. -4. Restart your computer. + - **To turn this feature off.** Type **2000000000000**. + + - **To audit with this feature.** Type **3000000000000**. + + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. + +4. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. @@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 2. Scroll down to **EventID: 260** and review the relevant events. --**Event Example 1 - MS Word**
-WINWORD.EXE attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: true-**Note**
Because the **FontType** is *Memory*, there’s no associated **FontPath.** --**Event Example 2 - Winlogon**
-Winlogon.exe attempted loading a font that is restricted by font loading policy.
-FontType: File
-FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
-Blocked: true-**Note**
Because the **FontType** is *File*, there’s also an associated **FontPath.** --**Event Example 3 - Internet Explorer running in Audit mode**
-Iexplore.exe attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: false-**Note**
In Audit mode, the problem is recorded, but the font isn’t blocked. + + **Event Example 1 - MS Word**
+ WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + **Event Example 2 - Winlogon**
+ Winlogon.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: File
+ FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + **Event Example 3 - Internet Explorer running in Audit mode**
+ Iexplore.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: false + + >[!NOTE] + >In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ `.
For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic. +## Related content +- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/) diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 885e4d9279..a98bb34278 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md @@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows |[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| +|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.| |[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| |[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 2bde953608..fdb8d3eec8 100644 --- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 18e242a4f0..8e92f2d2cd 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt --- # Manage updates and scans for endpoints that are out of date @@ -92,7 +93,7 @@ See the following for more information and allowed parameters: ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)). +You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. **Use Group Policy to specify the number of days before protection is considered out-of-date:** diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index d87bb53800..214f619f3f 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt --- # Manage the sources for Windows Defender Antivirus protection updates @@ -63,7 +64,11 @@ The older the updates on an endpoint, the larger the download. However, you must Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth. -The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). +The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). + +> [!IMPORTANT] +> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). +> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: @@ -73,7 +78,7 @@ WSUS | You are using WSUS to manage updates for your network. Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates. File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. Configuration Manager | You are using System Center Configuration Manager to update your endpoints. -MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. +MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md new file mode 100644 index 0000000000..73bb0a5fb0 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -0,0 +1,46 @@ +--- +title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Configure Windows Defender Application Guard policy settings + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. + +Application Guard uses both network isolation and application-specific settings. + +### Network isolation settings +These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. + +>[!NOTE] +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. + + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| + +### Application-specific settings +These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. + +|Name|Supported versions|Description|Options| +|-----------|------------------|-----------|-------| +|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard.
**Important**
Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.| +|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**- Open a command-line program and navigate to Windows/System32.
- Type `wdagtool.exe cleanup`.
The container environment is reset, retaining only the employee-generated data. - Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
The container environment is reset, including discarding all employee-generated data.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| + diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md new file mode 100644 index 0000000000..78a7228f40 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -0,0 +1,44 @@ +--- +title: Frequently asked questions - Windows Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Frequently asked questions - Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. + +## Frequently Asked Questions + +| | | +|---|----------------------------| +|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| +|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +
+ +| | | +|---|----------------------------| +|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| +|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.| +
+ +| | | +|---|----------------------------| +|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| +|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| +
+ +| | | +|---|----------------------------| +|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| +|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png new file mode 100644 index 0000000000..6f2bb5afcf Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png new file mode 100644 index 0000000000..f1391f862c Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png new file mode 100644 index 0000000000..e0bedcd7cd Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png new file mode 100644 index 0000000000..357be9c65b Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png new file mode 100644 index 0000000000..25c22912a5 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png new file mode 100644 index 0000000000..48aa702feb Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png new file mode 100644 index 0000000000..56acb4be53 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png new file mode 100644 index 0000000000..c5e7982909 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png new file mode 100644 index 0000000000..01f4eb6359 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png new file mode 100644 index 0000000000..3fe617b8ed Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png new file mode 100644 index 0000000000..a946325c66 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png new file mode 100644 index 0000000000..877b707030 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png new file mode 100644 index 0000000000..5172022256 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md new file mode 100644 index 0000000000..a93a6519fc --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -0,0 +1,56 @@ +--- +title: Prepare and install Windows Defender Application Guard (Windows 10) +description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Prepare and install Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +## Prepare to install Windows Defender Application Guard +Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. + +- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. + +- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. + +The following diagram shows the flow between the host PC and the isolated container. + + +## Install Application Guard +Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +**To install by using the Control Panel** +1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. + +  + +2. Select the check box next to **Windows Defender Application Guard** and then click **OK**. + + Application Guard and its underlying dependencies are all installed. + +**To install by using PowerShell** +1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. + +2. Right-click **Windows PowerShell**, and then click **Run as administrator**. + + Windows PowerShell opens with administrator credentials. + +3. Type the following command: + + ``` + Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard + ``` +4. Restart the device. + + Application Guard and its underlying dependencies are all installed. + diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md new file mode 100644 index 0000000000..a03b3514c2 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -0,0 +1,37 @@ +--- +title: System requirements for Windows Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# System requirements for Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. + +## Hardware requirements +Your environment needs the following hardware to run Application Guard. + +|Hardware|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V| +|Hardware memory|4 GB minimum, 8 GB recommended| + +## Software requirements +Your environment needs the following hardware to run Application Guard. + +|Software|Description| +|--------|-----------| +|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)| +|Browser|Microsoft Edge and Internet Explorer| +|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)
**-OR-**
[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md new file mode 100644 index 0000000000..152f404382 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -0,0 +1,159 @@ +--- +title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10) +description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Testing scenarios using Windows Defender Application Guard in your business or organization + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. + +## Application Guard in standalone mode +You can see how an employee would use standalone mode with Application Guard. + +**To test Application Guard in Standalone mode** + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. + +  + +4. Wait for Application Guard to set up the isolated environment. + + >[!NOTE] + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + +5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. + +  + +## Application Guard in Enterprise-managed mode +How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. + +### Install, set up, and turn on Application Guard +Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings. + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device and then start Microsoft Edge. + +4. Set up the Network Isolation settings in Group Policy: + + a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. + + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + + c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + +  + + d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + + e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + +  + +5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting. + +6. Click **Enabled**. + +  + + >[!NOTE] + >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + +7. Start Microsoft Edge and type _www.microsoft.com_. + + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + +  + +8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. + + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. + +  + +### Customize Application Guard +Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees. + +Application Guard provides the following default behavior for your employees: + +- No copying and pasting between the host PC and the isolated container. + +- No printing from the isolated container. + +- No data persistence from one isolated container to another isolated container. + +You have the option to change each of these settings to work with your enterprise from within Group Policy. + +**To change the copy and paste options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled**. + +  + +3. Choose how the clipboard works: + + - Copy and paste from the isolated session to the host PC + + - Copy and paste from the host PC to the isolated session + + - Copy and paste both directions + +4. Choose what can be copied: + + - **1.** Only text can be copied between the host PC and the isolated container. + + - **2.** Only images can be copied between the host PC and the isolated container. + + - **3.** Both text and images can be copied between the host PC and the isolated container. + +5. Click **OK**. + +**To change the print options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled**. + +  + +3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. + +4. Click **OK**. + +**To change the data persistence options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + +  + +3. Open Microsoft Edge and browse to an untrusted, but safe URL. + + The website opens in the isolated session. + +4. Add the site to your **Favorites** list and then close the isolated session. + +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + + The previously added site should still appear in your **Favorites** list. + + >[!NOTE] + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**- Open a command-line program and navigate to Windows/System32.
- Type `wdagtool.exe cleanup`.
The container environment is reset, retaining only the employee-generated data. - Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
The container environment is reset, including discarding all employee-generated data.
```crl.microsoft.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
+ US |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` +Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index a36ea1a0a9..78c0d14437 100644 --- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -26,9 +26,9 @@ The **Machines list** shows a list of the machines in your network, the domain o Use the Machines list in these main scenarios: -- **During onboarding** +- **During onboarding**
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. -- **Day-to-day work** +- **Day-to-day work**
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. ## Sort, filter, and download the list of machines from the Machines list diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 16465baf1b..25be0c5cdc 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with ### Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 69ba2f2170..ac8ae9af63 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -1,7 +1,7 @@
---
title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
-keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools
ms.prod: w10
ms.mktglfcycl: plan
ms.localizationpriority: high
@@ -80,9 +80,9 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi
Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
-### What are the servicing branches?
+### What are the servicing channels?
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
### What tools can I use to manage Windows as a service updates?
@@ -92,13 +92,13 @@ There are many tools are available. You can choose from these:
- Windows Server Update Services
- System Center Configuration Manager
-For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
+For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools).
## User experience
### Where can I find information about new features and changes in Windows 10 Enterprise?
-For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library.
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 1be2149594..2619584ebd 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -33,6 +33,8 @@ See the following topics in this guide for detailed information about configurin
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+
+
An overview of the processes used by the Update Compliance solution is provided below.
## Update Compliance architecture
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index bbbb2a155d..860f86c5bb 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -9,7 +9,7 @@ author: greg-lindsay
The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
-The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md).
+The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version).
The following color-coded status changes are reflected on the upgrade overview blade:
@@ -32,7 +32,7 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
-Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
@@ -65,4 +65,4 @@ Select **Total applications** for a list of applications discovered on user comp
- Percentage of computers in your total computer inventory that opened the application in the past 30 days
- Issues detected, if any
- Upgrade assessment based on analysis of application data
-- Rollup level
\ No newline at end of file
+- Rollup level
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 85acab5a0a..807cd59c14 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -41,7 +41,7 @@ As mentioned previously, the default target version in Upgrade Readiness is set
The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607.
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703.
To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 4954192798..8d3a787f3c 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -12,11 +12,7 @@ author: greg-lindsay
# Configure VDA for Windows 10 Subscription Activation
-<<<<<<< HEAD
-This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
-=======
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
->>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
## Requirements
diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index db72ab90ec..97e9d04fb9 100644
--- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -1,6 +1,6 @@
---
-title: Overview of BitLocker and device encryption in Windows 10
-description: This topic provides an overview of how BitLocker and device encryption can help protect data on devices running Windows 10.
+title: Overview of BitLocker Device Encryption in Windows 10
+description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -8,13 +8,13 @@ ms.pagetype: security
author: Justinha
---
-# Overview of BitLocker and device encryption in Windows 10
+# Overview of BitLocker Device Encryption in Windows 10
**Applies to**
- Windows 10
-This topic explains how BitLocker and device encryption can help protect data on devices running Windows 10.
-For an architectural overview about how device encryption works with Secure Boot, see [Secure boot and device encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview).
+This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
+For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview).
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies.
@@ -25,14 +25,14 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi
| Windows 7 | Windows 10 |
|---|---|
-| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.