deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into App-v-revision

Browse Source
This commit is contained in:
Heidi Lohr 2018-07-02 09:22:49 -07:00
commit 37c31c59c7
34 changed files with 905 additions and 636 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
.openpublishing.redirection.json
View File

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set",
"redirect_document_id": true
@ -11,6 +16,16 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
"redirect_url": "/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agress.md",
"redirect_url": "/windows/security/threat-protectionsecurity-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-application-control.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control",
"redirect_document_id": true
@ -13680,6 +13695,15 @@
"redirect_url": "/windows/privacy/windows-diagnostic-data",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/upgrade/windows-10-downgrade-paths.md",
"redirect_url": "/windows/deployment/upgrade/windows-10-edition-downgrades",
"redirect_document_id": true
},
{
"source_path": "education/windows/windows-automatic-redeployment.md",
"redirect_url": "/education/windows/autopilot-reset",
"redirect_document_id": true
},
]
}

7
devices/surface-hub/manage-windows-updates-for-surface-hub.md
View File

@ -111,9 +111,10 @@ Once the Windows 10 Team Anniversary Update is installed, you can remove these a
To ensure the device is always available for use during business hours, Surface Hub performs its administrative functions during a specified maintenance window. During the maintenance window, the Surface Hub automatically installs updates through Windows Update or WSUS, and reboots the device if needed.
Surface Hub follows these guidelines to apply updates:
- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window.
- If the next maintenance window is past the updates prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the updates metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used.
- If a pending update is past the updates prescribed grace period, the update will be immediately installed. If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window.
- Install the update during the next maintenance window. If a meeting is scheduled to start during a maintenance window, or the Surface Hub sensors detect that the device is being used, the pending update will be postponed to the following maintenance window.
- If the next maintenance window is past the updates prescribed grace period, the device will calculate the next available slot during business hours using the estimated install time from the updates metadata. It will continue to postpone the update if a meeting is scheduled, or the Surface Hub sensors detect that the device is being used.
- If the next maintenance window is **not** past the update's grace period, the Surface Hub will continue to postpone the update.
- If a reboot is needed, the Surface Hub will automatically reboot during the next maintenance window.
> [!NOTE]
> Allow time for updates when you first setup your Surface Hub. For example, a backlog of virus definitions may be available, which should be immediately installed.

6
education/windows/autopilot-reset.md
View File

@ -8,9 +8,9 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
author: CelesteDG
author: greg-lindsay
ms.author: celested
ms.date: 03/08/2018
ms.date: 06/27/2018
---
# Reset devices with Autopilot Reset
@ -102,7 +102,7 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsof
reagentc /enable
```
If Windows Automatic Reployment fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance.
If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance.
## Related topics

4
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1652,9 +1652,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Recent changes:</p>
<ul>
<li>System/AllowFontProviders is not supported in Windows Holographic for Business</li>
<li>System/AllowFontProviders is not supported in Windows Holographic for Business.</li>
<li>Security/RequireDeviceEncryption is suported in the Home SKU.</li>
<li>Removed LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers. This policy is not supported.</li>
<li>Start/StartLayout - added a table of SKU support information.</li>
<li>Start/ImportEdgeAssets - added a table of SKU support information.</li>
</ul>
</td></tr>
</tbody>

9
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -3097,15 +3097,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-textinput.md#textinput-allowlinguisticdatacollection" id="textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
</dd>
<dd>
<a href="./policy-csp-textinput.md#textinput-configurejapaneseimeversion" id="textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
</dd>
<dd>
<a href="./policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion" id="textinput-configuresimplifiedchineseimeversion">TextInput/ConfigureSimplifiedChineseIMEVersion</a>
</dd>
<dd>
<a href="./policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion" id="textinput-configuretraditionalchineseimeversion">TextInput/ConfigureTraditionalChineseIMEVersion</a>
</dd>
<dd>
<a href="./policy-csp-textinput.md#textinput-enabletouchkeyboardautoinvokeindesktopmode" id="textinput-enabletouchkeyboardautoinvokeindesktopmode">TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</a>
</dd>

165
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -57,15 +57,6 @@ ms.date: 06/05/2018
<dd>
<a href="#textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
</dd>
<dd>
<a href="#textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
</dd>
<dd>
<a href="#textinput-configuresimplifiedchineseimeversion">TextInput/ConfigureSimplifiedChineseIMEVersion</a>
</dd>
<dd>
<a href="#textinput-configuretraditionalchineseimeversion">TextInput/ConfigureTraditionalChineseIMEVersion</a>
</dd>
<dd>
<a href="#textinput-enabletouchkeyboardautoinvokeindesktopmode">TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</a>
</dd>
@ -688,162 +679,6 @@ This setting supports a range of values between 0 and 1.
<hr/>
<!--Policy-->
<a href="" id="textinput-configurejapaneseimeversion"></a>**TextInput/ConfigureJapaneseIMEVersion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, next major version. This is only a placeholder. Do not use in production code.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="textinput-configuresimplifiedchineseimeversion"></a>**TextInput/ConfigureSimplifiedChineseIMEVersion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, next major version. This is only a placeholder. Do not use in production code.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="textinput-configuretraditionalchineseimeversion"></a>**TextInput/ConfigureTraditionalChineseIMEVersion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, next major version. This is only a placeholder. Do not use in production code.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="textinput-enabletouchkeyboardautoinvokeindesktopmode"></a>**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**

2
windows/configuration/provisioning-packages/provisioning-how-it-works.md
View File

@ -43,7 +43,7 @@ When multiple provisioning packages are available for device provisioning, the c
1. Microsoft
2. Silicon Vender
2. Silicon Vendor
3. OEM

8
windows/deployment/TOC.md
View File

@ -22,8 +22,8 @@
### [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md)
### [Windows 10 in S mode](windows-10-pro-in-s-mode.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
#### [Windows 10 downgrade paths](upgrade/windows-10-downgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Windows 10 edition downgrade](upgrade/windows-10-edition-downgrades.md)
### [Windows 10 volume license media](windows-10-media.md)
### [Windows 10 deployment test lab](windows-10-poc.md)
@ -223,12 +223,6 @@
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md)
### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md)
#### [Onboard to Windows Update for Business](update/wufb-onboard.md)
##### [Windows Update for Business basics](update/wufb-basics.md)
##### [Setting up automatic update](update/wufb-autoupdate.md)
##### [Managing feature and quality updates](update/wufb-manageupdate.md)
##### [Enforcing compliance deadlines](update/wufb-compliancedeadlines.md)
##### [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](update/wufb-managedrivers.md)
#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)

10
windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
View File

@ -107,13 +107,13 @@ Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequ
After the task sequence finishes, the computer will be fully upgraded to Windows 10.
## Upgrade to Windows 10 with the next version of System Center Configuration Manager
## Upgrade to Windows 10 with System Center Configuration Manager Current Branch
With the next release of System Center Configuration Manager (currently planned for Q4 of 2015), new built-in functionality will be provided to make it even easier to upgrade existing Windows 7, Windows 8, and Windows 8.1 PCs to Windows 10.
With System Center Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
**Note**  
For more details about the next version of Configuration Manager, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
 
@ -139,7 +139,7 @@ To create an upgrade task sequence, perform the following steps:
![figure 3](../images/upgradecfg-fig3-upgrade.png)
Figure 3. The Configuration Manager vNext upgrade task sequence.
Figure 3. The Configuration Manager upgrade task sequence.
### Create a device collection
@ -190,7 +190,7 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Upda
In this section, you start the Windows 10 Upgrade task sequence on PC0003 (currently running Windows 7 SP1).
1. On PC0003, start the **Software Center**.
2. Select the **Windows vNext Upgrade** task sequence, and then click **Install.**
2. Select the **Windows 10 Enterprise x64 Upgrade** task sequence, and then click **Install.**
When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.

51
windows/deployment/upgrade/windows-10-downgrade-paths.md → windows/deployment/upgrade/windows-10-edition-downgrades.md
View File

@ -1,39 +1,44 @@
---
title: Windows 10 downgrade paths (Windows 10)
title: Windows 10 edition downgrade (Windows 10)
description: You can downgrade Windows 10 if the downgrade path is supported.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
ms.date: 06/15/2018
ms.date: 06/30/2018
---
# Windows 10 downgrade paths
# Windows 10 edition downgrade
**Applies to**
- Windows 10
## Downgrading Windows 10
This topic provides a summary of supported Windows 10 in-place edition downgrade paths. A valid product key for the destination edition is required to perform the downgrade. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired.
This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired. To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). For example, you might downgrade an Enterprise edition by manually entering a valid Pro license key.
To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md). If the downgrade path is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required.
If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required.
Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this path is through the rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades.
Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this the rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used.
### Scenario example
>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
Downgrading from Enterprise
- Original edition: **Professional OEM**
- Upgrade edition: **Enterprise**
- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown below.
You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supercede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091).
### Supported Windows 10 downgrade paths
>[!NOTE]
>Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here.<br>
>Switching between different editions of Pro is also not strictly considered an edition downgrade, but is included here for clarity.
>Edition changes that are considered upgrades (Ex: Pro to Enterprise, Pro to Pro for Workstations) are not shown here.
>For more information see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).<br>
✔ = Supported downgrade path<br>
&nbsp;S&nbsp; = Supported; Not considered a downgrade or an upgrade<br>
[blank] = Not supported or not a downgrade<br>
<br>
<table border="0" cellpadding="1">
@ -68,8 +73,8 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
<td>Pro</td>
<td></td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -87,8 +92,8 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
<tr>
<td>Pro Education</td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -102,7 +107,7 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
<td align="center"></td>
<td></td>
<td></td>
<td></td>
<td>S</td>
</tr>
<tr>
<td>Enterprise LTSC</td>
@ -120,12 +125,17 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center">S</td>
<td></td>
<td></td>
</tr>
</table>
>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
## Related Topics
@ -133,8 +143,3 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)<br>
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)<br>
[Windows 10 upgrade paths](windows-10-upgrade-paths.md)

5
windows/deployment/upgrade/windows-10-edition-upgrades.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
ms.date: 04/30/2018
ms.date: 06/28/2018
---
# Windows 10 edition upgrade
@ -20,6 +20,8 @@ ms.date: 04/30/2018
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
Edition changes that are considered downgrades are not shown here. For more information, see [Windows 10 edition downgrade](windows-10-edition-downgrades.md).
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
![not supported](../images/x_blk.png) (X) = not supported</br>
@ -56,7 +58,6 @@ X = unsupported <BR>
| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Enterprise LTSC > Enterprise** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
| **Mobile > Mobile Enterprise** | ![supported, no reboot](../images/check_blu.png) |![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) |
> [!NOTE]

2
windows/deployment/windows-10-architecture-posters.md
View File

@ -17,7 +17,7 @@ You can download the following posters for architectural information about deplo
Learn about the options and steps for a new installation of Windows 10.
- [Deploy Windows 10 - In-place upgrade](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf)
Learn about the steps to upgrade from a previous version of Windows.
- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutopilot.pdf)
- [Deploy Windows 10 - Windows Autopilot](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf)
Learn how you can set up and pre-configure Windows 10 devices.
- [Deploy Windows 10 - Windows servicing](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/master/windows/media/ModernSecureDeployment/WindowsServicing.pdf)
Learn how to keep Windows up to date.

2
windows/privacy/TOC.md
View File

@ -14,4 +14,6 @@
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

2
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -25,7 +25,7 @@ To frame a discussion about diagnostic data, it is important to understand Micro
- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
- **Security.** We encrypt diagnostic data in transit from your device and protect that data at our secure data centers.
- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
- **Strong legal protections.** We respect customers local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.

254
windows/privacy/manage-windows-endpoints.md
View File

@ -5,10 +5,10 @@ keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: brianlic-msft
ms.author: brianlic
ms.date: 11/21/2017
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Manage Windows 10 connection endpoints
@ -482,250 +482,10 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa
|----------------|----------|------------|----------------------------------|
|Various|HTTPS|go.microsoft.com| 1709 |
## Endpoints for other Windows editions
## Other Windows 10 editions
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other editions of Windows 10, version 1709.
## Windows 10 Home
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.*.akamai.net | HTTP | Used to download content. |
| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.<span class="anchor" id="_Hlk500262422"></span>wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office Online. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| fs.microsoft.com | HTTPS | Used to download fonts on demand |
| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspw65.akamai.net | HTTP | Used to download content. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamai.net | HTTP | Used to download content. |
| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office Online. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com/* | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links

273
windows/privacy/windows-endpoints-1709-non-enterprise-editions.md Normal file
View File

@ -0,0 +1,273 @@
---
title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Windows 10, version 1709, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1709
- Windows 10 Professional, version 1709
- Windows 10 Education, version 1709
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Home
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.*.akamai.net | HTTP | Used to download content. |
| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.<span class="anchor" id="_Hlk500262422"></span>wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office Online. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| fs.microsoft.com | HTTPS | Used to download fonts on demand |
| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.dscd.akamai.net | HTTP | Used to download content. |
| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.dspw65.akamai.net | HTTP | Used to download content. |
| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamai.net | HTTP | Used to download content. |
| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office Online. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
| login.live.com/* | HTTPS | Used to authenticate a device. |
| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |

148
windows/privacy/windows-endpoints-1803-non-enterprise-editions.md Normal file
View File

@ -0,0 +1,148 @@
---
title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: danihalfin
ms.author: daniha
ms.date: 6/26/2018
---
# Windows 10, version 1803, connection endpoints for non-Enterprise editions
**Applies to**
- Windows 10 Home, version 1803
- Windows 10 Professional, version 1803
- Windows 10 Education, version 1803
In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ HTTP Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. |
| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. |
| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
|dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). |
| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  |
| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
## Windows 10 Pro
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
## Windows 10 Education
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portals shared infrastructure, including Office Online. |
| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  |
| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. |
| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |

23
windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/16/2017
ms.date: 06/29/2018
---
# TPM Group Policy settings
@ -52,22 +52,28 @@ This policy setting allows you to enforce or ignore the computer's local list of
The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.)
If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list.
If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
## Configure the level of TPM owner authorization information available to the operating system
Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions.
>[!IMPORTANT]
>Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization.
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password.
This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions.
|TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0?| Kept at level 2?| Kept at level 4? |
|--------------|---------------|---------|-----------------|-----------------|------------------|
| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No |
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used.
- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows.
- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
- **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
@ -88,11 +94,10 @@ The following table shows the TPM owner authorization values in the registry.
| 2 | Delegated |
| 4 | Full |
A value of 5 means discard the **Full** TPM owner authorization for TPM 1.2 but keep it for TPM 2.0.
 
If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
## Standard User Lockout Duration

35
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -198,7 +198,7 @@ Path Publisher
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
### Import a list of apps
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of protected apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@ -273,6 +273,39 @@ For this example, were going to add an AppLocker XML file to the **Protected
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To create an Executable rule and xml file for unsigned apps**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**.
3. Right-click **Executable Rules** > **Create New Rule**.
![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png)
4. On the **Before You Begin** page, click **Next**.
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
6. On the **Conditions** page, click **Path** and then click **Next**.
![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png)
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, were using "C:\Program Files".
![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png)
8. On the **Exceptions** page, add any exceptions and then click **Next**.
9. On the **Name** page, type a name and description for the rule and then click **Create**.
10. In the left pane, right-click **AppLocker** > **Export policy**.
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import a list of protected apps using Microsoft Intune**
1. In **Protected apps**, click **Import apps**.

35
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
View File

@ -193,7 +193,7 @@ In this example, you'd get the following info:
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
### Add an AppLocker policy file
Now were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview).
Now were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview).
**To create a Packaged App rule rule and xml file**
1. Open the Local Security Policy snap-in (SecPol.msc).
@ -260,39 +260,6 @@ Now were going to add an AppLocker XML file to the **App Rules** list. You
```
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To create an Executable rule and xml file for unsigned apps**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**.
3. Right-click **Executable Rules** > **Create New Rule**.
![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png)
4. On the **Before You Begin** page, click **Next**.
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
6. On the **Conditions** page, click **Path** and then click **Next**.
![Create Packaged app Rules wizard, showing the Publisher](images/path-condition.png)
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, were using "C:\Program Files".
![Create Packaged app Rules wizard, showing the Select applications page](images/select-path.png)
8. On the **Exceptions** page, add any exceptions and then click **Next**.
9. On the **Name** page, type a name and description for the rule and then click **Create**.
10. In the left pane, right-click **AppLocker** > **Export policy**.
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your Applocker policy file app rule using Microsoft Intune**
1. From the **App Rules** area, click **Add**.

BIN
windows/security/information-protection/windows-information-protection/images/path-condition.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 35 KiB

6
windows/security/threat-protection/TOC.md
View File

@ -761,12 +761,14 @@
##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
##### [Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
##### [Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
##### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)

4
windows/security/threat-protection/auditing/event-4624.md
View File

@ -214,7 +214,7 @@ This event generates when a logon session is created (on destination machine). I
**Process Information:**
- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -222,7 +222,7 @@ This event generates when a logon session is created (on destination machine). I
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Network Information:**

4
windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
View File

@ -1,5 +1,5 @@
---
title: Introduction to Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10)
title: Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10)
description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating systems security.
keywords: virtualization, security, malware
ms.prod: w10
@ -9,7 +9,7 @@ author: mdsakibMSFT
ms.date: 04/19/2018
---
# Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
# Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
**Applies to**
- Windows 10

63
windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
View File

@ -1,56 +1,51 @@
---
title: Microsoft network client Digitally sign communications (always) (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
description: For SMBv3 and SMBv2, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
author: justinha
ms.date: 06/28/2018
---
# Microsoft network client: Digitally sign communications (always)
**Applies to**
- Windows 10
- Windows Server
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting.
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
## Reference
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure.
If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2.
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
| | Server Required | Server Not Required |
|---|-------------------|-----------------------|
| **Client Required** | Signed | Signed |
| **Client Not Required** | Signed <sup>1</sup> | Not Signed<sup>2</sup> |
</br>
<sup>1</sup> Default for domain controller SMB traffic</br>
<sup>2</sup> Default for all other SMB traffic
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact).
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
1. Configure the following security policy settings as follows:
- Disable **Microsoft network client: Digitally sign communications (always)**.
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
Enable **Microsoft network client: Digitally sign communications (always)**.
### Location
@ -62,8 +57,8 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Default Domain Policy| Disabled|
| Default Domain Controller Policy | Disabled|
| Stand-Alone Server Default Settings | Disabled|
| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled|
@ -83,28 +78,20 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data.
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
### Countermeasure
Configure the settings as follows:
Enable **Microsoft network client: Digitally sign communications (always)**.
- Disable **Microsoft network client: Digitally sign communications (always)**.
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
>[!NOTE]  
>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
 
### Potential impact
Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks.
Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater.
## Related topics

64
windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
View File

@ -1,59 +1,51 @@
---
title: Microsoft network server Digitally sign communications (always) (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting.
description: For SMBv3 and SMBv2, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting.
ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/21/2018
---
# Microsoft network server: Digitally sign communications (always)
**Applies to**
- Windows 10
- Windows Server
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
## Reference
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings can cause data access failure.
For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2.
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled.
| | Server Required | Server Not Required |
|---|-------------------|-----------------------|
| **Client Required** | Signed | Signed |
| **Client Not Required** | Signed <sup>1</sup> | Not Signed<sup>2</sup> |
</br>
<sup>1</sup> Default for domain controller SMB traffic</br>
<sup>2</sup> Default for all other SMB traffic
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact).
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
1. Configure the following security policy settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
- Disable **Microsoft network server: Digitally sign communications (always)**.
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
Enable **Microsoft network server: Digitally sign communications (always)**.
### Location
@ -65,11 +57,11 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Policy| Disabled|
| Default Domain Controller Policy | Enabled|
| Stand-Alone Server Default Settings | Not defined|
| Stand-Alone Server Default Settings | Disabled|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings| Not defined|
| Member Server Effective Default Settings| Disabled|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
@ -88,26 +80,18 @@ This section describes how an attacker might exploit a feature or its configurat
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. If either side fails the authentication process, data transmission does not take place.
### Countermeasure
Configure the settings as follows:
Enable **Microsoft network server: Digitally sign communications (always)**.
- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
- Disable **Microsoft network server: Digitally sign communications (always)**.
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
>[!NOTE]  
>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
 
### Potential impact
Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks.
Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater.
## Related topics

14
windows/security/threat-protection/security-policy-settings/security-options.md
View File

@ -6,8 +6,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/01/2017
author: justinha
ms.date: 06/28/2018
---
# Security Options
@ -66,13 +66,15 @@ For info about setting security policies, see [Configure security policy setting
| [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. |
| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.|
| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.|
| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting. |
| [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting. |
| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. |
| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. |
| [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting for SMBv1 only. |
| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. |
| [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. |
| [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. |
| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting.|
| [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting. |
| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.|
| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.|
| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. |
| [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. |
| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. |
| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.|

113
windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md Normal file
View File

@ -0,0 +1,113 @@
---
title: SMBv1 Microsoft network client Digitally sign communications (always) (Windows 10)
description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 06/19/2018
---
# SMBv1 Microsoft network client: Digitally sign communications (always)
**Applies to**
- Windows 10
This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows).
The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
## Reference
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
1. Configure the following security policy settings as follows:
- Disable **Microsoft network client: Digitally sign communications (always)**.
- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Disabled|
| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
### Countermeasure
Configure the settings as follows:
- Disable **Microsoft network client: Digitally sign communications (always)**.
- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
 
### Potential impact
Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks.
## Related topics
- [Security Options](security-options.md)

30
windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md → windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft network client Digitally sign communications (if server agrees) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting.
title: SMBv1 Microsoft network client Digitally sign communications (if server agrees) (Windows 10)
description: For SMBv1 only, describes the best practices, location, values, and security considerations for the Microsoft network client Digitally sign communications (if server agrees) security policy setting.
ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd
ms.prod: w10
ms.mktglfcycl: deploy
@ -8,14 +8,16 @@ ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/19/2018
---
# Microsoft network client: Digitally sign communications (if server agrees)
# SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting.
This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows).
The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-always.md).
## Reference
@ -31,9 +33,9 @@ Using SMB packet signing can impose up to a 15 percent performance degradation o
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
- [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md)
- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
### Possible values
@ -45,10 +47,10 @@ There are three other policy settings that relate to packet-signing requirements
1. Configure the following security policy settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**.
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
@ -92,10 +94,10 @@ SMB is the resource-sharing protocol that is supported by many Windows operating
Configure the settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable **Microsoft network client: Digitally sign communications (if server agrees)**.
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.

116
windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md Normal file
View File

@ -0,0 +1,116 @@
---
title: SMB v1 Microsoft network server Digitally sign communications (always) (Windows 10)
description: For SMB v1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting.
ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 06/19/201
---
# SMB v1 Microsoft network server: Digitally sign communications (always)
**Applies to**
- Windows 10
This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows).
The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. Fore more information, see [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
## Reference
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled.
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
1. Configure the following security policy settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- Disable **Microsoft network server: Digitally sign communications (always)**.
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Enabled|
| Stand-Alone Server Default Settings | Not defined|
| DC Effective Default Settings | Enabled|
| Member Server Effective Default Settings| Not defined|
| Client Computer Effective Default Settings | Disabled|
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
### Countermeasure
Configure the settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- Disable **Microsoft network server: Digitally sign communications (always)**.
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
>**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
 
### Potential impact
Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks.
## Related topics
- [Security Options](security-options.md)

30
windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md → windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
View File

@ -1,21 +1,23 @@
---
title: Microsoft network server Digitally sign communications (if client agrees) (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting.
title: SMBv1 Microsoft network server Digitally sign communications (if client agrees) (Windows 10)
description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting.
ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/19/2018
---
# Microsoft network server: Digitally sign communications (if client agrees)
# SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting.
This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows).
The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-always.md).
## Reference
@ -32,9 +34,9 @@ Using SMB packet signing can impose up to a 15 percent performance degradation o
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md)
### Possible values
@ -46,9 +48,9 @@ There are three other policy settings that relate to packet-signing requirements
1. Configure the following security policy settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable **Microsoft Network Server: Digitally Sign Communications (If Client Agrees)**.
2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
@ -92,9 +94,9 @@ SMB is the resource-sharing protocol that is supported by many Windows operating
Configure the settings as follows:
- Disable [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- Enable **Microsoft network server: Digitally sign communications (if client agrees)**.
In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.

21
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 06/13/2018
ms.date: 06/29/2018
---
@ -82,6 +82,10 @@ Windows 10, version 1803 has five new Attack surface reduction rules:
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
In addition, the following rule is available for beta testing:
- Block Office communication applications from creating child processes
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUID
@ -98,6 +102,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
@ -123,7 +128,7 @@ This rule blocks the following file types from being run or launched from an ema
### Rule: Block Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, Outlook, and Access.
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
@ -175,10 +180,16 @@ This rule blocks the following file types from being run or launched unless they
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
@ -203,6 +214,12 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
## Review Attack surface reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):

4
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 06/15/2018
ms.date: 06/29/2018
---
# Customize Attack surface reduction
@ -76,6 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

3
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 06/29/2018
---
@ -64,6 +64,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.