mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 23:07:23 +00:00
huypub
GitHub
commit
381a2cce53
@ -245,6 +245,7 @@
|
||||
#### [RestrictedGroups](policy-csp-restrictedgroups.md)
|
||||
#### [Search](policy-csp-search.md)
|
||||
#### [Security](policy-csp-security.md)
|
||||
#### [ServiceControlManager](policy-csp-servicecontrolmanager.md)
|
||||
#### [Settings](policy-csp-settings.md)
|
||||
#### [SmartScreen](policy-csp-smartscreen.md)
|
||||
#### [Speech](policy-csp-speech.md)
|
||||
|
||||
@ -115,6 +115,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
|
||||
<li>[Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)</li>
|
||||
<li>[Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)</li>
|
||||
<li>[Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)</li>
|
||||
<li>[ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)</li>
|
||||
<li>[System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)</li>
|
||||
<li>[System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)</li>
|
||||
<li>[Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)</li>
|
||||
@ -1868,16 +1869,17 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|
||||
|
||||
|New or updated topic | Description|
|
||||
|--- | ---|
|
||||
|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|
||||
|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
|
||||
|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:<br> DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.<br><br>Updated description of the following policies:<br>DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
|
||||
|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:<br>ShowLockOnUserTile.|
|
||||
|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:<br>AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
|
||||
|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:<br>EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
|
||||
|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:<br>AllowFindMyFiles.|
|
||||
|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:<br>SvchostProcessMitigation.|
|
||||
|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:<br>AllowCommercialDataPipeline, TurnOffFileHistory.|
|
||||
|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:<br>AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
|
||||
|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:<br>AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.|
|
||||
|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:<br>DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
|
||||
|
||||
### April 2019
|
||||
|
||||
|
||||
@ -3000,6 +3000,13 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
### ServiceControlManager policies
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation" id="servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
### Settings policies
|
||||
|
||||
<dl>
|
||||
@ -4219,6 +4226,7 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
|
||||
- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
|
||||
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
|
||||
- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
|
||||
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
|
||||
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
|
||||
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
|
||||
@ -4963,6 +4971,7 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
|
||||
- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
|
||||
- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
|
||||
- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
|
||||
- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
|
||||
- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
|
||||
- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
|
||||
|
||||
@ -0,0 +1,112 @@
|
||||
---
|
||||
title: Policy CSP - ServiceControlManager
|
||||
description: Policy CSP - ServiceControlManager
|
||||
ms.author: Heidi.Lohr
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: Heidilohr
|
||||
ms.date: 05/21/2019
|
||||
---
|
||||
|
||||
# Policy CSP - ServiceControlManager
|
||||
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policies-->
|
||||
## ServiceControlManager policies
|
||||
|
||||
<dl>
|
||||
<dd>
|
||||
<a href="#servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policy-->
|
||||
<a href="" id="servicecontrolmanager-svchostprocessmitigation"></a>**ServiceControlManager/SvchostProcessMitigation**
|
||||
|
||||
<!--SupportedSKUs-->
|
||||
<table>
|
||||
<tr>
|
||||
<th>Home</th>
|
||||
<th>Pro</th>
|
||||
<th>Business</th>
|
||||
<th>Enterprise</th>
|
||||
<th>Education</th>
|
||||
<th>Mobile</th>
|
||||
<th>Mobile Enterprise</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
|
||||
<td></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<!--/SupportedSKUs-->
|
||||
<!--Scope-->
|
||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
||||
|
||||
> [!div class = "checklist"]
|
||||
> * Device
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting enables process mitigation options on svchost.exe processes.
|
||||
|
||||
If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.
|
||||
|
||||
This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.
|
||||
|
||||
If you disable or do not configure this policy setting, the stricter security settings will not be applied.
|
||||
|
||||
<!--/Description-->
|
||||
> [!TIP]
|
||||
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
|
||||
|
||||
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
|
||||
|
||||
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
|
||||
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP English name: *Enable svchost.exe mitigation options*
|
||||
- GP name: *SvchostProcessMitigationEnable*
|
||||
- GP path: *System/Service Control Manager Settings/Security Settings*
|
||||
- GP ADMX file name: *ServiceControlManager.admx*
|
||||
|
||||
<!--/ADMXBacked-->
|
||||
<!--SupportedValues-->
|
||||
Supported values:
|
||||
- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
|
||||
- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes.
|
||||
<!--/SupportedValues-->
|
||||
<!--Example-->
|
||||
|
||||
<!--/Example-->
|
||||
<!--Validation-->
|
||||
|
||||
<!--/Validation-->
|
||||
<!--/Policy-->
|
||||
|
||||
<!--/Policies-->
|
||||
|
||||
<hr/>
|
||||
|
||||
Footnotes:
|
||||
|
||||
- 1 - Added in Windows 10, version 1607.
|
||||
- 2 - Added in Windows 10, version 1703.
|
||||
- 3 - Added in Windows 10, version 1709.
|
||||
- 4 - Added in Windows 10, version 1803.
|
||||
- 5 - Added in Windows 10, version 1809.
|
||||
- 6 - Added in Windows 10, version 1903.
|
||||
@ -15,13 +15,13 @@ ms.topic: article
|
||||
|
||||
# Windows Autopilot for white glove deployment
|
||||
|
||||
**Applies to: Windows 10, version 1903**
|
||||
**Applies to: Windows 10, version 1903** (preview)
|
||||
|
||||
Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
|
||||
|
||||
|
||||
|
||||
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
|
||||
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
|
||||
|
||||
With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device.
|
||||
|
||||
@ -34,7 +34,7 @@ Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove
|
||||
In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
|
||||
|
||||
- Windows 10, version 1903 or later is required.
|
||||
- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error.
|
||||
- An Intune subscription.
|
||||
- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
|
||||
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
|
||||
|
||||
@ -49,12 +49,12 @@ If these scenarios cannot be completed, Windows Autopilot for white glove deploy
|
||||
|
||||
To enable white glove deployment, an additional Autopilot profile setting must be configured:
|
||||
|
||||
>[!TIP]
|
||||
>To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement.
|
||||
|
||||
|
||||
|
||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. **Note**: other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
|
||||
|
||||
>[!NOTE]
|
||||
>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
||||
|
||||
## Scenarios
|
||||
|
||||
@ -82,16 +82,16 @@ Regardless of the scenario, the process to be performed by the technician is the
|
||||
|
||||
|
||||
- Click **Provision** to begin the provisioning process.
|
||||
|
||||
If the pre-provisioning process completes successfully:
|
||||
- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
||||
|
||||
- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
|
||||
|
||||
If the pre-provisioning process fails:
|
||||
- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
||||
- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
|
||||
|
||||
|
||||
|
||||
### User flow
|
||||
|
||||
If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
|
||||
|
||||
@ -82,7 +82,7 @@ The special identity groups are described in the following tables:
|
||||
|
||||
- [This Organization](#this-organization)
|
||||
|
||||
- [Window Manager\\Window Manager Group](#window-manager\\window-manager-group)
|
||||
- [Window Manager\\Window Manager Group](#window-manager-window-manager-group)
|
||||
|
||||
## Anonymous Logon
|
||||
|
||||
|
||||
@ -34,8 +34,8 @@ ms.date: 10/08/2018
|
||||
- [Key Trust](#key-trust)
|
||||
- [Managed Environment](#managed-environment)
|
||||
- [On-premises Deployment](#on-premises-deployment)
|
||||
- [Pass-through Authentication](#passthrough-authentication)
|
||||
- [Password Hash Synchronization](#password-hash-synchronization)
|
||||
- [Pass-through Authentication](#pass-through-authentication)
|
||||
- [Password Hash Synchronization](#password-hash-sync)
|
||||
- [Primary Refresh Token](#primary-refresh-token)
|
||||
- [Storage Root Key](#storage-root-key)
|
||||
- [Trust Type](#trust-type)
|
||||
@ -212,9 +212,9 @@ The key trust model uses the user's Windows Hello for Business identity to authe
|
||||
Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
|
||||
|
||||
### Related topics
|
||||
[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization)
|
||||
[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync)
|
||||
|
||||
[Return to Top](#Technology-and-Terms)
|
||||
[Return to Top](#technology-and-terms)
|
||||
## On-premises Deployment
|
||||
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
|
||||
|
||||
@ -229,13 +229,13 @@ The Windows Hello for Business on-premises deployment is for organizations that
|
||||
Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||
|
||||
### Related topics
|
||||
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization)
|
||||
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync)
|
||||
|
||||
|
||||
### More information
|
||||
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
|
||||
|
||||
[Return to Top](#hello-how-it-works-technology.md)
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Password Hash Sync
|
||||
The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||
|
||||
@ -253,7 +253,7 @@ The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a si
|
||||
|
||||
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
|
||||
|
||||
[Return to Top](#Technology-and-Terms)
|
||||
[Return to Top](#technology-and-terms)
|
||||
## Storage Root Key
|
||||
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
|
||||
|
||||
|
||||
@ -98,7 +98,7 @@
|
||||
#### [Managed security service provider support](mssp-support.md)
|
||||
|
||||
### [Microsoft Threat Protection](threat-protection-integration.md)
|
||||
#### [Protect users, data, and devices with conditional access](conditional-access.md)
|
||||
#### [Protect users, data, and devices with Conditional Access](conditional-access.md)
|
||||
#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md)
|
||||
#### [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
||||
|
||||
@ -360,7 +360,7 @@
|
||||
#### [Configure managed security service provider (MSSP) support](configure-mssp-support.md)
|
||||
|
||||
### Configure Microsoft Threat Protection integration
|
||||
#### [Configure conditional access](configure-conditional-access.md)
|
||||
#### [Configure Conditional Access](configure-conditional-access.md)
|
||||
#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md)
|
||||
####[Configure information protection in Windows](information-protection-in-windows-config.md)
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Enable conditional access to better protect users, devices, and data
|
||||
description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
|
||||
title: Enable Conditional Access to better protect users, devices, and data
|
||||
description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
|
||||
keywords: conditional access, block applications, security level, intune,
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Enable conditional access to better protect users, devices, and data
|
||||
# Enable Conditional Access to better protect users, devices, and data
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
@ -26,26 +26,26 @@ ms.topic: article
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
|
||||
|
||||
Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
|
||||
Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
|
||||
|
||||
With conditional access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
|
||||
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
|
||||
|
||||
You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
|
||||
|
||||
The implementation of conditional access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
|
||||
The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
|
||||
|
||||
The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications.
|
||||
The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications.
|
||||
|
||||
## Understand the conditional access flow
|
||||
Conditional access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
|
||||
## Understand the Conditional Access flow
|
||||
Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
|
||||
|
||||
The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
|
||||
|
||||
Depending on how you configure policies in Intune, conditional access can be set up so that when certain conditions are met, the policy is applied.
|
||||
Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
|
||||
|
||||
For example, you can configure Intune to apply conditional access on devices that have a high risk.
|
||||
For example, you can configure Intune to apply Conditional Access on devices that have a high risk.
|
||||
|
||||
In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched.
|
||||
In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.
|
||||
|
||||
A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
|
||||
|
||||
@ -54,23 +54,23 @@ To resolve the risk found on a device, you'll need to return the device to a com
|
||||
There are three ways to address a risk:
|
||||
1. Use Manual or automated remediation.
|
||||
2. Resolve active alerts on the machine. This will remove the risk from the machine.
|
||||
3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine.
|
||||
3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine.
|
||||
|
||||
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access.md).
|
||||
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
|
||||
|
||||
When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
|
||||
|
||||
The following example sequence of events explains conditional access in action:
|
||||
The following example sequence of events explains Conditional Access in action:
|
||||
|
||||
1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk.
|
||||
2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
|
||||
3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is applied to block access to applications.
|
||||
3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications.
|
||||
4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
|
||||
5. Users can now access applications.
|
||||
|
||||
|
||||
## Related topic
|
||||
- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access.md)
|
||||
- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md)
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Configure conditional access in Microsoft Defender ATP
|
||||
title: Configure Conditional Access in Microsoft Defender ATP
|
||||
description:
|
||||
keywords:
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -18,11 +18,11 @@ ms.topic: article
|
||||
ms.date: 09/03/2018
|
||||
---
|
||||
|
||||
# Configure conditional access in Microsoft Defender ATP
|
||||
# Configure Conditional Access in Microsoft Defender ATP
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
This section guides you through all the steps you need to take to properly implement conditional access.
|
||||
This section guides you through all the steps you need to take to properly implement Conditional Access.
|
||||
|
||||
### Before you begin
|
||||
>[!WARNING]
|
||||
@ -43,12 +43,12 @@ There are steps you'll need to take in Microsoft Defender Security Center, the I
|
||||
> [!NOTE]
|
||||
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
|
||||
|
||||
Take the following steps to enable conditional access:
|
||||
Take the following steps to enable Conditional Access:
|
||||
- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
|
||||
- Step 2: Turn on the Microsoft Defender ATP integration in Intune
|
||||
- Step 3: Create the compliance policy in Intune
|
||||
- Step 4: Assign the policy
|
||||
- Step 5: Create an Azure AD conditional access policy
|
||||
- Step 5: Create an Azure AD Conditional Access policy
|
||||
|
||||
|
||||
### Step 1: Turn on the Microsoft Intune connection
|
||||
@ -85,17 +85,17 @@ Take the following steps to enable conditional access:
|
||||
4. Include or exclude your Azure AD groups to assign them the policy.
|
||||
5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
|
||||
|
||||
### Step 5: Create an Azure AD conditional access policy
|
||||
1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**.
|
||||
### Step 5: Create an Azure AD Conditional Access policy
|
||||
1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**.
|
||||
2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
|
||||
3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
|
||||
|
||||
4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
|
||||
|
||||
5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
|
||||
5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
|
||||
|
||||
6. Select **Enable policy**, and then **Create** to save your changes.
|
||||
|
||||
For more information, see [Enable Microsoft Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
||||
|
||||
@ -40,8 +40,8 @@ Microsoft Defender ATP provides a comprehensive server protection solution, incl
|
||||
## Azure Information Protection
|
||||
Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection.
|
||||
|
||||
## Conditional access
|
||||
Microsoft Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
|
||||
## Conditional Access
|
||||
Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
|
||||
|
||||
|
||||
## Microsoft Cloud App Security
|
||||
@ -56,7 +56,7 @@ The Skype for Business integration provides s a way for analysts to communicate
|
||||
|
||||
|
||||
## Related topic
|
||||
- [Protect users, data, and devices with conditional access](conditional-access.md)
|
||||
- [Protect users, data, and devices with Conditional Access](conditional-access.md)
|
||||
|
||||
|
||||
|
||||
|
||||
@ -100,7 +100,7 @@ Query data using Advanced hunting in Microsoft Defender ATP.
|
||||
>[!NOTE]
|
||||
>Available from Windows 10, version 1803 or later.
|
||||
|
||||
- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data.
|
||||
- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br> Enable conditional access to better protect users, devices, and data.
|
||||
|
||||
- [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)<BR>
|
||||
The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
|
||||
|
||||
@ -0,0 +1,86 @@
|
||||
---
|
||||
title: Create and manage roles for role-based access control
|
||||
description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation
|
||||
keywords: user roles, roles, access rbac
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Create and manage roles for role-based access control
|
||||
**Applies to:**
|
||||
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
|
||||
|
||||
## Create roles and assign the role to an Azure Active Directory group
|
||||
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
|
||||
|
||||
1. In the navigation pane, select **Settings > Roles**.
|
||||
|
||||
2. Click **Add role**.
|
||||
|
||||
3. Enter the role name, description, and permissions you'd like to assign to the role.
|
||||
|
||||
- **Role name**
|
||||
- **Description**
|
||||
- **Permissions**
|
||||
- **View data** - Users can view information in the portal.
|
||||
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
|
||||
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
|
||||
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
|
||||
|
||||
>[!NOTE]
|
||||
>This setting is only available in the Windows Defender ATP administrator (default) role.
|
||||
|
||||
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
|
||||
|
||||
4. Click **Next** to assign the role to an Azure AD group.
|
||||
|
||||
5. Use the filter to select the Azure AD group that you'd like to add to this role.
|
||||
|
||||
6. Click **Save and close**.
|
||||
|
||||
7. Apply the configuration settings.
|
||||
|
||||
|
||||
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The Windows Defender ATP administrator (default) role has administrator permissions with exclusive access to all machine groups. Administrator permissions cannot be assigned to any other role.
|
||||
|
||||
|
||||
## Edit roles
|
||||
|
||||
1. Select the role you'd like to edit.
|
||||
|
||||
2. Click **Edit**.
|
||||
|
||||
3. Modify the details or the groups that are assigned to the role.
|
||||
|
||||
4. Click **Save and close**.
|
||||
|
||||
## Delete roles
|
||||
|
||||
1. Select the role you'd like to delete.
|
||||
|
||||
2. Click the drop-down button and select **Delete role**.
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
- [User basic permissions to access the portal](../microsoft-defender-atp/basic-permissions.md)
|
||||
- [Create and manage machine groups](../microsoft-defender-atp/machine-groups.md)
|
||||
Loading…
x
Reference in New Issue
Block a user