From 9178e4ce729b15b09e800c8c4e43e737fe806cc6 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 10 May 2019 09:52:59 -0700 Subject: [PATCH 01/21] Added 19H1 new policy doc and policy --- .../policy-configuration-service-provider.md | 9 ++ .../mdm/policy-csp-servicecontrolmanager.md | 115 ++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-servicecontrolmanager.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a27926a537..58bba60460 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2927,6 +2927,13 @@ The following diagram shows the Policy configuration service provider in tree fo +### ServiceControlManager policies +
+
+ ServiceControlManager/SvchostProcessMitigation +
+
+ ### Settings policies
@@ -4112,6 +4119,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) - [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) @@ -4833,6 +4841,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) - [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) - [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) - [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md new file mode 100644 index 0000000000..a2558d44fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
@@ -0,0 +1,115 @@ +--- +title: Policy CSP - ServiceControlManager +description: Policy CSP - ServiceControlManager +ms.author: Heidi.Lohr +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: Heidilohr +ms.date: 05/10/2019 +--- + +# Policy CSP - ServiceControlManager + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + +
+ + +## ServiceControlManager policies + +
+
+ ServiceControlManager/SvchostProcessMitigation +
+
+ +
+ + +**ServiceControlManager/SvchostProcessMitigation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting enables process mitigation options on svchost.exe processes. + +If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. + +This includes Microsoft to sign a policy requiring all binaries loaded on SVCHOST processes and a policy disallowing dynamically generated code. + +If you disable or do not configure this policy setting, the stricter security settings will not be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable svchost.exe mitigation options* +- GP name: *SvchostProcessMitigationEnable* +- GP path: *System/Service Control Manager Settings/Security Settings* +- GP ADMX file name: *ServiceControlManager.admx* + + + +Supported values: +- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. +- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. + + + + + + + + + + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From 5f13583ff5b73766b3cf8ae44a172f4cf1b48936 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 14 May 2019 10:44:54 -0500 Subject: [PATCH 02/21] Update user-roles-windows-defender-advanced-threat-protection.md --- ...-roles-windows-defender-advanced-threat-protection.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index ab60042a21..c68c954776 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -59,6 +59,10 @@ The following steps guide you on how to create roles in Windows Defender Securit After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. +>[!NOTE] +>The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned >to any other role. On>groups assigned the Windows Defender ATP administrator role have access to all machine groups. + + ## Edit roles 1. Select the role you'd like to edit. 
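Review bot: In the new policy-csp-servicecontrolmanager.md hunk, the sentence "This includes Microsoft to sign a policy requiring all binaries loaded on SVCHOST processes and a policy disallowing dynamically generated code." does not parse and muddles who signs what; suggest "This includes a policy requiring all binaries loaded into these svchost.exe processes to be signed by Microsoft, and a policy disallowing dynamically generated code." Admins read this line to learn that enabling the setting applies Microsoft-signed-only image loading and a no-dynamic-code restriction to service hosts, which is also what the two Supported values entries (ACG/CIG enforcement) describe, so the prose should match them. Two smaller points in the same hunk: the Footnotes list carries entries 1 through 5 that nothing on this page references (only footnote 6 is used, in the SKU table), and the file ends without a trailing newline ("\ No newline at end of file").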
@@ -76,6 +80,7 @@ After creating roles, you'll need to create a machine group and provide access t 2. Click the drop-down button and select **Delete role**. -##Related topic + +## Related topic - [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) -- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) From 9d4c6f334383da0079c3ca9ac277acbb521a3600 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 14 May 2019 10:49:36 -0500 Subject: [PATCH 03/21] Update user-roles-windows-defender-advanced-threat-protection.md --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index c68c954776..70a52291c3 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md 
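Review bot: In the user-roles hunk at @@ -59,6 +59,10 @@, the added note has stray ">" characters in the middle of the sentence ("cannot be assigned >to any other role. On>groups assigned"), which will render as literal greater-than signs rather than blockquote markers, and the second sentence is left without a subject. Suggest one clean line: ">The Windows Defender ATP administrator (default) role has administrator permissions. These permissions cannot be assigned to any other role, and only users assigned this role have access to all machine groups." A role-scoping note is what an RBAC admin relies on to understand who can see every machine group, so it should state that plainly.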
@@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned >to any other role. On>groups assigned the Windows Defender ATP administrator role have access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned the Windows Defender ATP administrator role have access to all machine groups. ## Edit roles From 959f88dbd27966614e2401cbea3fdfec98a035b0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 May 2019 12:50:09 -0700 Subject: [PATCH 04/21] Updated SKU --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index a2558d44fc..ec32296079 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -44,7 +44,7 @@ ms.date: 05/10/2019 cross mark - cross mark + check mark6 check mark6 check mark6 check mark6 From 5480ba46fe2edcc6eac8281bb918b6a8e805eeda Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 May 2019 14:52:36 -0700 Subject: [PATCH 05/21] Update SKU --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index ec32296079..a2558d44fc 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
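Review bot: The patch 04 hunk at @@ -44,7 +44,7 @@ flips the Pro cell of the SKU table from "cross mark" to "check mark6", and patch 05 flips it straight back, so the two commits cancel and should be squashed out of the series. If Pro support is genuinely undetermined, confirm it with the feature owner before merge rather than leaving the flip-flop in history: that row is what an admin checks to decide whether the svchost mitigation policy can be deployed to a given edition, and the cell is also the only place the version-1903 footnote is referenced.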
@@ -44,7 +44,7 @@ ms.date: 05/10/2019 cross mark - check mark6 + cross mark check mark6 check mark6 check mark6 From 7e5a521e9daf4492560ad8268a507d2d0679214a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 May 2019 15:21:38 -0700 Subject: [PATCH 06/21] Added dev comment --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index a2558d44fc..b879cef048 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -68,7 +68,7 @@ This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -This includes Microsoft to sign a policy requiring all binaries loaded on SVCHOST processes and a policy disallowing dynamically generated code. +This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. If you disable or do not configure this policy setting, the stricter security settings will not be applied. From 0ab4221d704838e08108f0fdc2fb6a8e41128842 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 27 May 2019 12:05:21 -0500 Subject: [PATCH 07/21] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
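Review bot: The rewritten sentence in the patch 06 hunk at @@ -68,7 +68,7 @@ now reads correctly and matches the two mitigations listed under Supported values; one style nit is that "dynamically-generated code" does not need the hyphen (an adverb ending in -ly plus a participle), and the Supported values list still says "SVCHOST processes" while this sentence says "these processes", so naming svchost.exe consistently in both places would help.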
diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 70a52291c3..58b35c2ec2 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned the Windows Defender ATP administrator role have access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned, the Windows Defender ATP administrator role has access to all machine groups. ## Edit roles From ffcc924230dc23cedf5dc50a941d1368838ef701 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 27 May 2019 12:05:34 -0500 Subject: [PATCH 08/21] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 58b35c2ec2..27c96c095f 100644 
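Review bot: The reworded note in this hunk ("On groups assigned, the Windows Defender ATP administrator role has access to all machine groups.") changes the meaning rather than fixing the grammar: a role does not have access, users holding it do, and "On groups assigned" still has no referent. The intent carried through the earlier commits is that only users holding the administrator role can see every machine group; suggest "Only users assigned the Windows Defender ATP administrator role have access to all machine groups."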
--- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -81,6 +81,6 @@ After creating roles, you'll need to create a machine group and provide access t -## Related topic +## Related topics - [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) - [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) From 1497bf3aab2e94b45bfb6b795701c7739c120e2f Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 28 May 2019 08:29:04 -0500 Subject: [PATCH 09/21] Update user-roles-windows-defender-advanced-threat-protection.md --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 27c96c095f..d20e9fe3e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md 
@@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned, the Windows Defender ATP administrator role has access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions. Administrator permissions cannot be assigned to any other role. Only those who are assigned the Windows Defender ATP administrator role, has access to all machine groups. ## Edit roles From 4b680098dc03cf665eb03aec49cec1bbc10b74ec Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 28 May 2019 14:45:08 -0700 Subject: [PATCH 10/21] Updated what's new --- .../mdm/new-in-windows-mdm-enrollment-management.md | 4 +++- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 568389f6f7..6fecea0699 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -115,6 +115,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
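Review bot: The final wording in this hunk still has a subject-verb mismatch and a stray comma: "Only those who are assigned the Windows Defender ATP administrator role, has access to all machine groups." should read "Only those who are assigned the Windows Defender ATP administrator role have access to all machine groups." Since this single line is revised in patches 02, 03, 07 and 09 of the same series, consider squashing those into one commit so the history carries one reviewed sentence rather than four.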
  • [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
  • [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
  • [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
  • +
  • [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
  • [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
  • [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
  • [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
  • @@ -1868,16 +1869,17 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| +|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
    DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| |[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| |[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
    DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

    Updated description of the following policies:
    DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| |[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
    ShowLockOnUserTile.| |[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
    AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| |[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
    EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| |[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
    AllowFindMyFiles.| +|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
    SvchostProcessMitigation.| |[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
    AllowCommercialDataPipeline, TurnOffFileHistory.| |[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
    AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| |[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
    AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.| -|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
    DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| ### April 2019 diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index b879cef048..d8eed119eb 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: Heidilohr -ms.date: 05/10/2019 +ms.date: 05/21/2019 --- # Policy CSP - ServiceControlManager From b56cec66934ee006a0255f22b342e7b09b7ea152 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 May 2019 10:16:56 -0700 Subject: [PATCH 11/21] Added new policy to TOC --- windows/client-management/mdm/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3e6ae32cb4..54ce71766b 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -245,6 +245,7 @@ #### [RestrictedGroups](policy-csp-restrictedgroups.md) #### [Search](policy-csp-search.md) #### [Security](policy-csp-security.md) +#### [ServiceControlManager](policy-csp-servicecontrolmanager.md) #### [Settings](policy-csp-settings.md) #### [SmartScreen](policy-csp-smartscreen.md) #### [Speech](policy-csp-speech.md) From fd36b9c68a09dec9ed667dc362cedd34309959ae Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 29 May 2019 10:40:28 -0700 Subject: [PATCH 12/21] Removed prerelease warning --- .../client-management/mdm/policy-csp-servicecontrolmanager.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index d8eed119eb..18c9500905 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -11,9 +11,6 @@ ms.date: 05/21/2019 # Policy CSP - ServiceControlManager -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
    From c7450ca03b86fb9ac23aff1cd698a239d99e92a1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 29 May 2019 15:27:48 -0700 Subject: [PATCH 13/21] update casing for conditional access --- .../threat-protection/microsoft-defender-atp/TOC.md | 4 ++-- .../microsoft-defender-atp/conditional-access.md | 6 +++--- .../whats-new-in-microsoft-defender-atp.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index cb802c617a..02693d3915 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -98,7 +98,7 @@ #### [Managed security service provider support](mssp-support.md) ### [Microsoft Threat Protection](threat-protection-integration.md) -#### [Protect users, data, and devices with conditional access](conditional-access.md) +#### [Protect users, data, and devices with Conditional Access](conditional-access.md) #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview](information-protection-in-windows-overview.md) @@ -360,7 +360,7 @@ #### [Configure managed security service provider (MSSP) support](configure-mssp-support.md) ### Configure Microsoft Threat Protection integration -#### [Configure conditional access](configure-conditional-access.md) +#### [Configure Conditional Access](configure-conditional-access.md) #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) ####[Configure information protection in Windows](information-protection-in-windows-config.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index f4a0532ef7..b3305f93aa 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -1,6 +1,6 @@ --- -title: Enable conditional access to better protect users, devices, and data -description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. +title: Enable Conditional Access to better protect users, devices, and data +description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Enable conditional access to better protect users, devices, and data +# Enable Conditional Access to better protect users, devices, and data **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 619b30d34a..b25652932d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -100,7 +100,7 @@ Query data using Advanced hunting in Microsoft Defender ATP. >[!NOTE] >Available from Windows 10, version 1803 or later. -- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
    Enable conditional access to better protect users, devices, and data. +- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
    Enable conditional access to better protect users, devices, and data. - [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
    The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. From 9a4579a84928a8ac45fc2bedd3fb1257be675e23 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 29 May 2019 16:08:10 -0700 Subject: [PATCH 14/21] update casing for conditional access --- .../conditional-access.md | 28 +++++++++---------- .../configure-conditional-access.md | 18 ++++++------ .../threat-protection-integration.md | 6 ++-- 3 files changed, 26 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index b3305f93aa..396e2730fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md 
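Review bot: The casing change in the whats-new-in-microsoft-defender-atp.md hunk at @@ -100,7 +100,7 @@ is only half applied: the link text becomes "Conditional Access", but the description on the added line still reads "Enable conditional access to better protect users, devices, and data." Since the commit exists to make the product-name casing consistent, update that description in the same hunk; patch 14 touches the other three files but not this one.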
@@ -26,26 +26,26 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) -Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. +Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. -With conditional access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications. +With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications. You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. -The implementation of conditional access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. +The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. -The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. +The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications. 
-## Understand the conditional access flow -Conditional access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. +## Understand the Conditional Access flow +Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune. -Depending on how you configure policies in Intune, conditional access can be set up so that when certain conditions are met, the policy is applied. +Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied. -For example, you can configure Intune to apply conditional access on devices that have a high risk. +For example, you can configure Intune to apply Conditional Access on devices that have a high risk. -In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched. +In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. 
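Review bot: In the conditional-access.md hunk at @@ -26,26 +26,26 @@, the added line "...is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies." keeps the lower-case form while every other occurrence in the hunk, including "Azure AD Conditional Access" a few lines later, is changed to "Conditional Access"; apply the same casing there so the page does not mix both forms in adjacent paragraphs.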
@@ -54,23 +54,23 @@ To resolve the risk found on a device, you'll need to return the device to a com There are three ways to address a risk: 1. Use Manual or automated remediation. 2. Resolve active alerts on the machine. This will remove the risk from the machine. -3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine. +3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine. -Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access.md). +Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md). When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted. -The following example sequence of events explains conditional access in action: +The following example sequence of events explains Conditional Access in action: 1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. -3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is applied to block access to applications. +3. 
Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications. 4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. ## Related topic -- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access.md) +- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 87e9fe515f..e6023b38fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -1,5 +1,5 @@ --- -title: Configure conditional access in Microsoft Defender ATP +title: Configure Conditional Access in Microsoft Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh @@ -18,11 +18,11 @@ ms.topic: article ms.date: 09/03/2018 --- -# Configure conditional access in Microsoft Defender ATP +# Configure Conditional Access in Microsoft Defender ATP **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This section guides you through all the steps you need to take to properly implement conditional access. +This section guides you through all the steps you need to take to properly implement Conditional Access. ### Before you begin >[!WARNING] 
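Review bot: the front matter of configure-conditional-access.md visible in the first hunk still has empty `description:` and `keywords:` fields, and `ms.date: 09/03/2018` in the second hunk is left untouched although the title and H1 are being changed; fill in a one-line description (it feeds search results and link previews) and bump ms.date while the file is open.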
@@ -43,12 +43,12 @@ There are steps you'll need to take in Microsoft Defender Security Center, the I > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. -Take the following steps to enable conditional access: +Take the following steps to enable Conditional Access: - Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center - Step 2: Turn on the Microsoft Defender ATP integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy -- Step 5: Create an Azure AD conditional access policy +- Step 5: Create an Azure AD Conditional Access policy ### Step 1: Turn on the Microsoft Intune connection 
@@ -85,17 +85,17 @@ Take the following steps to enable conditional access: 4. Include or exclude your Azure AD groups to assign them the policy. 5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. -### Step 5: Create an Azure AD conditional access policy -1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**. +### Step 5: Create an Azure AD Conditional Access policy +1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**. 2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. 3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. 4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. -5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. +5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. 6. Select **Enable policy**, and then **Create** to save your changes. -For more information, see [Enable Microsoft Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). 
+For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 1c97445131..14c2504769 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -40,8 +40,8 @@ Microsoft Defender ATP provides a comprehensive server protection solution, incl ## Azure Information Protection Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. -## Conditional access -Microsoft Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. +## Conditional Access +Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. ## Microsoft Cloud App Security @@ -56,7 +56,7 @@ The Skype for Business integration provides s a way for analysts to communicate ## Related topic -- [Protect users, data, and devices with conditional access](conditional-access.md) +- [Protect users, data, and devices with Conditional Access](conditional-access.md) From fceb77a74a11a6dcda2076de1cc00a01263cbdf2 Mon Sep 17 00:00:00 2001 
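Review bot: the unchanged context around the renamed `## Conditional Access` heading in threat-protection-integration.md carries two typos worth fixing in the same pass: `data data discovery and data protection` in the Azure Information Protection paragraph, and `provides s a way for analysts` in the hunk header line of the Skype for Business section. Suggest `data discovery and data protection` and `provides a way for analysts`.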
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:20:47 -0500 Subject: [PATCH 15/21] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index d20e9fe3e2..e9e4a5a090 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. Administrator permissions cannot be assigned to any other role. Only those who are assigned the Windows Defender ATP administrator role, has access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions with exclusive access to all machine groups. Administrator permissions cannot be assigned to any other role. ## Edit roles From ac3bc9460a48140b99f82dbbd5df8b579f89a98e Mon Sep 17 00:00:00 2001 
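Review bot: the rewritten note, `administrator permissions with exclusive access to all machine groups`, can be read as the administrator role being the only role with any machine-group access at all, whereas the removed sentence only said that administrators are the ones who see all groups; the hunk header (`you'll need to create a machine group and provide access t...`) shows the section is about granting other roles scoped access, so the narrower meaning matters. Suggest `The Windows Defender ATP administrator (default) role has administrator permissions and is the only role with access to all machine groups. Administrator permissions cannot be assigned to any other role.`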
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:28:12 -0500 Subject: [PATCH 16/21] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index e9e4a5a090..62d5742ecc 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -82,5 +82,5 @@ After creating roles, you'll need to create a machine group and provide access t ## Related topics -- [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [User basic permissions to access the portal](basic-permissions.md) - [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) From 4367b6fdb1785ad0b7a03c99eaa8eb3f3159d884 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:28:27 -0500 Subject: [PATCH 17/21] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
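Review bot: the link target is changed to `basic-permissions.md`, a path relative to `windows-defender-atp/`, but nothing in this patch creates or renames a file there, and PATCH 20 later in this series has to repoint the same line to `../microsoft-defender-atp/basic-permissions.md`; as landed, this commit leaves the Related topics link broken. A link fix that depends on a file living elsewhere should use the final relative path from the start.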
diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 62d5742ecc..17cd72f54c 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -83,4 +83,4 @@ After creating roles, you'll need to create a machine group and provide access t ## Related topics - [User basic permissions to access the portal](basic-permissions.md) -- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) +- [Create and manage machine groups](machine-groups.md) From c30ca570df2f5f1b25497466f9d5777b64145e47 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:40:18 -0500 Subject: [PATCH 18/21] Rename user-roles-windows-defender-advanced-threat-protection.md to user-roles.md --- ...ndows-defender-advanced-threat-protection.md => user-roles.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/windows-defender-atp/{user-roles-windows-defender-advanced-threat-protection.md => user-roles.md} (100%) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/windows-defender-atp/user-roles.md From a9e5ac5ee637b31b23d5e7a3a7eaf78b63f283b9 Mon Sep 17 00:00:00 2001 
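Review bot: `machine-groups.md` is resolved relative to `windows-defender-atp/`, where this patch neither creates nor renames such a file, and PATCH 20 in this series corrects the same line to `../microsoft-defender-atp/machine-groups.md`, so the link is broken between the two commits. The PATCH 18 rename of `user-roles-windows-defender-advanced-threat-protection.md` to `user-roles.md` likewise touches no inbound links; a search for the old filename across the repo belongs in that commit.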
From: Michael Niehaus Date: Wed, 29 May 2019 19:00:29 -0700 Subject: [PATCH 19/21] Update white-glove.md Updated doc to reflect that flighted features are no longer required, feature is now in public preview. Fixed some formatting issues. --- .../windows-autopilot/white-glove.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 88ac95d477..5e871a2c28 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -15,13 +15,13 @@ ms.topic: article # Windows Autopilot for white glove deployment -**Applies to: Windows 10, version 1903** +**Applies to: Windows 10, version 1903** (preview) Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready. ![OEM](images/wg01.png) -Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready​. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster. +Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster. With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device. 
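Review bot: `(preview)` is appended outside the bold `**Applies to: Windows 10, version 1903**`, so it renders in a different weight from the rest of the line; move it inside the bold span, and since the commit message says the feature is now in public preview, state that in the body text as well rather than only in the heading. The unchanged context in the same hunk also carries `neceesary settings and polices`; fix to `necessary settings and policies` while the paragraph is being edited.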
@@ -34,7 +34,7 @@ Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following: - Windows 10, version 1903 or later is required. -- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error. +- An Intune subscription. - Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements. - Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device. 
@@ -49,12 +49,12 @@ If these scenarios cannot be completed, Windows Autopilot for white glove deploy To enable white glove deployment, an additional Autopilot profile setting must be configured: ->[!TIP] ->To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement. - ![allow white glove](images/allow-white-glove-oobe.png) -The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. **Note**: other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. +The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. + +>[!NOTE] +>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. ## Scenarios 
@@ -82,16 +82,16 @@ Regardless of the scenario, the process to be performed by the technician is the ![landing](images/landing.png) - Click **Provision** to begin the provisioning process. + If the pre-provisioning process completes successfully: - A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps. + ![white-glove-result](images/white-glove-result.png) - Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user. If the pre-provisioning process fails: - A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps. - Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again. - ![white-glove-result](images/white-glove-result.png) - ### User flow If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps: From d564317c9fe04de7427a9601ce5cb6039a6aaa65 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 29 May 2019 20:29:02 -0700 Subject: [PATCH 20/21] fix link errors --- .../access-control/special-identities.md | 2 +- .../hello-how-it-works-technology.md | 12 ++++++------ .../windows-defender-atp/user-roles.md | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 2dfcc827e9..0a07c86b2d 100644 
--- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -82,7 +82,7 @@ The special identity groups are described in the following tables: - [This Organization](#this-organization) -- [Window Manager\\Window Manager Group](#window-manager\\window-manager-group) +- [Window Manager\\Window Manager Group](#window-manager-window-manager-group) ## Anonymous Logon diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index c8fbed37c7..d8188d7782 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -34,8 +34,8 @@ ms.date: 10/08/2018 - [Key Trust](#key-trust) - [Managed Environment](#managed-environment) - [On-premises Deployment](#on-premises-deployment) -- [Pass-through Authentication](#passthrough-authentication) -- [Password Hash Synchronization](#password-hash-synchronization) +- [Pass-through Authentication](#pass-through-authentication) +- [Password Hash Synchronization](#password-hash-sync) - [Primary Refresh Token](#primary-refresh-token) - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) 
@@ -212,9 +212,9 @@ The key trust model uses the user's Windows Hello for Business identity to authe Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services. ### Related topics -[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization) +[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync) -[Return to Top](#Technology-and-Terms) +[Return to Top](#technology-and-terms) ## On-premises Deployment The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. 
@@ -235,7 +235,7 @@ Provides a simple password validation for Azure AD authentication services using ### More information - [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) -[Return to Top](#hello-how-it-works-technology.md) +[Return to Top](hello-how-it-works-technology.md) ## Password Hash Sync The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. 
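Review bot: the corrected link `[Return to Top](hello-how-it-works-technology.md)` points at the file itself rather than at the `#technology-and-terms` heading anchor that the other `Return to Top` links fixed in this same patch use (in the Managed Environment and Primary Refresh Token sections); use `[Return to Top](#technology-and-terms)` here too so all of them behave the same and the link does not depend on the file's own name.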
@@ -253,7 +253,7 @@ The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a si The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. -[Return to Top](#Technology-and-Terms) +[Return to Top](#technology-and-terms) ## Storage Root Key The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles.md b/windows/security/threat-protection/windows-defender-atp/user-roles.md index 17cd72f54c..d007b7028e 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles.md @@ -82,5 +82,5 @@ After creating roles, you'll need to create a machine group and provide access t ## Related topics -- [User basic permissions to access the portal](basic-permissions.md) -- [Create and manage machine groups](machine-groups.md) +- [User basic permissions to access the portal](../microsoft-defender-atp/basic-permissions.md) +- [Create and manage machine groups](../microsoft-defender-atp/machine-groups.md) From 124d73a741534f395cf0334a80f2687368a796e6 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 29 May 2019 21:10:26 -0700 Subject: [PATCH 21/21] fix link error --- .../hello-for-business/hello-how-it-works-technology.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index d8188d7782..183203f5d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -229,7 +229,7 @@ The Windows Hello for Business on-premises deployment is for organizations that Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related topics -[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization) +[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync) ### More information