deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 00:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20221214-whfb-hybrid

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-12-28 11:15:38 -05:00
commit 3d577b4484
41 changed files with 186 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
education/includes/education-content-updates.md
View File

@ -2,6 +2,14 @@
## Week of December 19, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
## Week of December 12, 2022 ## Week of December 12, 2022

128
education/windows/windows-11-se-overview.md
View File

@ -80,70 +80,70 @@ The following table lists all the applications included in Windows 11 SE and the
The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1] The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
| Application | Supported version | App Type | Vendor | | Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------| |-------------------------------------------|-------------------|----------|-------------------------------------------|
| 3d builder | 15.2.10821.1070 | Win32 | Microsoft | | `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` |
|Absolute Software Endpoint Agent | 7.20.0.1 | Win32 | Absolute Software Corporation| | `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
| AirSecure | 8.0.0 | Win32 | AIR | | `AirSecure` | 8.0.0 | Win32 | `AIR` |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
| Brave Browser | 106.0.5249.65 | Win32 | Brave | | `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| CA Secure Browser | 14.0.0 | Win32 | Cambium Development | | `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | | `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
| CKAuthenticator | 3.6+ | Win32 | Content Keeper | | `CKAuthenticator` | 3.6+ | Win32 | `Content Keeper` |
| Class Policy | 114.0.0 | Win32 | Class Policy | | `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| Classroom.cloud | 1.40.0004 | Win32 | NetSupport | | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights | | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation | | `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| Duo from Cisco | 2.25.0 | Win32 | Cisco | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | | `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
| Epson iProjection | 3.31 | Win32 | Epson | | `Epson iProjection` | 3.31 | Win32 | `Epson` |
| eTests | 4.0.25 | Win32 | CASAS | | `eTests` | 4.0.25 | Win32 | `CASAS` |
| FortiClient | 7.2.0.4034+ | Win32 | Fortinet | | `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft | | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd | | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| GoGuardian | 1.4.4 | Win32 | GoGuardian | | `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| Google Chrome | 102.0.5005.115 | Win32 | Google | | `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | | `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| Immunet | 7.5.0.20795 | Win32 | Immunet | | `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software | | `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
| Inspiration 10 | 10.11 | Win32 | TechEdology Ltd | | `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific | | `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| Kite Student Portal | 9.0.0.0 | Win32 | Dynamic Learning Maps | | `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
| Kortext | 2.3.433.0 | Store | Kortext | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems | | `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. | | `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. | | `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems | | `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation | | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| Microsoft Connect | 10.0.22000.1 | Store | Microsoft | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| Mozilla Firefox | 99.0.1 | Win32 | Mozilla | | `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
| NAPLAN | 2.5.0 | Win32 | NAP | | `NAPLAN` | 2.5.0 | Win32 | `NAP` |
| Netref Student | 22.2.0 | Win32 | NetRef | | `Netref Student` | 22.2.0 | Win32 | `NetRef` |
| NetSupport Manager | 12.01.0014 | Win32 | NetSupport | | `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport | | `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
| NetSupport School | 14.00.0011 | Win32 | NetSupport | | `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies | | `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access | | `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA | | `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
| PaperCut | 22.0.6 | Win32 | PaperCut Software International Pty Ltd | | `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| Pearson TestNav | 1.10.2.0 | Store | Pearson | | `Pearson TestNav` | 1.10.2.0 | `Store` | `Pearson` |
| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc | | `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. | | `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft | | `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
| Remote Help | 3.8.0.12 | Win32 | Microsoft | | `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | | `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| Smoothwall Monitor | 2.8.0 | Win32 | Smoothwall Ltd | `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | | `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
| VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| Winbird | 19 | Win32 | Winbird Co., Ltd. | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| WordQ | 5.4.23 | Win32 | Mathetmots | | `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
| Zoom | 5.9.1 (2581) | Win32 | Zoom | | `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific | | `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific | | `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
## Add your own applications ## Add your own applications

4
windows/client-management/azure-active-directory-integration-with-mdm.md
View File

@ -1,6 +1,6 @@
--- ---
title: Azure Active Directory integration with MDM title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service. description: Azure Active Directory is the world's largest enterprise cloud identity management service.
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
@ -14,7 +14,7 @@ ms.date: 12/31/2017
# Azure Active Directory integration with MDM # Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. Azure Active Directory is the world's largest enterprise cloud identity management service. Its used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
Once a device is enrolled in MDM, the MDM: Once a device is enrolled in MDM, the MDM:

2
windows/configuration/kiosk-single-app.md
View File

@ -337,7 +337,7 @@ To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then si
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.

10
windows/deployment/do/mcc-isp-faq.yml
View File

@ -28,12 +28,18 @@ sections:
- question: What are the prerequisites and hardware requirements? - question: What are the prerequisites and hardware requirements?
answer: | answer: |
- Azure subscription - Azure subscription
- Hardware to host Microsoft Connected Cache: - Hardware to host Microsoft Connected Cache
- Ubuntu 20.04 LTS on a physical server or VM of your choice.
> [!NOTE]
> The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 20.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support?view=iotedge-2020-11#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS.
The following are recommended hardware configurations:
<!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring--> <!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring-->
[!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)] [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)]
We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification: We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
- Dell PowerEdge R330 - Dell PowerEdge R330
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s

2
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -64,7 +64,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | | [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | | [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |

3
windows/deployment/update/servicing-stack-updates.md
View File

@ -21,6 +21,7 @@ ms.date: 12/31/2017
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Windows Server
## What is a servicing stack update? ## What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
@ -61,3 +62,5 @@ Typically, the improvements are reliability and performance improvements that do
## Simplifying on-premises deployment of servicing stack updates ## Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382. With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.

11
windows/deployment/update/wufb-reports-configuration-intune.md
View File

@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart ms.author: mstewart
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: article ms.topic: article
ms.date: 12/05/2022 ms.date: 12/22/2022
ms.technology: itpro-updates ms.technology: itpro-updates
--- ---
@ -27,7 +27,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/
## Create a configuration profile ## Create a configuration profile
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports: Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports (select one):
- The [settings catalog](#settings-catalog) - The [settings catalog](#settings-catalog)
- [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile - [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile
@ -45,9 +45,12 @@ Create a configuration profile that will set the required policies for Windows U
- **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
- **Setting**: Allow Update Compliance Processing - **Setting**: Allow Update Compliance Processing
- **Value**: Enabled - **Value**: Enabled
1. Recommended settings, but not required:
- **Setting**: Configure Telemetry Opt In Settings Ux
- **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*)
- **Setting**: Configure Telemetry Opt In Change Notification - **Setting**: Configure Telemetry Opt In Change Notification
1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports: - **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*)
- **Setting**: Allow device name to be sent in Windows diagnostic data - **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*)
- **Value**: Allowed - **Value**: Allowed
1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. 1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.

1
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -203,6 +203,7 @@ The following table indicates which command-line options aren't compatible with
|**/encrypt**|Required*|X|X|| |**/encrypt**|Required*|X|X||
|**/keyfile**|N/A||X|| |**/keyfile**|N/A||X||
|**/l**||||| |**/l**|||||
|**/listfiles**|||X||
|**/progress**|||X|| |**/progress**|||X||
|**/r**|||X|| |**/r**|||X||
|**/w**|||X|| |**/w**|||X||

8
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -29,16 +29,16 @@ sections:
- question: What is Windows Hello for Business cloud Kerberos trust? - question: What is Windows Hello for Business cloud Kerberos trust?
answer: | answer: |
Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). Windows Hello for Business *cloud Kerberos trust* is a **trust model** that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
- question: What about virtual smart cards? - question: What about virtual smart cards?
answer: | answer: |
Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business.
- question: What about convenience PIN? - question: What about convenience PIN?
answer: | answer: |
Microsoft is committed to its vision of a <u>world without passwords.</u> We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. While *convenience PIN* provides a convenient way to sign in to Windows, it stills uses a password for authentication. Customers using *convenience PINs* should move to **Windows Hello for Business**. New Windows deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
- question: Can I use Windows Hello for Business key trust and RDP? - question: Can I use Windows Hello for Business key trust and RDP?
answer: | answer: |
@ -94,7 +94,7 @@ sections:
- question: Can I use a convenience PIN with Azure Active Directory? - question: Can I use a convenience PIN with Azure Active Directory?
answer: | answer: |
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera? - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
answer: | answer: |

4
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -45,9 +45,9 @@ Windows stores biometric data that is used to implement Windows Hello securely o
## The difference between Windows Hello and Windows Hello for Business ## The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication. - Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as *Windows Hello convenience PIN* and it's not backed by asymmetric (public/private key) or certificate-based authentication.
- **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**. - *Windows Hello for Business*, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than *Windows Hello convenience PIN*.
## Benefits of Windows Hello ## Benefits of Windows Hello

5
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -35,6 +35,11 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
> [!NOTE]
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
## Managing workplace-joined PCs and phones ## Managing workplace-joined PCs and phones
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.

4
windows/security/information-protection/personal-data-encryption/overview-pde.md
View File

@ -48,11 +48,11 @@ ms.date: 12/13/2022
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)

14
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -20,8 +20,9 @@ ms.date: 12/31/2017
**Applies to** **Applies to**
- Windows 11 - Windows 11
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2022
- Windows Server 2019 - Windows Server 2019
- Windows Server 2016
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
@ -74,15 +75,14 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled? - Is SecureBoot supported and enabled?
> [!NOTE] > [!NOTE]
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. > Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation ## Supported versions for device health attestation
| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 | | TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 |
|-------------|-------------|-------------|---------------------|---------------------| |-------------|-------------|-------------|---------------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes | | TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
| TPM 2.0 | Yes | Yes | Yes | Yes | | TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
## Related topics ## Related topics

4
windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
View File

@ -172,3 +172,7 @@ Resource SACLs are also useful for diagnostic scenarios. For example, administra
This category includes the following subcategories: This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) - [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)

2
windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
View File

@ -38,6 +38,6 @@ Basic security audit policy settings are found under Computer Configuration\\Win
## Related topics ## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)

6
windows/security/threat-protection/auditing/event-4661.md
View File

@ -158,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
**Access Request Information:** **Access Request Information:**
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” - **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. > **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources. - **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources. - **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: - **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:

4
windows/security/threat-protection/auditing/event-4691.md
View File

@ -126,9 +126,9 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ
**Access Request Information:** **Access Request Information:**
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources. - **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources. - **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
## Security Monitoring Recommendations ## Security Monitoring Recommendations

2
windows/security/threat-protection/auditing/event-5140.md
View File

@ -133,7 +133,7 @@ This event generates once per session, when first access attempt was made.
**Access Request Information:** **Access Request Information:**
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event. - **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event. - **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.

2
windows/security/threat-protection/auditing/event-5145.md
View File

@ -135,7 +135,7 @@ This event generates every time network share object (file or folder) was access
**Access Request Information:** **Access Request Information:**
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. - **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. - **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.

2
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -82,7 +82,7 @@ Application Guard functionality is turned off by default. However, you can quick
3. Type the following command: 3. Type the following command:
``` ```
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
``` ```
4. Restart the device. 4. Restart the device.

1
windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Account lockout duration # Account lockout duration
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.

1
windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Account Lockout Policy # Account Lockout Policy
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the Account Lockout Policy settings and links to information about each policy setting. Describes the Account Lockout Policy settings and links to information about each policy setting.

1
windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Account lockout threshold # Account lockout threshold
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting.

1
windows/security/threat-protection/security-policy-settings/account-policies.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Account Policies # Account Policies
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
An overview of account policies in Windows and provides links to policy descriptions. An overview of account policies in Windows and provides links to policy descriptions.

2
windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
View File

@ -94,7 +94,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager** **To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](/archive/blogs/secguide/) blog. 1. Download the most recent version. You can find more info on the [Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) blog.
1. Read the relevant security baseline documentation that is included in this tool. 1. Read the relevant security baseline documentation that is included in this tool.
1. Download and import the relevant security baselines. The installation process steps you through baseline selection. 1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. 1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.

1
windows/security/threat-protection/security-policy-settings/audit-policy.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Audit Policy # Audit Policy
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Provides information about basic audit policies that are available in Windows and links to information about each setting. Provides information about basic audit policies that are available in Windows and links to information about each setting.

1
windows/security/threat-protection/security-policy-settings/enforce-password-history.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Enforce password history # Enforce password history
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting. Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.

1
windows/security/threat-protection/security-policy-settings/maximum-password-age.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Maximum password age # Maximum password age
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting. Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.

1
windows/security/threat-protection/security-policy-settings/minimum-password-age.md
View File

@ -19,6 +19,7 @@ ms.topic: conceptual
# Minimum password age # Minimum password age
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting. Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.

1
windows/security/threat-protection/security-policy-settings/minimum-password-length.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Minimum password length # Minimum password length
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.

1
windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
View File

@ -22,6 +22,7 @@ ms.date: 12/31/2017
# Password must meet complexity requirements # Password must meet complexity requirements
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting. Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.

1
windows/security/threat-protection/security-policy-settings/password-policy.md
View File

@ -22,6 +22,7 @@ ms.technology: itpro-security
# Password Policy # Password Policy
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
An overview of password policies for Windows and links to information for each policy setting. An overview of password policies for Windows and links to information for each policy setting.

1
windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Reset account lockout counter after # Reset account lockout counter after
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting.

1
windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Advanced security audit policy settings for Windows 10 # Advanced security audit policy settings for Windows 10
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.

1
windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
View File

@ -20,6 +20,7 @@ ms.technology: itpro-security
# Store passwords using reversible encryption # Store passwords using reversible encryption
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting. Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.

11
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -398,6 +398,17 @@ The following GPO snippet performs the following tasks:
![configure event channels.](images/capi-gpo.png) ![configure event channels.](images/capi-gpo.png)
The following table also contains the six actions to configure in the GPO:
| Program/Script | Arguments |
|------------------------------------|----------------------------------------------------------------------------------------------------------|
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true |
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 |
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 |
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" |
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true |
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 |
## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration ## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
Here are the minimum steps for WEF to operate: Here are the minimum steps for WEF to operate:

11
windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
View File

@ -35,8 +35,6 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information. There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
This can only be done in Group Policy.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -47,6 +45,9 @@ This can only be done in Group Policy.
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
> [!NOTE]
> This can only be done in Group Policy.
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. 5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
@ -58,5 +59,7 @@ This can only be done in Group Policy.
7. Select **OK** after you configure each setting to save your changes. 7. Select **OK** after you configure each setting to save your changes.
>[!IMPORTANT] To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
> [!IMPORTANT]
> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.

8
windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
View File

@ -49,7 +49,7 @@ Windows Sandbox has the following properties:
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization: - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
```powershell ```powershell
Set-VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
``` ```
3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. 3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
@ -57,7 +57,11 @@ Windows Sandbox has the following properties:
If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2. If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
> [!NOTE] > [!NOTE]
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**. > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
>
> ```powershell
> Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
> ```
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. 4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.

2
windows/security/zero-trust-windows-device-health.md
View File

@ -13,7 +13,7 @@ ms.date: 12/31/2017
--- ---
# Zero Trust and Windows device health # Zero Trust and Windows device health
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever theyre located. Implementing a Zero Trust model for security helps addresses today's complex environments. Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever theyre located. Implementing a Zero Trust model for security helps address today's complex environments.
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:

7
windows/whats-new/whats-new-windows-10-version-1809.md
View File

@ -286,9 +286,12 @@ One of the things weve heard from you is that its hard to know when you
## Remote Desktop with Biometrics ## Remote Desktop with Biometrics
Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol.
Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. Azure Active Directory and Active Directory users using Windows Hello for Business in a certificate trust model, can use biometrics to authenticate to a remote desktop session.
To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the device you want to connect to, and select **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. Windows uses biometrics to authenticate the RDP session to the Windows device. You can continue to use Windows Hello for Business in the remote session, but in the remote session you must use the PIN.
See the following example: See the following example: