From b8dbc9f77aa1cc31d0c7eaa7506e244a58b2a12b Mon Sep 17 00:00:00 2001 From: Jonas Bülow Knudsen Date: Tue, 25 May 2021 10:33:09 -0700 Subject: [PATCH 01/33] Fix wrong RID of WinRMRemoteWMIUsers__ The RID of WinRMRemoteWMIUsers__ is not always 1000. I have seen many domains where it is not. --- .../access-control/active-directory-security-groups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index ec30cea998..9b9c40977d 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -3716,7 +3716,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Well-Known SID/RID

-

S-1-5-21-<domain>-1000

+

S-1-5-21-<domain>-<variable RID>

Type
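Review bot: with the RID no longer fixed, the `Well-Known SID/RID` row for this group becomes misleading: RIDs of 1000 and above are allocated per domain when the object is created, so this group does not actually have a well-known SID. Keep the new `S-1-5-21-<domain>-<variable RID>` value, but add a short sentence under it saying that the RID is assigned at creation time and differs between domains, so administrators should identify the group by name rather than by a hard-coded SID in scripts and policies.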

@@ -3760,4 +3760,4 @@ This security group was introduced in Windows Server 2012, and it has not chang - [Special Identities](special-identities.md) -- [Access Control Overview](access-control.md) \ No newline at end of file +- [Access Control Overview](access-control.md) From 2af58b3c0500007ee32bdae18efa70245ffc00c8 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 26 Jul 2021 10:58:58 -0500 Subject: [PATCH 02/33] Update security-compliance-toolkit-10.md Updating Edge baseline version we are posting now --- .../threat-protection/security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 2a578d07ab..2ec5067168 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -45,7 +45,7 @@ The Security Compliance Toolkit consists of: - Microsoft 365 Apps for enterprise, Version 2104 - Microsoft Edge security baseline - - Version 88 + - Version 92 - Windows Update security baseline - Windows 10 20H2 and below (October 2020 Update) From f87da7e4ea4093caa59f525b40bd61add5d3c362 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 28 Jul 2021 16:22:08 +0530 Subject: [PATCH 03/33] Added Windows 11, added TPM link and added one column as per user feedback #9853, so I added Windows 11, added TPM link and added one column --- .../tpm/trusted-platform-module-overview.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 3261c5f549..e1638ef797 100644 
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -20,6 +20,7 @@ ms.date: 11/29/2018 # Trusted Platform Module Technology Overview **Applies to** +- Windows 11 - Windows 10 - Windows Server 2016 - Windows Server 2019 @@ -28,7 +29,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a ## Feature description -Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: +[Trusted Platform Module (TPM)](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: - Generate, store, and limit the use of cryptographic keys. 
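Review bot: the `+` line in the `## Feature description` hunk links the article's opening phrase to an absolute `https://docs.microsoft.com/...` URL. Links inside this docset should be site-relative (`/windows/security/information-protection/tpm/trusted-platform-module-top-node`) so they resolve on every docs host and locale and do not need updating when the domain changes; the rest of the line is unchanged and fine.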
@@ -54,7 +55,7 @@ Certificates can be installed or created on computers that are using the TPM. Af Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. -Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. +Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and later editions or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). 
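Review bot: in the `+` line, "Windows 10 and later editions" uses the wrong term. In Windows documentation "editions" are Home, Pro, Enterprise and so on, while Windows 11 is a later version; use "Windows 10 and later versions" (or list Windows 11 explicitly, as the other hunks in this patch do) so the support statement is unambiguous.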
@@ -75,14 +76,14 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 11, Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | -|-------------|-------------|---------------------|---------------------| -| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | -| TPM 2.0 | Yes | Yes | Yes | +| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 | +|-------------|-------------|-------------|---------------------|---------------------| +| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes | +| TPM 2.0 | Yes | Yes | Yes | Yes | ## Related topics From 97eb61919de22d42922b189746c7b0b99ee536bc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 28 Jul 2021 08:24:44 -0700 Subject: [PATCH 04/33] Update trusted-platform-module-overview.md --- .../tpm/trusted-platform-module-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index e1638ef797..503d582aca 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md 
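Review bot: in the rebuilt table the `TPM 1.2` / `Windows 11` cell is left empty, which a reader cannot distinguish from an accidental omission. Since Windows 11 requires TPM 2.0, state that outcome explicitly, for example `| TPM 1.2 | Not supported | >= ver 1607 | >= ver 1607 | Yes |`, and consider adding the same fact to the NOTE block above the table so the two agree.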
@@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/29/2018 --- # Trusted Platform Module Technology Overview From 27127d6e6bab4d75f43a80e10eb583ae4dd97615 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 29 Jul 2021 11:59:32 +0530 Subject: [PATCH 05/33] Update windows/security/information-protection/tpm/trusted-platform-module-overview.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../tpm/trusted-platform-module-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 503d582aca..dac70009f7 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md 
@@ -28,7 +28,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a ## Feature description -[Trusted Platform Module (TPM)](https://docs.microsoft.com/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: +[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: - Generate, store, and limit the use of cryptographic keys. From 22a104016f46f75ad9dfb1b94c7b2e0635181534 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 29 Jul 2021 12:00:07 +0530 Subject: [PATCH 06/33] Update windows/security/information-protection/tpm/trusted-platform-module-overview.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../tpm/trusted-platform-module-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index dac70009f7..248decde2f 100644 
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -75,7 +75,7 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 11, Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation From 9a4b46e52674cd808f41de3cf4d3d2624a7fa448 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 30 Jul 2021 15:09:47 -0400 Subject: [PATCH 07/33] Update CurrentBackgroundPath description --- windows/client-management/mdm/surfacehub-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 9755457f60..d7176692d7 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -295,7 +295,7 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -

Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +

Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

The data type is string. Supported operation is Get and Replace. @@ -317,12 +317,12 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/Whiteboard/SigninDisabled** +InBoxApps/Whiteboard/SigninDisabled

Sign-ins from the Whiteboard app are not allowed.

The data type is boolean. Supported operation is Get and Replace. -**InBoxApps/Whiteboard/TelemeteryDisabled** +InBoxApps/Whiteboard/TelemeteryDisabled

Telemetry collection from the Whiteboard app is not allowed.
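Review bot: the two `+` lines in this hunk drop the `**...**` bold markers from the `InBoxApps/Whiteboard/SigninDisabled` and `InBoxApps/Whiteboard/TelemeteryDisabled` node headings, while every other node in the file (for example `**InBoxApps/Welcome/CurrentBackgroundPath**` in the first hunk) keeps them. This looks unintended and is unrelated to the CurrentBackgroundPath description change the patch is about; restore the bold so node names stay consistent, or drop this hunk from the patch entirely.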

The data type is boolean. Supported operation is Get and Replace. @@ -572,7 +572,7 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. -**Properties/ProxyServers** +Properties/ProxyServers

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
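Review bot: the `+Properties/ProxyServers` line loses the bold markers that every other node heading in this file carries, and the hunk contains no other change. Keep `**Properties/ProxyServers**` and remove this hunk from the patch.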

The data type is string. Supported operation is Get and Replace. From da682650dba634c8555c679fb21ca3632b722478 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 30 Jul 2021 15:11:16 -0400 Subject: [PATCH 08/33] Fix bolding --- windows/client-management/mdm/surfacehub-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index d7176692d7..c6fe3027f0 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -317,12 +317,12 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. -InBoxApps/Whiteboard/SigninDisabled +**InBoxApps/Whiteboard/SigninDisabled**

Sign-ins from the Whiteboard app are not allowed.

The data type is boolean. Supported operation is Get and Replace. -InBoxApps/Whiteboard/TelemeteryDisabled +**InBoxApps/Whiteboard/TelemeteryDisabled**

Telemetry collection from the Whiteboard app is not allowed.

The data type is boolean. Supported operation is Get and Replace. @@ -571,8 +571,8 @@ SurfaceHub

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. - -Properties/ProxyServers + +**Properties/ProxyServers**

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
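Review bot: besides restoring `**Properties/ProxyServers**`, this hunk also rewrites the blank line above it (the `- ` / `+ ` pair), which reads as a whitespace-only change, most likely trailing whitespace being introduced. Keep the hunk to the heading fix and make sure the blank line stays genuinely empty; whitespace-only lines in front of headings are easy to miss in review and tend to bounce back and forth across follow-up commits.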

The data type is string. Supported operation is Get and Replace. From 4fb981d4e5c91052220c5a7b20c39b2753c53e47 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 30 Jul 2021 15:18:37 -0400 Subject: [PATCH 09/33] Fix bolding --- windows/client-management/mdm/surfacehub-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index c6fe3027f0..7c0a2bd53f 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -316,12 +316,12 @@ SurfaceHub

Invitations to collaborate from the Whiteboard app are not allowed.

The data type is boolean. Supported operation is Get and Replace. - + **InBoxApps/Whiteboard/SigninDisabled**

Sign-ins from the Whiteboard app are not allowed.

The data type is boolean. Supported operation is Get and Replace. - + **InBoxApps/Whiteboard/TelemeteryDisabled**

Telemetry collection from the Whiteboard app is not allowed. From 2774b33b4171a2521b777459c6a6580d0d1e7df4 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 2 Aug 2021 16:45:58 +0300 Subject: [PATCH 10/33] Add info about 0x80090010 https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9551 --- .../hello-for-business/hello-errors-during-pin-creation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 717d082664..476aed7683 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -82,6 +82,7 @@ For errors listed in this table, contact Microsoft Support for assistance. |-------------|---------| | 0X80072F0C | Unknown | | 0x80070057 | Invalid parameter or argument is passed. | +| 0x80090010 | NTE_PERM | | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE\_INTERNAL\_ERROR | @@ -110,4 +111,4 @@ For errors listed in this table, contact Microsoft Support for assistance. - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) From 4960f266b9d149bf45af15c8e5da63711c5acb00 Mon Sep 17 00:00:00 2001 
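Review bot: in patch 10, the new `| 0x80090010 | NTE_PERM |` row gives only the symbolic error name, while neighbouring rows either explain the condition (`Invalid parameter or argument is passed.`) or at least use the same `NTE\_...` escaping as `NTE\_FAIL` and `NTE\_INTERNAL\_ERROR`. Suggest `| 0x80090010 | NTE\_PERM (Access denied) |`, since NTE_PERM is the CryptoAPI/CNG access-denied status; that renders consistently with the rows around it and tells the reader what the error actually means before they contact support.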
From: Kim Klein Date: Mon, 9 Aug 2021 10:45:43 -0700 Subject: [PATCH 11/33] Created a new section Deploy Managed Installer. --- ...-apps-deployed-with-a-managed-installer.md | 99 +++++++++++++++++-- 1 file changed, 91 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 5028f2de9f..2b1f04c83c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -93,27 +93,86 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and Powershell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml - - + + + + - - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + ``` - ### Enable service enforcement in AppLocker policy Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
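Review bot: the new lead-in sentence lists PowerShell and PowerShell ISE among the example managed installers and then only says "Remove any rules that you do not wish to designate as a Managed Installer". That understates the consequence: every file written by a process that AppLocker has designated as a managed installer is tagged as managed-installer-originated and is then allowed by any WDAC policy with the managed installer option enabled, so designating a general-purpose interactive shell effectively lets anyone who can run `powershell.exe` produce binaries the policy will allow. Please say that explicitly and recommend that the PowerShell and PowerShell ISE rules be removed unless a deployment workflow genuinely depends on them. Minor: the casing should be `PowerShell` in both places on that line.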
@@ -214,3 +273,27 @@ Ea Value Length: 7e ## Enabling managed installer logging events Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. + +## Deploying the Managed Installer + +Once you've completed configuring your chosen Managed Installer, by specifying which to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. + +1. Using the following command to deploy the policy. + ```powershell + Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue + ``` + +2. Verify policy deployment + ```powershell + Get-AppLockerPolicy -Local + + Version RuleCollections RuleCollectionTypes + ------- --------------- ------------------- + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + ``` + Notice the output shows the ManagedInstaller rule is there. + +3. Get the policy XML (optional) using PS: + ```powershell + Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue + ``` \ No newline at end of file From 40db0defb89e68c9f6cddc97f6bb9f537b145272 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 10 Aug 2021 11:57:33 -0700 Subject: [PATCH 12/33] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...igure-authorized-apps-deployed-with-a-managed-installer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 2b1f04c83c..980f12be1b 100644 
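Review bot: in step 1 of the new "Deploying the Managed Installer" section, `$policyFile` is used before it is defined anywhere on the page, and `-ErrorAction SilentlyContinue` on `Set-AppLockerPolicy` hides exactly the failures a reader needs to see when deploying a policy (malformed XML, insufficient privilege, or a merge that silently did nothing); drop the switch, or at least pair it with `-ErrorVariable` and show the check, as step 3 already does. Note also that `-XmlPolicy` takes the path of an XML file, so the step should show where `$policyFile` comes from, for example the path to the saved rule-collection XML. In step 2, the `Get-AppLockerPolicy -Local` output only proves that a `ManagedInstaller` rule collection exists, not that it holds the intended rules; step 3 (`-Effective -Xml`) is the real verification and should be presented as recommended rather than optional.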
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 07/15/2021 +ms.date: 08/10/2021 ms.technology: mde --- @@ -296,4 +296,4 @@ Once you've completed configuring your chosen Managed Installer, by specifying w 3. Get the policy XML (optional) using PS: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue - ``` \ No newline at end of file + ``` From 79374e0892df854a1538d3555622f25b7bdb0c51 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 10 Aug 2021 12:05:54 -0700 Subject: [PATCH 13/33] Implemented Jordan's suggested edits. --- ...-authorized-apps-deployed-with-a-managed-installer.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 980f12be1b..3d3dfe707c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -283,17 +283,22 @@ Once you've completed configuring your chosen Managed Installer, by specifying w Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` -2. Verify policy deployment +2. Verify Deployment of the Rule set was successful ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ Get-AppLockerPolicy -Local Version RuleCollections RuleCollectionTypes ------- --------------- ------------------- 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` - Notice the output shows the ManagedInstaller rule is there. + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PS: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` + This command will show the raw XML to verify the individual rules that were set. \ No newline at end of file From 26ecad46c2b81d9cb37340ce6b7e187f76ddef09 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 10 Aug 2021 12:10:16 -0700 Subject: [PATCH 14/33] Made one correction and place policy file declaration in proper location. --- ...horized-apps-deployed-with-a-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3d3dfe707c..0ab03f97aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -280,22 +280,22 @@ Once you've completed configuring your chosen Managed Installer, by specifying w 1. Using the following command to deploy the policy. ```powershell + $policyFile= + @" + Raw_AppLocker_Policy_XML + "@ Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` 2. Verify Deployment of the Rule set was successful ```powershell - $policyFile= - @" - Raw_AppLocker_Policy_XML - "@ Get-AppLockerPolicy -Local Version RuleCollections RuleCollectionTypes ------- --------------- ------------------- - 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} + 1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...} ``` - Verify the output shows the ManagedInstaller rule set. + Verify the output shows the ManagedInstaller rule set. 3. Get the policy XML (optional) using PS: ```powershell From 664cd58e1cfefdd7101dc651d54d76aaf36c9ac9 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 11 Aug 2021 12:30:04 -0700 Subject: [PATCH 15/33] Applied addition edit suggestions. --- ...horized-apps-deployed-with-a-managed-installer.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 0ab03f97aa..15639fd8d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
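Review bot: moving the `$policyFile` assignment into step 1 fixes the ordering, but `$policyFile` is now a here-string holding raw policy XML while `Set-AppLockerPolicy -XmlPolicy` expects the path of an XML file, so as written the command fails (and with `-ErrorAction SilentlyContinue`, fails silently). Either write the here-string to a file and pass that path, or replace the here-string with a path assignment such as `$policyFile = 'C:\path\to\ManagedInstaller.xml'`. Also, PowerShell requires the closing `"@` of a here-string to start at the beginning of its line, so the indented `"@` shown inside the numbered list breaks when copied verbatim.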
@@ -93,7 +93,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and Powershell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. +An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer. ```xml @@ -274,11 +274,11 @@ Ea Value Length: 7e Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. -## Deploying the Managed Installer +## Deploying the Managed Installer rule collection -Once you've completed configuring your chosen Managed Installer, by specifying which to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. +Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it. -1. Using the following command to deploy the policy. +1. Use the following command to deploy the policy. ```powershell $policyFile= @" @@ -287,7 +287,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue ``` -2. Verify Deployment of the Rule set was successful +2. Verify Deployment of the ruleset was successful ```powershell Get-AppLockerPolicy -Local 
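Review bot: the first hunk fixes only the second occurrence; the `+` line still reads `Powershell, and PowerShell ISE`. Change both to `PowerShell`.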
@@ -297,7 +297,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ``` Verify the output shows the ManagedInstaller rule set. -3. Get the policy XML (optional) using PS: +3. Get the policy XML (optional) using PowerShell: ```powershell Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue ``` From 295e48f4c5b9363a3730442c7807e7ca8330b591 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Thu, 12 Aug 2021 12:05:05 -0400 Subject: [PATCH 16/33] Minor update --- windows/application-management/apps-in-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index bb35b3f5fc..3d8a9d9f4d 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Windows 10 - Apps +title: Learn about the different app types in Windows 10 | Microsoft Docs ms.reviewer: manager: dansimp description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. 
@@ -30,7 +30,7 @@ On your Windows 10 devices, you can run the following app types: - **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. But, not all Windows apps are UWP apps. - **Win32 apps**: These apps are traditional Windows applications. -This article lists the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. If you use custom images, your specific apps might be different. +This article lists the provisioned Windows apps and system apps installed on a standard Windows 10 Enterprise device. If you use custom images, your specific apps might be different. Some of the apps show up in multiple areas. That's because their status changed between versions. Make sure to check the version column for the version you're currently running. From ef14f044b2942c6e2cf5f6a26c6b0f805ad7d412 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 12 Aug 2021 22:27:45 +0530 Subject: [PATCH 17/33] updated commands as per user feedback #9892 , so I updated commands --- ...l-policy-to-control-specific-plug-ins-add-ins-and-modules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 5392e5253b..d4d91d5c31 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -38,7 +38,7 @@ For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** ```powershell $rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' -$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP2.exe' New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs ``` From 9180a1f6a39a84a9a5918d8b2f395f3675392ab4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Aug 2021 11:26:38 -0700 Subject: [PATCH 18/33] Update use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md --- ...l-policy-to-control-specific-plug-ins-add-ins-and-modules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index d4d91d5c31..9ffbd067e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -14,7 +14,7 @@ audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm -ms.date: 05/03/2018 +ms.date: 08/12/2021 ms.technology: mde --- 
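Review bot: in the plug-ins hunk (PATCH 17), the corrected second rule changes both the file (addin2.dll) and the host application (`-AppID '.\ERP2.exe'`), but the unchanged context sentence introduces the example as a policy allowing **addin1.dll** and **addin2.dll**, and the first rule still scopes addin1.dll to ERP1.exe; confirm that addin2.dll is meant to be allowed only inside ERP2.exe rather than alongside addin1.dll in ERP1.exe, and if two applications are now intended, update that sentence so readers do not copy a rule that silently scopes the add-in to the wrong process. The commit message should also say what was wrong (a duplicated addin1.dll line) rather than "updated commands".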
From a7f7baf4bf8b67ba9a73d9d8879388b71dd5d2ca Mon Sep 17 00:00:00 2001 From: "Carlos Mayol (MSFT)" Date: Fri, 13 Aug 2021 16:32:18 -0400 Subject: [PATCH 19/33] Removing ALLOW_ALL for FileRules These rules are enabling any executable regardless of the signers policies. --- .../microsoft-recommended-driver-block-rules.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index d409657e10..82728672e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -55,8 +55,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security - - @@ -315,7 +313,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security - @@ -425,7 +422,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security - From 1c8bcd351bf3efb659b3d35ff56560b8e1372cee Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 15 Aug 2021 07:55:30 +0500 Subject: [PATCH 20/33] Update deploy-a-windows-10-image-using-mdt.md --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 02c175e81b..39430e41e8 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
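Review bot: on the driver-block-rules patch (PATCH 19), the removed lines are not visible after extraction, but the shape (two lines at the FileRules hunk, one each in the two later hunks) matches deleting two Allow rules and their FileRuleRef entries from both signing scenarios; verify no remaining FileRuleRef points at the deleted IDs, since a dangling reference makes the policy fail to compile. The larger point is semantic: WDAC denies anything not explicitly allowed, so without the allow-all rules this XML only works when merged into a policy that already allows the drivers a device needs, and applied on its own in enforced mode it blocks every driver. The context line still says "merging this policy with your existing Windows Defender Application Control policy", which is the safe case; add one sentence saying the policy is no longer safe to deploy standalone, and keep the existing advice to validate in audit mode first.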
@@ -316,7 +316,7 @@ On **MDT01**: ### For the HP EliteBook 8560w -For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545). +For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. From 8f35a79ec111a40f09809f96ebc0d6663957521c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 16 Aug 2021 00:18:24 +0500 Subject: [PATCH 21/33] Update create-wmi-filters-for-the-gpo.md --- .../windows-firewall/create-wmi-filters-for-the-gpo.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 9ed555e0c8..e69a6c0c78 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md 
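Review bot: the unchanged context line after the edited sentence still reads "extracted the drivers for the HP EliteBook 8650w model", while the heading, the edited sentence and the folder path say 8560w; fix the transposed digits in the same change. Also, the new URL goes to the HP Image Assistant page on ftp.ext.hp.com, so the link text "HP Support site" no longer describes its target; call it the HP Image Assistant download page.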
@@ -66,7 +66,7 @@ First, create the WMI filter and configure it to look for a specified version (o ... where Version like "6.1%" or Version like "6.2%" ``` - To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. The following clause returns **true** for all devices that are not domain controllers: @@ -109,4 +109,4 @@ After you have created a filter with the correct query, link the filter to the G 3. Under **WMI Filtering**, select the correct WMI filter from the list. -4. Click **Yes** to accept the filter. \ No newline at end of file +4. Click **Yes** to accept the filter. From 3a296d61ee216a413ef6988253c6f50f666a48d1 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 16 Aug 2021 19:29:45 +0530 Subject: [PATCH 22/33] removed old version , added new version added new version of adobe dc acrobat reader, source #9894 --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
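Review bot: the edited ProductType sentence in the WMI filter hunk calls it a "parameter"; it is a property of the Win32_OperatingSystem class, and the page should tell readers how to confirm what a given host reports before relying on the new Windows 10 multi-session statement, for example `Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ProductType` run on a multi-session host. The second hunk only adds the missing newline at end of file and needs no change.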
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 02c175e81b..6d3a8ea77d 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. From cd9d0c1dbff3225b471e9d9e90d1acd03e75c7c2 Mon Sep 17 00:00:00 2001 From: Yuli Khodorkovskiy Date: Mon, 16 Aug 2021 12:40:57 -0400 Subject: [PATCH 23/33] Fix typo in lockout duration doc --- .../security-policy-settings/account-lockout-duration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 4df87c418a..859332a9a4 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md 
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -35,7 +35,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set - A user-defined number of minutes from 0 through 99,999 - Not defined -If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually. +If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually. It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. From 369b5906eceb71580e0d9251a548cb8849fe4f71 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Aug 2021 10:04:36 -0700 Subject: [PATCH 24/33] Update account-lockout-duration.md --- .../security-policy-settings/account-lockout-duration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 859332a9a4..be2c2f115a 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 08/16/2021 ms.technology: mde --- From ad18a586a0d80d3fe2ba335b4dc8343f20c9fa33 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 16 Aug 2021 10:08:00 -0700 Subject: [PATCH 25/33] Update create-wmi-filters-for-the-gpo.md --- .../create-wmi-filters-for-the-gpo.md | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index e69a6c0c78..78d50e3732 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/25/2017 +ms.date: 08/16/2021 ms.technology: mde --- 
@@ -40,17 +40,15 @@ First, create the WMI filter and configure it to look for a specified version (o 1. Open the Group Policy Management console. -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**. +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then select **WMI Filters**. -3. Click **Action**, and then click **New**. +3. Select **Action**, and then select **New**. -4. In the **Name** text box, type the name of the WMI filter. - - >**Note:**  Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. +4. In the **Name** text box, type the name of the WMI filter. Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. 5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description. -6. Click **Add**. +6. Select **Add**. 7. Leave the **Namespace** value set to **root\\CIMv2**. @@ -92,9 +90,9 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3" ``` -9. Click **OK** to save the query to the filter. +9. Select **OK** to save the query to the filter. -10. Click **Save** to save your completed filter. +10. Select **Save** to save your completed filter. > [!NOTE] > If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied. 
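Review bot: the sample query in this hunk's context, `select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3"`, matches more than a reader may expect: Windows 11 and Windows Server 2016, 2019 and 2022 all report a 10.0.x Version, and according to the earlier change to this page Windows 10 multi-session hosts also report ProductType 3. Since this editorial pass touches the surrounding steps, add one sentence stating what the filter actually selects. The preserved NOTE that all queries in one filter must return TRUE is correct and worth keeping next to the query.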
@@ -105,8 +103,8 @@ After you have created a filter with the correct query, link the filter to the G 1. Open the Group Policy Management console. -2. In the navigation pane, find and then click the GPO that you want to modify. +2. In the navigation pane, find and then select the GPO that you want to modify. 3. Under **WMI Filtering**, select the correct WMI filter from the list. -4. Click **Yes** to accept the filter. +4. Select **Yes** to accept the filter. From 46c9c72781506e6ffee683915f1e626801a17f63 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 16 Aug 2021 10:16:53 -0700 Subject: [PATCH 26/33] Update microsoft-recommended-driver-block-rules.md --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 82728672e6..60312b011c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -29,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. From b5f7a74d60add25029357295fc7510b102654adf Mon Sep 17 00:00:00 2001 
From: Diana Hanson Date: Mon, 16 Aug 2021 12:09:08 -0600 Subject: [PATCH 27/33] Raise acro score Sync pr https://github.com/MicrosoftDocs/windows-docs-pr/pull/5516 --- .../microsoft-recommended-driver-block-rules.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 60312b011c..f85b75d3ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -24,15 +24,15 @@ ms.date: - Windows 10 - Windows Server 2016 and above -Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: +Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: - Hypervisor-protected code integrity (HVCI) enabled devices - Windows 10 in S mode (S mode) devices -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. 
Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. > [!Note] -> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. +> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. ```xml From 9246431b81b6a7781d1ab57f52fc0eae8c0fc961 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 16 Aug 2021 15:20:09 -0700 Subject: [PATCH 28/33] Removed a period that followed a question mark --- .../tpm/trusted-platform-module-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
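Review bot: the rewritten paragraph in the PATCH 27 hunk keeps the ungrammatical "can result in devices or software to malfunction"; since this is a wording pass, change it to "can cause devices or software to malfunction and, in rare cases, a blue screen". The first sentence also wants the article twice: "code running in the kernel" and "run malware in the kernel".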
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 248decde2f..5bbb8174ec 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -60,7 +60,7 @@ The TPM has several Group Policy settings that might be useful in certain enterp ## New and changed functionality -For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module). +For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module) ## Device health attestation From 6fb11f9ca0d09f62be836b12d033efe28c69320b Mon Sep 17 00:00:00 2001 From: Benoit Date: Wed, 18 Aug 2021 11:13:49 +0200 Subject: [PATCH 29/33] Update prepare-for-windows-deployment-with-mdt.md --- ...prepare-for-windows-deployment-with-mdt.md | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 4250054f65..0f57970c70 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md 
@@ -147,21 +147,9 @@ Switch to **DC01** and perform the following procedures on **DC01**: To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. -To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension. +Copy the following list of OU names and paths into a CSV file and save it as `~\Setup\Scripts\oulist.csv`. -```powershell -$oulist = Import-csv -Path c:\oulist.txt -ForEach($entry in $oulist){ - $ouname = $entry.ouname - $oupath = $entry.oupath - New-ADOrganizationalUnit -Name $ouname -Path $oupath - Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath" -} -``` - -Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt - -```text +```csv OUName,OUPath Contoso,"DC=CONTOSO,DC=COM" Accounts,"OU=Contoso,DC=CONTOSO,DC=COM" @@ -175,11 +163,20 @@ Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM" Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM" ``` -Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script: +Next, copy the following commands into a file and save it as `~\Setup\Scripts\ou.ps1`. Be sure that you are viewing file extensions and that you save the file with the `.ps1` extension. + +```powershell +Import-CSV -Path $home\Setup\Scripts\oulist.csv | ForEach-Object { + New-ADOrganizationalUnit -Name $_.ouname -Path $_.oupath + Write-Host -ForegroundColor Green "OU $($_.ouname) is created in the location $($_.oupath)" +} +``` + +Lastly, open an elevated Windows PowerShell prompt on DC01 and run the `ou.ps1` script: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Set-Location C:\Setup\Scripts +Set-Location $home\Setup\Scripts .\ou.ps1 ``` 
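Review bot: in the rewritten ou.ps1, `Write-Host ... is created` runs even when `New-ADOrganizationalUnit` fails, because its errors are non-terminating, so a missing parent OU or a typo in the CSV still prints a green success line; add `-ErrorAction Stop` to the cmdlet, or wrap the body in try/catch, so the message reflects the outcome. Two smaller points in the same hunk: the CSV must list parent OUs before their children (the sample does, starting with Contoso, and the sentence introducing it should say so), and `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force` persists a machine-wide policy change on the domain controller, where `Set-ExecutionPolicy RemoteSigned -Scope Process -Force` would limit it to this prompt. The move to `$home\Setup\Scripts` also fixes the old mismatch between the script reading `c:\oulist.txt` and the prose naming `C:\Setup\Scripts\oulist.txt`; the commit message should mention that.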
@@ -262,4 +259,4 @@ When you have completed all the steps in this section to prepare for deployment, The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. - [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. \ No newline at end of file +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. From f5d12be8ebd4963d37717eeaa14623775cee28ed Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Wed, 18 Aug 2021 08:56:40 -0700 Subject: [PATCH 30/33] add link for PCHealthCheck --- windows/whats-new/windows-11-plan.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 5af0900b7e..2aebecdb11 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay ms.author: greglin -ms.date: 06/24/2021 +ms.date: 08/18/2021 ms.reviewer: manager: laurawi ms.localizationpriority: high 
@@ -39,7 +39,7 @@ If you are looking for ways to optimize your approach to deploying Windows 11, o As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible. -Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the **PC Health Check** app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  +Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, end-users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. End-users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.  Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions. From 475706a412dd106f3f1d0b75cc8c7a8037ef6b96 Mon Sep 17 00:00:00 2001 
From: Diana Hanson Date: Wed, 18 Aug 2021 10:29:01 -0600 Subject: [PATCH 31/33] Fix Acro spelling Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5523 --- .../prepare-for-windows-deployment-with-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 0f57970c70..c1039d7404 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -32,7 +32,7 @@ The procedures in this guide use the following names and infrastructure. For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**. - All servers are running Windows Server 2019. - You can use an earlier version of Windows Server with minor modifications to some procedures. - - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide. + - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide. - **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation. - **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. 
@@ -209,7 +209,7 @@ The final result of either method is shown below. The **MDT_BA** account will be When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. -To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1": +To create an MDT build account, open an elevated Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1": ```powershell New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true From 157d7770c48a76c093c027148c1b5bb09cdc83e2 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Wed, 18 Aug 2021 12:08:36 -0700 Subject: [PATCH 32/33] Add AAD cache steps to policy information page --- .../mdm/policy-csp-mixedreality.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 9b9c05d03d..c31db7523d 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md 
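Review bot: the spelling fix in the MDT build account paragraph leaves the surrounding command publishing a literal password (`pass@word1`) for an account created with `-PasswordNeverExpires $true`; while the hunk is open, add a sentence telling readers to substitute their own value, and consider `-AccountPassword (Read-Host -AsSecureString)` in place of `ConvertTo-SecureString "pass@word1" -AsPlainText -Force` so the password is neither copied from a public page nor left in the shell history.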
@@ -40,6 +40,19 @@ manager: dansimp +Steps to use this policy correctly: + +1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). +1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s). + 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays + 1. The value can be between min / max allowed. +1. Enroll HoloLens devices and verify both configurations get applied to the device. +1. Let Azure AD user 1 sign-in when internet is available, once user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. Key point here is that any Azure AD user must sign-in to device using Internet so at least once we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. + +> [!NOTE] +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned in “disconnected” environments.
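Review bot: the NOTE added at the end of the hunk is missing its subject and an article: "Until step 4 is performed for a Azure AD user will experience failure behavior mentioned in “disconnected” environments." should read "Until step 4 is performed for an Azure AD user, that user will experience the failure behavior described for “disconnected” environments." In the steps above it, "The value can be between min / max allowed." gives the reader no numbers; state the actual allowed range (the lead sentence already says > 0). Since this policy controls how long cached Azure AD group membership is trusted, the steps should also say that removing a user from the kiosk group while the device is offline is not enforced until that user next signs in online, so the number of days chosen is the window in which a removed user keeps kiosk access; larger values trade offline convenience for slower revocation. Style: "sign-in" as a verb should be "sign in" throughout.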


From c9643685bb11934569968b084ae6e46b5595312c Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Wed, 18 Aug 2021 12:13:25 -0700 Subject: [PATCH 33/33] score 80 --- windows/client-management/mdm/policy-csp-mixedreality.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index c31db7523d..cdf909411f 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md 
@@ -47,12 +47,12 @@ Steps to use this policy correctly: 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays 1. The value can be between min / max allowed. 1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in when internet is available, once user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. 1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. Key point here is that any Azure AD user must sign-in to device using Internet so at least once we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. +1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted. > [!NOTE] -> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned in “disconnected” environments. +> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
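Review bot: the rewritten NOTE line is still ungrammatical after this change: "Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments." needs "an Azure", a comma after "user", and "mentioned similar to" replaced; suggest "> Until step 4 is performed for an Azure AD user, that user will experience the failure behavior described for “disconnected” environments." In the other edited line, "must sign-in to device using Internet at least once" should be "must sign in to the device over the Internet at least once", and "they are member of Azure AD group" should be "they are a member of the Azure AD group".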
