From cec5291c6f58ee577fe3ac8c18c26fc5a5d4d98c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 25 Jan 2022 13:07:19 +0530 Subject: [PATCH 01/13] Acrolinx enhancement effort --- .../privacy/manage-windows-1803-endpoints.md | 44 ++++++------ .../privacy/manage-windows-1809-endpoints.md | 70 +++++++++---------- 2 files changed, 57 insertions(+), 57 deletions(-) diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index fdc72f92e7..722d849e3d 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -41,7 +41,7 @@ We used the following methodology to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. As such no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. 
@@ -60,8 +60,8 @@ If you [turn off traffic to this endpoint](manage-connections-from-windows-opera The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. +If you disable the Microsoft store, other Store apps can't be installed or updated. +Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -70,7 +70,7 @@ Additionally, the Microsoft Store can't revoke malicious Store apps and users wi The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. +Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -80,7 +80,7 @@ Additionally, the Microsoft Store can't revoke malicious Store apps and users wi The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. -Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them. +Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -88,7 +88,7 @@ Additionally, the Microsoft Store can't revoke malicious Store apps and users wi The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. | Source process | Protocol | Destination | 
@@ -97,7 +97,7 @@ Additionally, the Microsoft Store can't revoke malicious Store apps and users ca The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. | Source process | Protocol | Destination | @@ -106,7 +106,7 @@ Additionally, the Microsoft Store can't revoke malicious Store apps and users ca The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them. | Source process | Protocol | Destination | 
@@ -192,14 +192,14 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | svchost | | cy2.vortex.data.microsoft.com.akadns.net | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. | Source process | Protocol | Destination | |----------------|----------|------------| | svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | The following endpoints are used by Windows Error Reporting. -To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -209,7 +209,7 @@ To turn off traffic for these endpoints, enable the following Group Policy: Admi ## Font streaming The following endpoints are used to download fonts on demand. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you won't be able to download fonts on demand. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -246,7 +246,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Microsoft account The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users can't sign in with Microsoft accounts. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -263,14 +263,14 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | | | *.wns.windows.com | The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |----------------|----------|------------| | | HTTP | storecatalogrevocation.storequality.microsoft.com | The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -278,7 +278,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | backgroundtransferhost | HTTPS | store-images.microsoft.com | The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -318,7 +318,7 @@ If you turn off traffic for these endpoints, users won't be able to save documen |----------------|----------|------------| | system32\Auth.Host.exe | HTTPS | outlook.office365.com | -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -334,7 +334,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device won't able to get OneDrive for Business app updates. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -365,7 +365,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Skype -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -376,7 +376,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o ## Windows Defender The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device won't use Cloud-based Protection. | Source process | Protocol | Destination | |----------------|----------|------------| @@ -393,7 +393,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op ## Windows Spotlight The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -406,7 +406,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op ## Windows Update The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction. | Source process | Protocol | Destination | |----------------|----------|------------| 
@@ -421,7 +421,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | svchost | HTTP | *.dl.delivery.mp.microsoft.com | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. | Source process | Protocol | Destination | |----------------|----------|------------| diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index f2b61aed53..db9e899fea 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -39,10 +39,10 @@ Where applicable, each endpoint covered in this topic includes a link to specifi We used the following methodology to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using an IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] @@ -62,7 +62,7 @@ If you [turn off traffic to this endpoint](manage-connections-from-windows-opera The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | 
@@ -71,7 +71,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | @@ -81,7 +81,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | 
@@ -90,7 +90,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | @@ -99,7 +99,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | 
@@ -108,7 +108,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). -If you disable the Microsoft store, other Store apps cannot be installed or updated. +If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. | Source process | Protocol | Destination | 
@@ -135,21 +135,21 @@ To turn off traffic for this endpoint [disable the Microsoft Store](manage-conne ## Cortana and Search The following endpoint is used to get images that are used for Microsoft Store suggestions. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | searchui | HTTPS | `store-images.s-microsoft.com` | The following endpoint is used to update Cortana greetings, tips, and Live Tiles. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | backgroundtaskhost | HTTPS | `www.bing.com/client` | The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. 
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -164,11 +164,11 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. -Additionally, it is used to download certificates that are publicly known to be fraudulent. +Additionally, it's used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. -We do not recommend blocking this endpoint. +We don't recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. | Source process | Protocol | Destination | 
@@ -178,7 +178,7 @@ If traffic to this endpoint is turned off, Windows no longer automatically downl ## Device authentication The following endpoint is used to authenticate a device. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device won't be authenticated. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| @@ -187,7 +187,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Device metadata The following endpoint is used to retrieve device metadata. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata won't be updated for the device. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -197,21 +197,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Diagnostic Data The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | svchost | | `cy2.vortex.data.microsoft.com.akadns.net` | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | svchost | HTTPS | `v10.vortex-win.data.microsoft.com/collect/v1` | The following endpoints are used by Windows Error Reporting. 
-To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| @@ -240,7 +240,7 @@ To turn off traffic for this endpoint, disable the Windows License Manager Servi ## Location The following endpoint is used for location data. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps can't use location data. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| @@ -250,7 +250,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Maps The following endpoint is used to check for updates to maps that have been downloaded for offline use. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps won't be updated. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -259,7 +259,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Microsoft account The following endpoints are used for Microsoft accounts to sign in. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users can't sign in with Microsoft accounts. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -279,14 +279,14 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | | HTTPS | `*.wns.windows.com` | The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. -To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | | HTTP | `storecatalogrevocation.storequality.microsoft.com` | The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| @@ -294,7 +294,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | backgroundtransferhost | HTTPS | `store-images.microsoft.com` | The following endpoints are used to communicate with Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -306,7 +306,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op ## Network Connection Status Indicator (NCSI) Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet, and the icon denoting the network status tray will show a warning. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
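Review bot: in the NCSI hunk (@@ -306) the rewrite "the icon denoting the network status tray will show a warning" is less accurate than the sentence it replaces, "the network status tray icon will show a warning": the warning overlay is drawn on the network status icon that lives in the tray, not on something that denotes the tray. Suggest "NCSI won't be able to determine if the device is connected to the Internet, and the network status icon in the system tray will show a warning."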
@@ -336,7 +336,7 @@ If you turn off traffic for these endpoints, users won't be able to save documen |:--------------:|:--------:|:------------| | system32\Auth.Host.exe | HTTPS | `outlook.office365.com` | -The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -359,7 +359,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper | onedrive | HTTP \ HTTPS | `g.live.com/1rewlive5skydrive/ODSUProduction` | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). -To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device won't be able to get OneDrive for Business app updates. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -390,7 +390,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Skype -The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -401,14 +401,14 @@ The following endpoint is used to retrieve Skype configuration values. To turn o ## Windows Defender The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device won't use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | | | `wdcp.microsoft.com` | The following endpoints are used for Windows Defender definition updates. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions won't be updated. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -427,7 +427,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op ## Windows Spotlight The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, and suggested apps, Microsoft account notifications, and Windows tips. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| 
@@ -440,14 +440,14 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op ## Windows Update The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in redownloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in redownloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| | svchost | HTTPS | `*.prod.do.dsp.mp.microsoft.com` | The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device wón't be able to download updates for the operating system. 
| Source process | Protocol | Destination | |:--------------:|:--------:|:------------| @@ -455,7 +455,7 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | svchost | HTTP | `*.dl.delivery.mp.microsoft.com` | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. -If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| From be699d64a687406a8f754b59b05df4582fcd364b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 25 Jan 2022 17:18:15 +0530 Subject: [PATCH 02/13] Acrolinx score enhancement --- .../credential-guard-known-issues.md | 6 +-- .../enterprise-certificate-pinning.md | 48 +++++++++---------- .../vpn/vpn-profile-options.md | 2 +- .../bitlocker-network-unlock-faq.yml | 5 +- ...-monitor-dynamic-access-control-objects.md | 10 ++-- ...ort-advanced-audit-policy-configuration.md | 4 +- .../cybersecurity-industry-partners.md | 4 +- .../intelligence/malware-naming.md | 10 ++-- ...dit-the-access-of-global-system-objects.md | 16 +++---- ...events-centrally-using-advanced-hunting.md | 4 +- ...sed-root-of-trust-helps-protect-windows.md | 2 +- ...-guard-secure-launch-and-smm-protection.md | 4 +- 12 files changed, 57 insertions(+), 58 deletions(-) 
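Review bot: the @@ -440 hunk introduces a typo in the Windows Update section, "the device wón't be able to download updates for the operating system" (accented ó in "won't"), which a reader will see verbatim. It should read "the device won't be able to download updates for the operating system."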
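Review bot: the @@ -455 hunk only contracts the first of the two "will not" phrases on the line and leaves "Also, the device will not be able to acquire and update apps from the Store." unchanged, so the sentence pair is now inconsistent within itself. For consistency with the rest of this patch, change the second one as well: "Also, the device won't be able to acquire and update apps from the Store."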
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 0f5e251a7f..f449e5044d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -72,7 +72,7 @@ The following issue affects the Java GSS API. See the following Oracle bug datab - [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) -When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following issue affects Cisco AnyConnect Secure Mobility Client: 
@@ -106,7 +106,7 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated See the following article on Citrix support for Secure Boot: - [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) -Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions: +Windows Defender Credential Guard isn't supported by either these products, products versions, computer systems, or Windows 10 versions: - For Windows Defender Credential Guard on Windows with McAfee Encryption products, see: [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009) 
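Review bot: in the @@ -106 hunk the touched line still carries two grammar problems that the contraction does not fix: "isn't supported by either these products, products versions, computer systems, or Windows 10 versions" uses "either" to introduce a four-item list, and "products versions" should be singular. Since the line is already being edited, suggest "Windows Defender Credential Guard isn't supported by the following products, product versions, computer systems, or Windows 10 versions:".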
@@ -123,6 +123,6 @@ Windows Defender Credential Guard is not supported by either these products, pro - For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) - This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. + This isn't a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index bef5c8651e..050b9e39c3 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md 
@@ -2,7 +2,7 @@ title: Enterprise Certificate Pinning ms.mktglfcycl: manage ms.sitesec: library -description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name. +description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name. audience: ITPro author: dulcemontemayor ms.author: dansimp 
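Review bot: the @@ -2 hunk changes the meaning of the page description. The original lists three things that can be pinned: "a root, issuing certificate authority, or end entity certificate". The new text "remembering; or pinning a root issuing certificate authority, or end entity certificate" replaces the comma after "remembering" with a semicolon, which is wrong for a parenthetical, and drops the comma after "root", which merges "root" and "issuing certificate authority" into one item. If the curly quotes were the Acrolinx complaint, replace them with straight quotes instead of removing the punctuation: "Enterprise certificate pinning is a Windows feature for remembering, or "pinning," a root, issuing certificate authority, or end entity certificate to a given domain name."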
@@ -22,15 +22,15 @@ ms.reviewer: **Applies to** - Windows 10 -Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name. +Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name. Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. > [!NOTE] > External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. -Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates. +Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s chain that authenticates servers matches a restricted set of certificates. These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers. -Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer. +Any site certificate that triggers a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer. > [!NOTE] > Enterprise Certificate Pinning feature triggering doesn't cause clients other than Microsoft Edge or Internet Explorer to block the connection. 
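Review bot: in the @@ -22 hunk, "check if the site's chain that authenticates servers matches a restricted set of certificates" loses the term of art; "server authentication certificate chain" refers to the chain of the certificate presented for server authentication (the Server Authentication EKU), and the rewrite reads as though the chain itself performs authentication. Keep the original wording: "check if the site's server authentication certificate chain matches a restricted set of certificates." In the same hunk, the first sentence drops both the quotation marks and the closing comma around the parenthetical, leaving "remembering, or pinning a root issuing certificate authority"; at minimum restore the comma: "remembering, or pinning, a root issuing certificate authority or end entity certificate".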
@@ -80,9 +80,9 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi | Attribute | Description | Required | |-----------|-------------|----------| -| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | -| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | -| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. | +| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, doesn't allow years and months. You represent the **NextUpdate** attribute as an XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | +| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which doesn't allow years and months.
If `none of the attributes are specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | +| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows doesn't use this attribute for certificate pinning enforcement; however, it's included when the pin rules are converted to a certificate trust list (CTL). | No. | #### PinRule Element @@ -90,9 +90,9 @@ The **PinRule** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| -| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.| -| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. | -| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. | +| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute isn't included in the generated certificate trust list (CTL). | Yes.| +| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate doesn't match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. | +| **Log** | A Boolean value represents a string that equals **true** or **false**. By default, logging is enabled (**true**). | No. | #### Certificate element @@ -100,9 +100,9 @@ The **Certificate** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| -| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). | -| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | -| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). | +| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). | +| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). | +| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). | | **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element @@ -111,8 +111,8 @@ The **Site** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| -| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
- Non-ASCII DNS name are converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| -| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*", it's removed.
- Non-ASCII DNS name is converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List @@ -137,7 +137,7 @@ The same certificate(s) can occur in multiple **PinRule** elements. The same domain can occur in multiple **PinRule** elements. Certutil coalesces these in the resultant pin rules certificate trust list. -Certutil.exe does not strictly enforce the XML schema definition. +Certutil.exe doesn't strictly enforce the XML schema definition. It does perform the following to enable other tools to add/consume their own specific elements and attributes: - Skips elements before and after the **PinRules** element. @@ -154,7 +154,7 @@ certutil -generatePinRulesCTL certPinRules.xml pinrules.stl ### Applying Certificate Pinning Rules to a Reference Computer Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise. -To simplify the deployment configuration, it is best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) that is include in the Remote Server Administration Tools (RSAT). +To simplify the deployment configuration, it's best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) included in the Remote Server Administration Tools (RSAT). Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument. The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules. 
@@ -181,14 +181,14 @@ Certutil writes the binary information to the following registration location: ### Deploying Enterprise Pin Rule Settings using Group Policy You’ve successfully created a certificate pinning rules XML file. -From the XML file you have created a certificate pinning trust list file, and you have applied the contents of that file to your reference computer from which you can run the Group Policy Management Console. +From the XML file you've created a certificate pinning trust list file, and you've applied the contents of that file to your reference computer from which you can run the Group Policy Management Console. Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment. Sign-in to the reference computer using domain administrator equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) 2. In the navigation pane, expand the forest node and then expand the domain node. -3. Expand the node that has contains your Active Directory’s domain name +3. Expand the node that contains your Active Directory’s domain name 4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**. 5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**. 6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**. 
@@ -222,7 +222,7 @@ To assist in constructing certificate pinning rules, you can configure the **Pin ### Permission for the Pin Rule Log Folder The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access. -You can run the following commands from an elevated command prompt to achieved the proper permissions. +You can run the following commands from an elevated command prompt to achieve the proper permissions. ```code set PinRulesLogDir=c:\PinRulesLog @@ -242,13 +242,13 @@ Whenever an application verifies a TLS/SSL certificate chain that contains a ser - NoPinRules Didn’t match any site in the certificate pin rules. -The output file name consists of the leading 8 ASCII hex digits of the root’s SHA1 thumbprint followed by the server name. +The output file name consists of the leading eight ASCII hex digits of the root’s SHA1 thumbprint followed by the server name. For example: - D4DE20D0_xsi.outlook.com.p7b - DE28F4A4_www.yammer.com.p7b -If there is either an enterprise certificate pin rule or Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder. +If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder. If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder. ## Representing a Date in XML @@ -270,7 +270,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s ## Converting an XML Date -You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date. +You can also use Windows PowerShell to validate and convert an XML date into a human readable date to validate it’s the correct date. ![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png) 
@@ -284,7 +284,7 @@ You can use Windows PowerShell to properly format and validate durations (timesp ## Converting an XML Duration -You can convert a XML formatted timespan into a timespan variable that you can read. +You can convert an XML formatted timespan into a timespan variable that you can read. ![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 16ce6d3e88..cca873649e 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -50,7 +50,7 @@ The following table lists the VPN settings and whether the setting can be config > [!NOTE] > VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used. -The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that are not yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article. +The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article. ## Sample Native VPN profile diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index 9828c35058..c909c07339 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml 
@@ -30,11 +30,10 @@ sections: answer: | BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. - To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. + To use Network Unlock you must also have a PIN configured for your computer. When your computer isn't connected to the network you'll need to provide the PIN to unlock it. BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. - Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is - not available you will need to use the recovery key to unlock the computer if it can not be connected to the network. + Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt you to enter your PIN. If the PIN isn't available, you'll need to use the recovery key to unlock the computer if it can't be connected to the network. 
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index fe06c5d1a4..e91e703325 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
@@ -35,12 +35,12 @@ Domain administrators can create and deploy expression-based security audit poli | - | - | | [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. | | [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. | -| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.| +| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.| | [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. 
| -| [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. | -| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. | -| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. | -| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.| +| [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you're using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. 
| +| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. | +| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.| >**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 7917a249c2..b6c73ba668 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -22,6 +22,6 @@ ms.technology: windows-sec Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. -There is no difference in security auditing support between 32-bit and 64-bit versions. -Windows editions that cannot join a domain, such as Windows 10 Home edition, do not have access to these features. +There's no difference in security auditing support between 32-bit and 64-bit versions. +Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features. 
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 6280b25772..86d39e9fb3 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -1,7 +1,7 @@ --- title: Industry collaboration programs ms.reviewer: -description: Microsoft industry-wide anti-malware collaboration programs - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) +description: There are various collaborative programs regarding Microsoft industry-wide anti-malware - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) keywords: security, malware, antivirus industry, anti-malware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships ms.prod: m365-security ms.mktglfcycl: secure @@ -17,7 +17,7 @@ ms.technology: windows-sec --- # Industry collaboration programs -Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or help disrupting the malware ecosystem. +There are various industry-wide collaboration programs with different objectives and requirements, provided by Microsoft. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or help disrupting the malware ecosystem. ## Virus Information Alliance (VIA) 
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index d8c17ef82c..2174fb9d8d 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -35,12 +35,12 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd * Constructor * DDoS * Exploit -* Hacktool +* HackTool * Joke * Misleading * MonitoringTool * Program -* PWS +* Personal Web Server (PWS) * Ransom * RemoteAccess * Rogue @@ -62,7 +62,7 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd ## Platforms -Platforms indicate the operating system (such as Windows, masOS X, and Android) the malware is designed to work on. The platform is also used to indicate programming languages and file formats. +Platforms guide the malware to its compatible operating system (such as Windows, masOS X, and Android). The platform's guidance is also used for programming languages and file formats. ### Operating systems @@ -144,7 +144,7 @@ Platforms indicate the operating system (such as Windows, masOS X, and Android) * MIME: MIME packets * Netware: Novell Netware files * QT: Quicktime files -* SB: StarBasic (Staroffice XML) files +* SB: StarBasic (StarOffice XML) files * SWF: Shockwave Flash files * TSQL: MS SQL server files * XML: XML files 
@@ -159,7 +159,7 @@ Used sequentially for every distinct version of a malware family. For example, t ## Suffixes -Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T. +Provides extra detail about the malware, including how it's used as part of a multicomponent threat. In the preceding example, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T. * .dam: damaged malware * .dll: Dynamic Link Library component of a malware diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index f22bcd4c5d..912d844e7c 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -1,6 +1,6 @@ --- -title: Audit Audit the access of global system objects (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. +title: Audit the access of global system objects (Windows 10) +description: Describes the best practices, location, values, and security considerations for the audit of the access to global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 ms.reviewer: ms.author: dansimp 
@@ -29,11 +29,11 @@ Describes the best practices, location, values, and security considerations for If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](../auditing/basic-audit-object-access.md) audit setting, access to these system objects is audited. -Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created. +Global system objects, also known as "base system objects" or "base named objects", are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they don't have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they're created. -The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. 
For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low. +The threat is that a globally visible-named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low. -Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, it is unlikely that many organizations could benefit from enabling this policy setting. +Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there's no way to filter which events get recorded and which don't. 
Even if an organization has the resources to analyze events generated when this policy setting is enabled, it's unlikely to have the source code or a description of what each named object is used for; therefore, it's unlikely that many organizations could benefit from enabling this policy setting. ### Possible values @@ -53,7 +53,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO | Default value | +| Server type or Group Policy Object (GPO) | Default value | | - | - | | Default Domain Policy | Not defined | | Default Domain Controller Policy | Not defined | @@ -76,7 +76,7 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep ### Auditing -To audit attempts to access global system objects, you can use one of two security audit policy settings: +To audit the attempts to access global system objects, you can use one of the two security audit policy settings: - [Audit Kernel Object](../auditing/audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access - [Audit Object Access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy 
@@ -119,7 +119,7 @@ Enable the **Audit: Audit the access of global system objects** setting. ### Potential impact -If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting are not likely to have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting. +If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there's no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting aren't likely to have the source code or a description of what each named object is used for. Therefore, it's unlikely that most organizations would benefit by enabling this policy setting. To reduce the number of audit events generated, use the advanced audit policy. ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index f5f01d8caa..292e2f4077 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -28,7 +28,7 @@ In November 2018, we added functionality in Microsoft Defender for Endpoint that Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. This capability is supported beginning with Windows version 1607. -Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: +Here's a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: ``` DeviceEvents 
@@ -41,6 +41,6 @@ ActionType startswith "AppControl" The query results can be used for several important functions related to managing WDAC including: - Assessing the impact of deploying policies in audit mode - Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. + Since applications still run in audit mode, it's an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real-world usage. This audit mode data will help streamline the transition to using policies in enforced mode. - Monitoring blocks from policies in enforced mode Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 15c64d432d..f031321396 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -67,7 +67,7 @@ To defend against this, two techniques are used: - Paging protection to prevent inappropriate access to code and data - SMM hardware supervision and attestation -Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that has not been assigned. +Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned. A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to. diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index bf7d7d7de2..8118710283 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -78,7 +78,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| |Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| |Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| |SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | 
@@ -99,4 +99,4 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | > [!NOTE] -> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). +> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). From 16b07f21404f1ff45dde14561d0082ee4a3e60ab Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 28 Jan 2022 12:35:51 +0530 Subject: [PATCH 03/13] Windows Security App Notification Update Added a column with associated notifications toggle information as per Task :5650791 --- .../wdsc-hide-notifications.md | 94 +++++++++---------- 1 file changed, 46 insertions(+), 48 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index a58b61c3b1..4b010e206c 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
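Review bot: In the system-guard-secure-launch-and-smm-protection.md hunk at @@ -78,7 +78,7 @@, the 64-bit CPU row is being reworded anyway, so fix the two remaining grammar slips on that line as well: "A 64-bit computer with minimum four cores" should read "A 64-bit computer with a minimum of four cores", and "For more information about hypervisor" should read "For more information about the hypervisor".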
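Review bot: In the same file's hunk at @@ -99,4 +99,4 @@, the note still says "For more information around AMD processors"; the Acrolinx pass swapped "details" for "information" but left "around", which is the wording that should have changed. Suggest "> For more information about AMD processors, see ..." so the phrasing matches the other "For more information about ..." links on this page.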
@@ -91,54 +91,52 @@ This can only be done in Group Policy. > You can use the following registry key and DWORD value to **Hide not-critical notifications**. >**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableEnhancedNotifications"=dword:00000001** - - ## Notifications -| Purpose | Notification text | Toast Identifier | Critical? | -|---------|------------------|-------------|-----------| -| Network isolation | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk. | SENSE_ISOLATION | Yes | -| Network isolation customized | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_. | SENSE_ISOLATION_CUSTOM (body) | Yes | -| Restricted access | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION | Yes | -| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes | -| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes | -| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes | -| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes | -| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes | -| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. 
Restart and scan | MANUALSTEPS_REQUIRED | Yes | -| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes | -| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes | -| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes | -| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes | -| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes | -| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No | -| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No | -| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No | -| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No | -| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. 
| RECENT_SCAN_FOUND_THREATS | No | -| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. | RECENT_SCAN_NO_THREATS | No | -| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No | -| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No | -| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No | -| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No | -| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No | -| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No | -| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No | -| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No | -| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED_CUSTOM (body) | No | -| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No | -| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. 
| HIPS_NETWORK_BLOCKED_CUSTOM (body) | No | -| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No | -| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No | -| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No | -| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED_CUSTOM (body) | No | -| Network isolation ended | | | No | -| Network isolation ended, customized | | | No | -| Restricted access ended | | | No | -| Restricted access ended, customized | | | No | -| Dynamic lock on, but bluetooth off | | | No | -| Dynamic lock on, bluetooth on, but device unpaired | | | No | -| Dynamic lock on, bluetooth on, but unable to detect device | | | No | -| NoPa or federated no hello | | | No | -| NoPa or federated hello broken | | | No | \ No newline at end of file +| Purpose | Notification text | Toast Identifier | Critical? |Notification Toggle| +|---------|------------------|-------------|-----------|---------| +| Network isolation | Your IT administrator has caused Windows Defender to disconnect your device. Contact IT help desk. | SENSE_ISOLATION | Yes |Firewall and network protection notification| +| Network isolation customized | _Company name_ has caused Windows Defender to disconnect your device. Contact IT help desk _phone number_, _email address_, _url_. | SENSE_ISOLATION_CUSTOM (body) | Yes |Firewall and network protection notification| +| Restricted access | Your IT administrator has caused Windows Defender to limit actions on this device. Some apps may not function as expected. 
Contact IT help desk. | SENSE_PROCESS_RESTRICTION | Yes |Firewall and network protection notification| +| Restricted access customized | _Company_ has caused Windows Defender to limit actions on this device. Some apps may not function as expected. Contact IT help desk. | SENSE_PROCESS_RESTRICTION_CUSTOM (body) | Yes |Firewall and network protection notification| +| HVCI, driver compat check fails (upon trying to enable) | There may be an incompatibility on your device. | HVCI_ENABLE_FAILURE | Yes |Firewall and network protection notification| +| HVCI, reboot needed to enable | The recent change to your protection settings requires a restart of your device. | HVCI_ENABLE_SUCCESS | Yes |Firewall and network protection notification| +| Item skipped in scan, due to exclusion setting, or network scanning disabled by admin | The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings. | ITEM_SKIPPED | Yes |Virus & threat protection notification| +| Remediation failure | Microsoft Defender Antivirus couldn’t completely resolve potential threats. | CLEAN_FAILED | Yes |Virus & threat protection notification| +| Follow-up action (restart & scan) | Microsoft Defender Antivirus found _threat_ in _file name_. Please restart and scan your device. Restart and scan | MANUALSTEPS_REQUIRED | Yes |Virus & threat protection notification| +| Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Please restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification| +| Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Please run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification| +| Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. 
| SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification| +| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification| +| OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification| +| Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification| +| Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification| +| Summary notification, **no** items found, scans performed | Microsoft Defender Antivirus did not find any threats since your last summary. Your device was scanned _n_ times. | RECAP_NO THREATS_SCANNED | No |Virus & threat protection notification| +| Summary notification, **no** items found, no scans | Microsoft Defender Antivirus did not find any threats since your last summary. | RECAP_NO_THREATS | No |Virus & threat protection notification| +| Scan finished, manual, threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_, and took action against threats. | RECENT_SCAN_FOUND_THREATS | No |Virus & threat protection notification| +| Scan finished, manual, **no** threats found | Microsoft Defender Antivirus scanned your device at _timestamp_ on _date_. No threats were found. 
| RECENT_SCAN_NO_THREATS | No |Virus & threat protection notification| +| Threat found | Microsoft Defender Antivirus found threats. Get details. | CRITICAL | No |Virus & threat protection notification| +| LPS on notification | Microsoft Defender Antivirus is periodically scanning your device. You’re also using another antivirus program for active protection. | PERIODIC_SCANNING_ON | No |Virus & threat protection notification| +| Long running BaFS | Your IT administrator requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS | No |Firewall and network protection notification| +| Long running BaFS customized | _Company_ requires a security scan of this item. The scan could take up to _n_ seconds. | BAFS_DETECTED_CUSTOM (body) | No |Firewall and network protection notification| +| Sense detection | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED | No |Firewall and network protection notification| +| Sense detection customized | This application was removed because it was blocked by your IT security settings | WDAV_SENSE_DETECTED_CUSTOM (body) | No |Firewall and network protection notification| +| Ransomware specific detection | Microsoft Defender Antivirus has detected threats which may include ransomware. | WDAV_RANSOMWARE_DETECTED | No |Virus & threat protection notification| +| ASR (HIPS) block | Your IT administrator caused Windows Defender Security Center to block this action. Contact your IT help desk. | HIPS_ASR_BLOCKED | No |Firewall and network protection notification| +| ASR (HIPS) block customized | _Company_ caused Windows Defender Security Center to block this action. Contact your IT help desk. 
| HIPS_ASR_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification| +| CFA (FolderGuard) block | Controlled folder access blocked _process_ from making changes to the folder _path_ | FOLDERGUARD_BLOCKED | No |Firewall and network protection notification| +| Network protect (HIPS) network block customized | _Company_ caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification| +| Network protection (HIPS) network block | Your IT administrator caused Windows Defender Security Center to block this network connection. Contact your IT help desk. | HIPS_NETWORK_BLOCKED | No |Firewall and network protection notification| +| PUA detection, not blocked | Your settings cause the detection of any app that might perform unwanted actions on your computer. | PUA_DETECTED | No |Firewall and network protection notification| +| PUA notification | Your IT settings caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. | PUA_BLOCKED | No |Firewall and network protection notification| +| PUA notification, customized | _Company_ caused Microsoft Defender Antivirus to block an app that may potentially perform unwanted actions on your device. 
| PUA_BLOCKED_CUSTOM (body) | No |Firewall and network protection notification| +| Network isolation ended | | | No |Firewall and network protection notification| +| Network isolation ended, customized | | | No |Firewall and network protection notification| +| Restricted access ended | | | No |Firewall and network protection notification| +| Restricted access ended, customized | | | No |Firewall and network protection notification| +| Dynamic lock on, but bluetooth off | | | No |Account protection notification| +| Dynamic lock on, bluetooth on, but device unpaired | | | No |Account protection notification| +| Dynamic lock on, bluetooth on, but unable to detect device | | | No |Account protection notification| +| NoPa or federated no hello | | | No |Account protection notification| +| NoPa or federated hello broken | | | No |Account protection notification| \ No newline at end of file From 202430294be5841d5a9a93452553ba5480cbda13 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 4 Feb 2022 11:25:04 +0530 Subject: [PATCH 04/13] Create windowsautopilot-csp.md --- .../mdm/windowsautopilot-csp.md | 481 ++++++++++++++++++ 1 file changed, 481 insertions(+) create mode 100644 windows/client-management/mdm/windowsautopilot-csp.md diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md new file mode 100644 index 0000000000..58c79ec8dc --- /dev/null +++ b/windows/client-management/mdm/windowsautopilot-csp.md 
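Review bot: Please verify the values in the new "Notification Toggle" column for the HVCI, Long running BaFS, Sense detection, ASR (HIPS) block, CFA (FolderGuard) block and PUA rows, all of which are mapped to "Firewall and network protection notification". HVCI_ENABLE_FAILURE / HVCI_ENABLE_SUCCESS concern virtualization-based protection rather than the firewall, and the BaFS, ASR, controlled folder access and PUA rows describe Microsoft Defender Antivirus behaviour, so one would expect them under the "Virus & threat protection notification" toggle like the other antivirus rows in this table; the note above the table says the registry value controls "not-critical notifications", so a wrong toggle mapping here would send an admin to the wrong setting. While these rows are being rewritten, also fix the identifier "RECAP_NO THREATS_SCANNED" (space instead of underscore, which every other RECAP_ identifier uses) and add a trailing newline, since the hunk carries "\ No newline at end of file" on both the old and the new last line.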
@@ -0,0 +1,481 @@ +--- +title: WindowsAutoPilot CSP +description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. +ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.date: 08/15/2018 +--- + +# WindowsAutoPilot CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices. + +The following shows the WindowsLicensing configuration service provider in tree format. + +```console +./Vendor/MSFT +WindowsLicensing +----UpgradeEditionWithProductKey +----ChangeProductKey +----Edition +----Status +----LicenseKeyType +----CheckApplicability +----ChangeProductKey (Added in Windows 10, version 1703) +----Subscriptions (Added in Windows 10, version 1607) +--------SubscriptionId (Added in Windows 10, version 1607) +------------Status (Added in Windows 10, version 1607) +------------Name (Added in Windows 10, version 1607) +----SMode (Added in Windows 10, version 1809) +--------SwitchingPolicy (Added in Windows 10, version 1809) +--------SwitchFromSMode (Added in Windows 10, version 1809) +--------Status (Added in Windows 10, version 1809) +``` +**./Device/Vendor/MSFT/WindowsLicensing** +This is the root node for the WindowsLicensing configuration service provider. + +The supported operation is Get. 
+ +**UpgradeEditionWithProductKey** +Enters a product key for an edition upgrade of Windows 10 desktop devices. + +> [!NOTE] +> This upgrade process requires a system restart. + + + +The date type is a chr. + +The supported operation is Exec. + +When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +> [!IMPORTANT] +> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. + + + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key does not require a reboot and is a silent process for the user. + +> [!IMPORTANT] +> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. 
The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. + + + +The following are valid edition upgrade paths when using this node through an MDM: + +- Windows 10 Enterprise to Windows 10 Education +- Windows 10 Home to Windows 10 Education +- Windows 10 Pro to Windows 10 Education +- Windows 10 Pro to Windows 10 Enterprise + +Activation or changing a product key can be carried out on the following editions: + +- Windows 10 Education +- Windows 10 Enterprise +- Windows 10 Home +- Windows 10 Pro + +**Edition** +Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + +The data type is an Int. + +The supported operation is Get. + +**Status** +Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values: + +- 0 = Failed +- 1 = Pending +- 2 = In progress +- 3 = Completed +- 4 = Unknown + +The data type is an Int. + +The supported operation is Get. + + + +**LicenseKeyType** +Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. + +- Windows 10 client devices require a product key. + +The data type is a chr. + +The supported operation is Get. + +**CheckApplicability** +Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices. + +The data type is a chr. + +The supported operation is Exec. + +**ChangeProductKey** +Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot. + +The data type is a chr. + +The supported operation is Execute. + +**Subscriptions** +Added in Windows 10, version 1607. Node for subscriptions. 
+ +**Subscriptions/SubscriptionId** +Added in Windows 10, version 1607. Node for subscription IDs. + +**Subscriptions/SubscriptionId/Status** +Added in Windows 10, version 1607. Returns the status of the subscription. + +The data type is an Int. + +The supported operation is Get. + +**Subscriptions/SubscriptionId/Name** +Added in Windows 10, version 1607. Returns the name of the subscription. + +The data type is a chr. + +The supported operation is Get. + +**SMode** +Interior node for managing S mode. + +**SMode/SwitchingPolicy** +Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + +Supported values: +- 0 - No Restriction: The user is allowed to switch the device out of S mode. +- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. + +**SMode/SwitchFromSMode** +Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) + +Supported operation is Execute. + +**SMode/Status** +Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) + +Value type is integer. Supported operation is Get. + +Values: +- Request fails with error code 404 - no SwitchFromSMode request has been made. 
+- 0 - The device successfully switched out of S mode +- 1 - The device is processing the request to switch out of S mode +- 3 - The device was already switched out of S mode +- 4 - The device failed to switch out of S mode + +## SyncML examples + + +**CheckApplicability** + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/CheckApplicability + + + chr + + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + + + + +``` + +> [!NOTE] +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. + + + +**Edition** + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/Edition + + + + + + +``` + +**LicenseKeyType** + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/LicenseKeyType + + + + + + +``` + +**Status** + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/Status + + + + + + +``` + +**UpgradeEditionWithProductKey** + +```xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey + + + chr + + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + + + + +``` + +> [!NOTE] +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. 
+ + + +**Get S mode status** + +```xml + + + + 6 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/Status + + + + + + + +``` + +**Execute SwitchFromSMode** + +```xml + + + + 5 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode + + + + null + text/plain + + + + + + + +``` + +**Add S mode SwitchingPolicy** + +```xml + + + + 4 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Get S mode SwitchingPolicy** + +```xml + + + + 2 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` + +**Replace S mode SwitchingPolicy** + +```xml + + + + 1 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Delete S mode SwitchingPolicy** + +```xml + + + + 3 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) From 90f7d7cb3c377141e16e2db51710ea0ab7444222 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 7 Feb 2022 10:53:15 +0530 Subject: [PATCH 05/13] Updated --- windows/client-management/mdm/toc.yml | 5 + .../mdm/windowsautopilot-csp.md | 466 +---------------- .../mdm/windowsautopilot-ddf-file.md | 483 ++++++++++++++++++ 3 files changed, 491 insertions(+), 463 deletions(-) create mode 100644 windows/client-management/mdm/windowsautopilot-ddf-file.md diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1b85a93de4..4bb300e18c 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml 
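Review bot: The new file in the @@ -0,0 +1,481 @@ hunk is the WindowsLicensing CSP page with only the title changed: the front matter description ("Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios."), the intro paragraph, the node tree rooted at ./Vendor/MSFT/WindowsLicensing, every node description and all of the SyncML examples document WindowsLicensing, not WindowsAutoPilot, and ms.date is still 08/15/2018. Nothing in the hunk describes the Autopilot CSP, so the page should not be merged in this form; replace the body with the WindowsAutopilot node tree, data types, supported operations and examples. If any of the licensing text is kept as a template, note that it also carries over a typo ("The date type is a chr." under UpgradeEditionWithProductKey should be "The data type is a chr.") and lists ChangeProductKey twice in the tree (once without and once with "Added in Windows 10, version 1703").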
@@ -963,6 +963,11 @@ items: items: - name: WindowsAdvancedThreatProtection DDF file href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutoPilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutoPilot DDF file + href: windowsautopilot-ddf.md - name: WindowsDefenderApplicationGuard CSP href: windowsdefenderapplicationguard-csp.md items: diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 58c79ec8dc..6b0b3f0b8e 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -4,12 +4,12 @@ description: Learn how the WindowsLicensing configuration service provider (CSP) ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: nimishasatapathy ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 08/15/2018 +ms.date: 02/07/2022 --- # WindowsAutoPilot CSP 
@@ -17,465 +17,5 @@ ms.date: 08/15/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices. +The WindowsAutopilot CSP collects hardware information about a device and formats it into a blob. This blob is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. -The following shows the WindowsLicensing configuration service provider in tree format. - -```console -./Vendor/MSFT -WindowsLicensing -----UpgradeEditionWithProductKey -----ChangeProductKey -----Edition -----Status -----LicenseKeyType -----CheckApplicability -----ChangeProductKey (Added in Windows 10, version 1703) -----Subscriptions (Added in Windows 10, version 1607) ---------SubscriptionId (Added in Windows 10, version 1607) -------------Status (Added in Windows 10, version 1607) -------------Name (Added in Windows 10, version 1607) -----SMode (Added in Windows 10, version 1809) ---------SwitchingPolicy (Added in Windows 10, version 1809) ---------SwitchFromSMode (Added in Windows 10, version 1809) ---------Status (Added in Windows 10, version 1809) -``` -**./Device/Vendor/MSFT/WindowsLicensing** -This is the root node for the WindowsLicensing configuration service provider. - -The supported operation is Get. - -**UpgradeEditionWithProductKey** -Enters a product key for an edition upgrade of Windows 10 desktop devices. 
- -> [!NOTE] -> This upgrade process requires a system restart. - - - -The date type is a chr. - -The supported operation is Exec. - -When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. - -After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. - -> [!IMPORTANT] -> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. - - - -If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. - -After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. - -This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key does not require a reboot and is a silent process for the user. - -> [!IMPORTANT] -> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. 
Your organization must have a Volume Licensing contract with Microsoft to access the portal. - - - -The following are valid edition upgrade paths when using this node through an MDM: - -- Windows 10 Enterprise to Windows 10 Education -- Windows 10 Home to Windows 10 Education -- Windows 10 Pro to Windows 10 Education -- Windows 10 Pro to Windows 10 Enterprise - -Activation or changing a product key can be carried out on the following editions: - -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Home -- Windows 10 Pro - -**Edition** -Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. - -The data type is an Int. - -The supported operation is Get. - -**Status** -Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values: - -- 0 = Failed -- 1 = Pending -- 2 = In progress -- 3 = Completed -- 4 = Unknown - -The data type is an Int. - -The supported operation is Get. - - - -**LicenseKeyType** -Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. - -- Windows 10 client devices require a product key. - -The data type is a chr. - -The supported operation is Get. - -**CheckApplicability** -Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices. - -The data type is a chr. - -The supported operation is Exec. - -**ChangeProductKey** -Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot. - -The data type is a chr. - -The supported operation is Execute. - -**Subscriptions** -Added in Windows 10, version 1607. Node for subscriptions. - -**Subscriptions/SubscriptionId** -Added in Windows 10, version 1607. Node for subscription IDs. 
- -**Subscriptions/SubscriptionId/Status** -Added in Windows 10, version 1607. Returns the status of the subscription. - -The data type is an Int. - -The supported operation is Get. - -**Subscriptions/SubscriptionId/Name** -Added in Windows 10, version 1607. Returns the name of the subscription. - -The data type is a chr. - -The supported operation is Get. - -**SMode** -Interior node for managing S mode. - -**SMode/SwitchingPolicy** -Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - -Supported values: -- 0 - No Restriction: The user is allowed to switch the device out of S mode. -- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. - -**SMode/SwitchFromSMode** -Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) - -Supported operation is Execute. - -**SMode/Status** -Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) - -Value type is integer. Supported operation is Get. - -Values: -- Request fails with error code 404 - no SwitchFromSMode request has been made. 
-- 0 - The device successfully switched out of S mode -- 1 - The device is processing the request to switch out of S mode -- 3 - The device was already switched out of S mode -- 4 - The device failed to switch out of S mode - -## SyncML examples - - -**CheckApplicability** - -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/CheckApplicability - - - chr - - XXXXX-XXXXX-XXXXX-XXXXX-XXXXX - - - - - -``` - -> [!NOTE] -> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. - - - -**Edition** - -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/Edition - - - - - - -``` - -**LicenseKeyType** - -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/LicenseKeyType - - - - - - -``` - -**Status** - -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/Status - - - - - - -``` - -**UpgradeEditionWithProductKey** - -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey - - - chr - - XXXXX-XXXXX-XXXXX-XXXXX-XXXXX - - - - - -``` - -> [!NOTE] -> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. 
- - - -**Get S mode status** - -```xml - - - - 6 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/Status - - - - - - - -``` - -**Execute SwitchFromSMode** - -```xml - - - - 5 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode - - - - null - text/plain - - - - - - - -``` - -**Add S mode SwitchingPolicy** - -```xml - - - - 4 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - int - text/plain - - 1 - - - - - -``` - -**Get S mode SwitchingPolicy** - -```xml - - - - 2 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - - - - -``` - -**Replace S mode SwitchingPolicy** - -```xml - - - - 1 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - int - text/plain - - 1 - - - - - -``` - -**Delete S mode SwitchingPolicy** - -```xml - - - - 3 - - - - ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy - - - - - - - -``` - -## Related topics - -[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md new file mode 100644 index 0000000000..56746c960a --- /dev/null +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md 
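Review bot: After this hunk the CSP article is reduced to the warning and one sentence, and everything that makes a CSP reference page usable is gone: no node tree under `./Vendor/MSFT`, no per-node data type and supported operations, and no SyncML example. The remaining sentence says the CSP "formats it into a blob" used "to mark a device as remediation required" but never names the node that returns that data, so an MDM author cannot act on it. At minimum, document the root node and the node that exposes the hardware blob, with their supported operations, in the same commit that removes the WindowsLicensing content. Note also the spelling mismatch: the body uses `WindowsAutopilot` while the title and `# WindowsAutoPilot CSP` heading use `WindowsAutoPilot`; pick one form for the whole page.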
@@ -0,0 +1,483 @@ +--- +title: WindowsAutoPilot DDF file +description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: dansimp +ms.date: 02/07/2022 +ms.reviewer: +manager: dansimp +--- + +# WindowsAutoPilot DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +This XML is for Windows 10, version 1809. + +```xml + +]> + + 1.2 + + WindowsDefenderApplicationGuard + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard + + + + Settings + + + + + + + + + + + + + + + + + + + AllowWindowsDefenderApplicationGuard + + + + + + + + + + + + + + + + + + text/plain + + + + + ClipboardFileType + + + + + + + + + + + + + + + + + + text/plain + + + + + ClipboardSettings + + + + + + + + + + + + + + + + + + text/plain + + + + + PrintingSettings + + + + + + + + + + + + + + + + + + text/plain + + + + + BlockNonEnterpriseContent + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPersistence + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowVirtualGPU + + + + + + + + + + + + + + + + + + text/plain + + + + + SaveFilesToHost + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustCriteria + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginRemovableMedia + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginNetworkShare + + + + + + 
+ + + + + + + + + + + + text/plain + + + + + FileTrustOriginMarkOfTheWeb + + + + + + + + + + + + + + + + + + text/plain + + + + + CertificateThumbprints + + + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCameraMicrophoneRedirection + + + + + + + + + + + + + + + + + + text/plain + + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + InstallWindowsDefenderApplicationGuard + + + + + + + + + + + + + + + + text/plain + + + + + Audit + + + + + + + + + + + + + + + + + + + AuditApplicationGuard + + + + + + + + + + + + + + + + + + text/plain + + + + + + +``` From 94da4d431bdeec7af6d2ffc4d5dd8b8ebe6c33cd Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 7 Feb 2022 11:12:03 +0530 Subject: [PATCH 06/13] Update windowsautopilot-csp.md --- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 6b0b3f0b8e..e1134594a8 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -4,7 +4,7 @@ description: Learn how the WindowsLicensing configuration service provider (CSP) ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 ms.reviewer: manager: dansimp -ms.author: nimishasatapathy +ms.author: v-nsatapathy ms.topic: article ms.prod: w10 ms.technology: windows From 33e8e7810130ee0d57a50e333ba850a62cd2488d Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 7 Feb 2022 11:17:55 +0530 Subject: [PATCH 07/13] Updated --- .../mdm/windowsautopilot-csp.md | 2 +- .../mdm/windowsautopilot-ddf-file.md | 465 ------------------ 2 files changed, 1 insertion(+), 466 deletions(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index e1134594a8..e13ba622fc 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md 
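Review bot: This new file is the WindowsDefenderApplicationGuard DDF page with only the title and H1 renamed. The `description:` line, the sentence "This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider", the line "This XML is for Windows 10, version 1809.", the root node `WindowsDefenderApplicationGuard` with `com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard`, and every child node (`AllowWindowsDefenderApplicationGuard`, `ClipboardSettings`, `CertificateThumbprints`, `Audit`, `AuditApplicationGuard`, ...) belong to Application Guard, not Autopilot. Publishing this under the Autopilot name would mislead administrators building MDM policies from it; replace the XML with the actual WindowsAutoPilot DDF and rewrite the surrounding prose to match.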
+++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -1,6 +1,6 @@ --- title: WindowsAutoPilot CSP -description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios. +description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index 56746c960a..a25906a591 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md 
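Review bot: The new `description:` ("Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.") is a justification for the feature, not a summary of the page, and this field is what appears in search results and link previews. Suggest something like "Learn how the WindowsAutoPilot CSP exposes Windows Autopilot related device information." The unchanged context line `ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6` is still the WindowsLicensing page's id and should be dropped or replaced in the same hunk.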
@@ -16,468 +16,3 @@ manager: dansimp > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). - -This XML is for Windows 10, version 1809. - -```xml - -]> - - 1.2 - - WindowsDefenderApplicationGuard - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard - - - - Settings - - - - - - - - - - - - - - - - - - - AllowWindowsDefenderApplicationGuard - - - - - - - - - - - - - - - - - - text/plain - - - - - ClipboardFileType - - - - - - - - - - - - - - - - - - text/plain - - - - - ClipboardSettings - - - - - - - - - - - - - - - - - - text/plain - - - - - PrintingSettings - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockNonEnterpriseContent - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPersistence - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVirtualGPU - - - - - - - - - - - - - - - - - - text/plain - - - - - SaveFilesToHost - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustCriteria - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginRemovableMedia - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginNetworkShare - - - - - - - - - - - - - - - - - - text/plain - - - - - FileTrustOriginMarkOfTheWeb - - - - - - - - - - - - - - - - - - text/plain - - - - - CertificateThumbprints - - - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCameraMicrophoneRedirection - - - - - - - - - - - - - - - - - - text/plain - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - 
InstallWindowsDefenderApplicationGuard - - - - - - - - - - - - - - - - text/plain - - - - - Audit - - - - - - - - - - - - - - - - - - - AuditApplicationGuard - - - - - - - - - - - - - - - - - - text/plain - - - - - - -``` From 012ae6a2c1a9ebb97fc80646b14a63fc1919f3f2 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 7 Feb 2022 11:21:20 +0530 Subject: [PATCH 08/13] Updated --- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- windows/client-management/mdm/windowsautopilot-ddf-file.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index e13ba622fc..99e3e1705a 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -17,5 +17,5 @@ ms.date: 02/07/2022 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WindowsAutopilot CSP collects hardware information about a device and formats it into a blob. This blob is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. +The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index a25906a591..e63343cd63 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md 
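Review bot: Removing the copied Application Guard DDF is the right call, but this hunk leaves windowsautopilot-ddf-file.md with only front matter and the prerelease warning, so the page is empty at this point in the series. Since a later commit adds the real WindowsAutopilot DDF, squash the removal and the addition together so no intermediate commit publishes an empty or wrong DDF page.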
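Review bot: Changing "blob" to "BLOB" in both sentences treats the word as an acronym; Microsoft docs style uses lowercase "blob" for a binary large object, so this hunk should be dropped. The sentence it edits also still doesn't name the node that returns the blob, which is the information the reader needs.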
+++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,6 +1,6 @@ --- title: WindowsAutoPilot DDF file -description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). +description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) . ms.author: dansimp ms.topic: article ms.prod: w10 From c85ee3f9f9bbccd2dbd8cd00fc85205ca978e4f9 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 16 Feb 2022 16:47:25 +0530 Subject: [PATCH 09/13] Updated --- .../mdm/windowsautopilot-csp.md | 7 +++ .../mdm/windowsautopilot-ddf-file.md | 58 +++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 99e3e1705a..c567125721 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -19,3 +19,10 @@ ms.date: 02/07/2022 The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. +**./Vendor/MSFT/WindowsAutopilot** + +Root node. Supported operation is Get. + +**HardwareMismatchRemediationData** + +Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot. 
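Review bot: The replacement `description:` for the DDF page is a run-on that still doesn't say what the page is: "Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) ." has a stray space before the final period, and a DDF file is not a CSP. Suggest "Learn about the OMA DM device description framework (DDF) for the WindowsAutoPilot configuration service provider (CSP)."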
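Review bot: `HardwareMismatchRemediationData` is labelled "Interior node" but the same sentence says it "returns it as an encoded string", and the DDF added in the companion hunk gives it a `text/plain` MIME type, which only leaf nodes carry; this should read as a leaf node with its data type stated in the usual form ("The data type is chr."). The root node entry `./Vendor/MSFT/WindowsAutopilot` is fine, but consider adding the tree-format listing and a Get SyncML example that the other CSP pages provide, since this is the only node an MDM will query.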
diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index e63343cd63..a07f24501d 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -16,3 +16,61 @@ manager: dansimp > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +```xml +WindowsAutopilot + ./Vendor/MSFT + + + + + These settings enable configuration of Windows Autopilot + + + + + + + + + + + com.microsoft/1.0/MDM/WindowsAutopilot + + + 99.9.99999, 10.0.19041.1202, 10.0.19042.1202, 10.0.19043.1202 + 1.0 + + + + + + + HardwareMismatchRemediationData + + + + + This data is used to remediate Autopilot hardware mismatches. + + + + + + + + + + + text/plain + + + + + + + +``` From 9afe72b471d4547dddac79d078995c058f3a7073 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 16 Feb 2022 23:01:12 +0530 Subject: [PATCH 10/13] Updated --- windows/client-management/mdm/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 4bb300e18c..ee13358bb5 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -967,7 +967,7 @@ items: href: windowsautopilot-csp.md items: - name: WindowsAutoPilot DDF file - href: windowsautopilot-ddf.md + href: windowsautopilot-ddf-file.md - name: WindowsDefenderApplicationGuard CSP href: windowsdefenderapplicationguard-csp.md items: 
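Review bot: The DDF fragment begins directly at the `WindowsAutopilot` node and omits the DTD reference and `1.2` DTD-version header that the Application Guard XML removed in the previous commit started with (`]>` and `1.2`), so it is a fragment rather than a complete DDF document and should be published in the same wrapper as the other CSP DDF pages. The applicability list `99.9.99999, 10.0.19041.1202, 10.0.19042.1202, 10.0.19043.1202` contains what looks like a placeholder version (`99.9.99999`); confirm it belongs in public docs, and add the "This XML is for Windows 10, version ..." line the other DDF pages carry so readers know the minimum builds. The intro also drops "OMA DM" from "device description framework (DDF)", unlike the sibling pages.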
From ff84bc678a48a3d214b6aa598b156378a507ff6e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 18 Feb 2022 10:28:16 +0530 Subject: [PATCH 11/13] Update windowsautopilot-csp.md --- windows/client-management/mdm/windowsautopilot-csp.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index c567125721..b50c42c129 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -17,7 +17,8 @@ ms.date: 02/07/2022 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. + +The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level. **./Vendor/MSFT/WindowsAutopilot** From aaf79669b91e7fb62d18cab653a9f425fd350dc4 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Sat, 19 Feb 2022 11:59:20 +1300 Subject: [PATCH 12/13] Minor formatting updates Corrected a couple of minor formatting issues. --- .../hello-for-business/hello-hybrid-cloud-trust.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
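Review bot: This hunk pastes the review instruction into the article instead of applying it: the new line keeps the old sentence and then continues `” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level.` Only the intended replacement sentence, "The WindowsAutopilot CSP exposes Windows Autopilot related device information.", should remain, without the curly quotes or the editor's rationale, and the extra blank line added above it is unnecessary.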
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 157f25c9bb..cd00383028 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -60,7 +60,7 @@ More details on how Azure AD Kerberos enables access to on-premises resources ar ### Unsupported Scenarios -The following scenarios aren't supported using Windows Hello for Business cloud trust. +The following scenarios aren't supported using Windows Hello for Business cloud trust: - On-premises only deployments - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) @@ -252,8 +252,8 @@ Windows Hello for Business cloud trust looks for a writeable DC to exchange the ### Do I need line of sight to a domain controller to use Windows Hello for Business cloud trust? Windows Hello for Business cloud trust requires line of sight to a domain controller for some scenarios: - - The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device. - - When attempting to access an on-premises resource from an Azure AD joined device. +- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device +- When attempting to access an on-premises resource from an Azure AD joined device ### Can I use RDP/VDI with Windows Hello for Business cloud trust? From 56f461f7e8aef81f9a95256a91f3f78e3500eaa8 Mon Sep 17 00:00:00 2001 
From: Evan Miller Date: Wed, 23 Feb 2022 09:13:03 -0800 Subject: [PATCH 13/13] SmartRetry case sensitive Adding updated info based on customer incident --- .../mdm/policy-csp-applicationmanagement.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 532d154577..3b6a634365 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -834,6 +834,9 @@ Value type is string. +> [!NOTE] +> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. + Sample SyncML: @@ -853,7 +856,7 @@ Sample SyncML:
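Review bot: In the new note, "case sensitive" used as a modifier should be hyphenated ("case-sensitive"), "For instance" needs a comma after it, and the example values should be in code formatting (`Daily`, `daily`) rather than curly quotes so the exact casing survives typography. Since the note says the wrong case makes SmartRetry fail to execute, it would help readers to list the accepted recurrence values with their exact casing next to the "Value type is string." line the note follows. The second hunk (`@@ -853,7 +856,7 @@ Sample SyncML:`) is truncated in this extract, so nothing can be said about it here.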