From 6c41b1c29b3cc45bca54e98877be46cebcf2029d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 25 May 2017 13:21:24 -0700 Subject: [PATCH 01/10] event 15 issue --- ...ot-onboarding-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 6e7445cde4..a43f5f374c 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -64,7 +64,7 @@ Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the endpoint is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). From 227049635a43ea2fe753716e6bae89d1b9a84032 Mon Sep 17 00:00:00 2001 From: Yusuf Ozturk Date: Mon, 29 May 2017 11:40:46 +0200 Subject: [PATCH 02/10] Typo fix for ICMP DoS Attack It is ICMP (Internet Control Message Protocol) DoS Attack. --- .../auditing/audit-other-object-access-events.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/device-security/auditing/audit-other-object-access-events.md b/windows/device-security/auditing/audit-other-object-access-events.md index 4501674589..ed9fe36ec9 100644 --- a/windows/device-security/auditing/audit-other-object-access-events.md +++ b/windows/device-security/auditing/audit-other-object-access-events.md @@ -22,9 +22,9 @@ Audit Other Object Access Events allows you to monitor operations with scheduled | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | -| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | -| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICMP DoS attack. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICMP DoS attack. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICMP DoS attack. | **Events List:** From 73bba26fd1acbe70fe43b71d07a8e66b5f516aa2 Mon Sep 17 00:00:00 2001 From: Yusuf Ozturk Date: Mon, 29 May 2017 11:46:03 +0200 Subject: [PATCH 03/10] Typo fix for ICMP DoS Attack Additional ICMP typo fix --- windows/device-security/auditing/event-5149.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/auditing/event-5149.md b/windows/device-security/auditing/event-5149.md index 24b3f6ab89..82a1d84b8e 100644 --- a/windows/device-security/auditing/event-5149.md +++ b/windows/device-security/auditing/event-5149.md @@ -15,7 +15,7 @@ author: Mir0sh - Windows Server 2016 -In most circumstances, this event occurs very rarely. It is designed to be generated when an ICPM DoS attack ended. +In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended. There is no example of this event in this document. From c8182dad774388bb60bfdd9466d37b7d4b748d42 Mon Sep 17 00:00:00 2001 From: Yusuf Ozturk Date: Mon, 29 May 2017 11:47:07 +0200 Subject: [PATCH 04/10] Typo fix for ICMP DoS Attack Additional ICMP typo fix --- windows/device-security/auditing/event-5148.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/auditing/event-5148.md b/windows/device-security/auditing/event-5148.md index 7751cd9686..305afcbee8 100644 --- a/windows/device-security/auditing/event-5148.md +++ b/windows/device-security/auditing/event-5148.md @@ -15,7 +15,7 @@ author: Mir0sh - Windows Server 2016 -In most circumstances, this event occurs very rarely. It is designed to be generated when an ICPM DoS attack starts or was detected. +In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected. There is no example of this event in this document. 
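Review bot: in PATCH 01/10, the updated event 15 row names the service state two different ways: the retained text says *'Pending_Stopped'*, *'Pending_Running'* while the added sentence says `sc query sense` returns `START_PENDING`. `sc query` reports STATE as `START_PENDING` or `STOP_PENDING`, so the first sentence should use those names too, e.g. "Make sure it's not in an intermediate state (`START_PENDING`, `STOP_PENDING`)". Two smaller points in the surrounding context: "System error 577 has occurred" is a quoted error message and should be set in backticks, and "Verify that the script was ran as an administrator" should read "was run". The event 10 row's registry path also appears cut off at `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat`, whereas the event 5 row ends in `Windows Advanced Threat Protection`; worth confirming which is intended.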
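Review bot: in PATCH 02/10, the ICPM → ICMP correction is applied consistently to all three rows; the phrase in those cells is missing an article and should read "a possible ICMP DoS attack", and each Comments cell spans two lines, which only renders inside a markdown table if the break is a `<br>` rather than a literal newline.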
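Review bot: in PATCH 03/10 and PATCH 04/10, the ICPM → ICMP fixes in event-5149.md and event-5148.md are correct; the same sentences have a tense mismatch that could be fixed in the same pass: "generated when an ICMP DoS attack ended" should be "has ended" (event 5149), and "starts or was detected" should be "starts or is detected" (event 5148).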
From a1e8502ea967be0a86900a2ddb6e1461c9371a0b Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 30 May 2017 15:25:19 -0700 Subject: [PATCH 05/10] TFS 11881906, Policy CSP and Configuration service provider topics, support for Windows 10 S --- ...onfiguration-service-provider-reference.md | 61 ++++++++++++++++++- ...ew-in-windows-mdm-enrollment-management.md | 16 +++++ .../policy-configuration-service-provider.md | 3 + 3 files changed, 78 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index b18d0daaf7..f92fff6839 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -13,7 +13,13 @@ author: nickbrower A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. -For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). See the [list of CSPs supported in Windows Holographic](#hololens) and the [list of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) for additional information. +For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). + +Additional lists: +- [List of CSPs supported in Windows Holographic](#hololens) +- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) +- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) +- [List of CSPs supported in Windows 10 S](#windows10s) The following tables show the configuration service providers support in Windows 10. 
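Review bot: the new bullet list links to `#iotcoresupport` and `#windows10s`, but the section added later in this patch is a plain `## CSPs supported in Windows 10 S` heading with no explicit `<a id="windows10s">` anchor, and no IoT Core section appears anywhere in the patch; confirm both anchors exist in the file, otherwise the two new links are dead. The link text `[List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport)` also carries a trailing space inside the brackets, carried over from the removed line.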
@@ -2426,4 +2432,55 @@ Footnotes: - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) - [Update CSP](update-csp.md) - [VPNv2 CSP](vpnv2-csp.md) -- [WiFi CSP](wifi-csp.md) \ No newline at end of file +- [WiFi CSP](wifi-csp.md) + +## CSPs supported in Windows 10 S + +The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list: + +- [ActiveSync CSP](activesync-csp.md) +- [APPLICATION CSP](application-csp.md) +- [AppLocker CSP](applocker-csp.md) +- [BOOTSTRAP CSP](bootstrap-csp.md) +- [CellularSettings CSP](cellularsettings-csp.md) +- [CertificateStore CSP](certificatestore-csp.md) +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [CM_CellularEntries CSP](cm-cellularentries-csp.md) +- [Defender CSP](defender-csp.md) +- [DevDetail CSP](devdetail-csp.md) +- [DeviceManageability CSP](devicemanageability-csp.md) +- [DeviceStatus CSP](devicestatus-csp.md) +- [DevInfo CSP](devinfo-csp.md) +- [DiagnosticLog CSP](diagnosticlog-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) +- [EMAIL2 CSP](email2-csp.md) +- [EnterpriseAPN CSP](enterpriseapn-csp.md) +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NAP CSP](nap-csp.md) +- [NAPDEF CSP](napdef-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) +- [NodeCache CSP](nodecache-csp.md) +- [PassportForWork CSP](passportforwork-csp.md) +- [Policy CSP](policy-configuration-service-provider.md) +- [Provisioning CSP](provisioning-csp.md) +- [PROXY CSP](proxy-csp.md) +- [PXLOGICAL CSP](pxlogical-csp.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteFind CSP](remotefind-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) +- [Reporting CSP](reporting-csp.md) +- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [SecureAssessment 
CSP](secureassessment-csp.md) +- [SecurityPolicy CSP](securitypolicy-csp.md) +- [SharedPC CSP](sharedpc-csp.md) +- [Storage CSP](storage-csp.md) +- [SUPL CSP](supl-csp.md) +- [Update CSP](update-csp.md) +- [VPNv2 CSP](vpnv2-csp.md) +- [WiFi CSP](wifi-csp.md) +- [Win32AppInventory CSP](win32appinventory-csp.md) +- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +- [WindowsLicensing CSP](windowslicensing-csp.md) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index f4cb7668c3..9a51b7e7b4 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -880,6 +880,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Ownership
  • + +MDM support for Windows 10 S +

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
    • +
    • [Policy CSP](policy-configuration-service-provider.md)
    • +
    +   @@ -1475,6 +1483,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + +MDM support for Windows 10 S +

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
    • +
    • [Policy CSP](policy-configuration-service-provider.md)
    • +
    + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e040b2ab69..2fa89a1146 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -107,6 +107,9 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add and Get. Does not support Delete. +> [!Note] +> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 s. +


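Review bot: in the `## CSPs supported in Windows 10 S` hunk of configuration-service-provider-reference.md, "The CSPs supported in Windows 10 S is the same as in Windows 10 Pro" should read "are the same as". The `- [SecureAssessment` / `CSP](secureassessment-csp.md)` entry is also split across two lines, unlike every other entry; if that break is in the source rather than an extraction artifact, the link will not render. Restoring the trailing newline that the old file lacked is a welcome side effect.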
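Review bot: the "MDM support for Windows 10 S" change-history row is added twice to new-in-windows-mdm-enrollment-management.md, once in the hunk at line 880 and again in the hunk at line 1475, with identical content; one of the two placements is wrong and the copies will drift. PATCH 06/10 in this series removes the second copy and reinserts the entry at line 1228, which suggests the first placement here was also wrong; squashing the two patches would keep the duplicate out of history altogether.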
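Review bot: the note added to policy-configuration-service-provider.md has three spelling problems and one grammar problem on the same line: "AppliationsDefaults" (the Policy CSP area is spelled ApplicationDefaults), "suppported", "Windows 10 s" (lower-case s), and "The policies supported in Windows 10 S is the same as" should be "are the same as".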
    From b23bc70c9e341c454eb7b14d9f57419e43af41da Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 30 May 2017 15:39:49 -0700 Subject: [PATCH 06/10] TFS 11881906, fixed typo and fixed change history table --- .../new-in-windows-mdm-enrollment-management.md | 16 ++++++++-------- .../mdm/policy-configuration-service-provider.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 9a51b7e7b4..01c9aace26 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1228,6 +1228,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Ownership
  • + +MDM support for Windows 10 S +

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
    • +
    • [Policy CSP](policy-configuration-service-provider.md)
    • +
    + @@ -1483,14 +1491,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware - -MDM support for Windows 10 S -

    Updated the following topics to indicate MDM support in Windows 10 S.

    -
      -
    • [Configuration service provider reference](configuration-service-provider-reference.md)
    • -
    • [Policy CSP](policy-configuration-service-provider.md)
    • -
    - diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2fa89a1146..6a2a63b9e5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -108,7 +108,7 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add and Get. Does not support Delete. > [!Note] -> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 s. +> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S.


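Review bot: moving the change-history entry from line 1483 to line 1228 resolves the duplicate introduced in PATCH 05/10; the removed block matches the added one line for line, so this is a pure relocation. Consider squashing it into the previous patch so the series never lands the duplicate.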
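Review bot: this hunk only capitalizes the trailing "s" in "Windows 10 S"; the same line still contains "AppliationsDefaults" and "suppported", and "is the same as" should be "are the same as", so the typo fix is incomplete.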
    From aee40708f3a40ae0a7a507ac4ba03ef79bfb7316 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 30 May 2017 16:01:42 -0700 Subject: [PATCH 07/10] fixed table formatting --- .../enterprise-certificate-pinning.md | 119 +++--------------- 1 file changed, 16 insertions(+), 103 deletions(-) diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index c1713b7bac..3594fcaae9 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md 
@@ -71,115 +71,32 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ The PinRules element can have the following attributes. For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). -- **Duration** or **NextUpdate** - - Specifies when the Pin Rules will expire. - Either is required. - **NextUpdate** takes precedence if both are specified. - - **Duration**, represented as an XML TimeSpan data type, does not allow years and months. - You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. - - **Required?** Yes. At least one is required. - -- **LogDuration** or **LogEndDate** - - Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. - - **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. - - You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. - - If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. - - **Required?** No. - -- **ListIdentifier** - - Provides a friendly name for the list of pin rules. - Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified.
    **Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | +| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
    **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
    You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
    If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | +| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. | #### PinRule Element The **PinRule** element can have the following attributes: -- **Name** - - Uniquely identifies the **PinRule**. - Windows uses this attribute to identify the element for a parsing error or for verbose output. - The attribute is not included in the generated certificate trust list (CTL). - - **Required?** Yes. - -- **Error** - - Describes the action Windows performs when it encounters a PIN mismatch. - You can choose from the following string values: - - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. - - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. - - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. - - **Required?** No. - -- **Log** - - A Boolean value represent as string that equals **true** or **false**. - By default, logging is enabled (**true**). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.| +| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
    - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
    - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
    - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. | +| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. | #### Certificate element The **Certificate** element can have the following attributes: -- **File** - - Path to a file containing one or more certificates. - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - These files can also be Base64 formatted. - All **Site** elements included in the same **PinRule** element can match any of these certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Directory** - - Path to a directory containing one or more of the above certificate files. - Skips any files not containing any certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Base64** - - Base64 encoded certificate(s). - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - This allows the certificates to be included in the XML file without a file directory dependency. - - > [!Note] - > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **EndDate** - - Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. - - If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates. - - If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL. 
- - For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
    - single certificate
    - p7b
    - sst
    These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). | +| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | +| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
    - single certificate
    - p7b
    - sst
    This allows the certificates to be included in the XML file without a file directory dependency.
    Note:
    You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). | +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
    If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
    If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
    For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). #### Site element @@ -302,10 +219,6 @@ Sign-in to the reference computer using domain administrator equivalent credenti To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules. -```code -HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config -``` - | Name | Value | |------|-------| | Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config | From 1c6012937d9e3f21a053a7e5ad3acc01fa992970 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 30 May 2017 16:29:50 -0700 Subject: [PATCH 08/10] fixed table formatting --- .../enterprise-certificate-pinning.md | 31 +++++-------------- 1 file changed, 7 insertions(+), 24 deletions(-) diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index 3594fcaae9..6f77234962 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -79,7 +79,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi #### PinRule Element -The **PinRule** element can have the following attributes: +The **PinRule** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| @@ -89,7 +89,7 @@ The **PinRule** element can have the following attributes: #### Certificate element -The **Certificate** element can have the following attributes: +The **Certificate** element can have the following attributes. | Attribute | Description | Required | |-----------|-------------|----------| 
@@ -100,29 +100,12 @@ The **Certificate** element can have the following attributes: #### Site element -The **Site** element can have the following attributes: +The **Site** element can have the following attributes. -- **Domain** - - Contains the DNS name to be matched for this pin rule. - When creating the certificate trust list, the parser normalizes the input name string value as follows: - - If the DNS name has a leading "*" it is removed. - - Non-ASCII DNS name are converted to ASCII Puny Code. - - Upper case ASCII characters are converted to lower case. - - If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. - For example, ".xyz.com" would match "abc.xyz.com". - - **Required?** Yes. - -- **AllSubdomains** - - By default, wildcard left hand label matching is restricted to a single left hand label. - This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. - - For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value. - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
    - If the DNS name has a leading "*" it is removed.
    - Non-ASCII DNS name are converted to ASCII Puny Code.
    - Upper case ASCII characters are converted to lower case.
    If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
    For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List From d5214402b6fff1b7c8b0f843c1b164c92c62acf4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 30 May 2017 16:40:56 -0700 Subject: [PATCH 09/10] fixed tables --- windows/access-protection/enterprise-certificate-pinning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index 6f77234962..130251d4b2 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -96,7 +96,7 @@ The **Certificate** element can have the following attributes. | **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
    - single certificate
    - p7b
    - sst
    These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). | | **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | | **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
    - single certificate
    - p7b
    - sst
    This allows the certificates to be included in the XML file without a file directory dependency.
    Note:
    You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). | -| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
    If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
    If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
    For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
    If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
    If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
    For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element From b045f28920ede94e6d0762672cc7dda26b57370d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 31 May 2017 07:48:21 -0700 Subject: [PATCH 10/10] tweak note per Akshatha --- .../windows-10-start-layout-options-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index d8b003ff30..5fc6d0a993 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -64,7 +64,7 @@ There are three categories of apps that might be pinned to a taskbar: * Apps pinned by the enterprise, such as in an unattended Windows setup >[!NOTE] - >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
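Review bot: in PATCH 07/10, the list-to-table conversion in enterprise-certificate-pinning.md leaves several cells with literal line breaks and nested `- ` bullets (the **Duration**/**NextUpdate**, **LogDuration**/**LogEndDate**, **Error**, **File**, **Base64** and **EndDate** rows); markdown tables do not support newlines or lists inside a cell, so these need `<br>` separators with the bullets flattened to inline text, or everything after the first break renders as stray paragraphs outside the table. Two further problems in the same tables: the **EndDate** row ends after the "[Representing a Date in XML]" link with no closing "| No. |" cell (PATCH 09/10 adds it), and the Required cell of the **Duration**/**NextUpdate** row still reads "**Required?** Yes. At least one is required." while every other row uses a bare "Yes." or "No.". Grammar carried over from the list form that could be fixed in the same pass: "A Boolean value represent as string" → "represented as a string", and "the parser outputs a warning message and exclude the certificate(s)" → "excludes".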
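Review bot: in PATCH 08/10, the **Site** element table has the same multi-line cell problem as the earlier tables: the **Domain** description carries three `- ` bullets and a line break inside the cell, and the **AllSubdomains** description breaks before "For example"; use `<br>` or flatten to inline text. The Required cells "Yes.|" and "No.|" are also missing the space before the pipe used elsewhere ("| Yes. |"). In the text itself, "Non-ASCII DNS name are converted to ASCII Puny Code" should read "names" and "Punycode".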
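Review bot: in PATCH 09/10, adding the missing "| No.|" cell closes the **EndDate** row so the Certificate table has three columns throughout; for consistency with the other rows, write it as "| No. |". The rest of the row is unchanged and still carries literal line breaks inside the cell, which will break the table rendering regardless of this fix.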
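Review bot: in PATCH 10/10, the rewritten note drops the statement that TaskbarLinks is deprecated in Windows 10, version 1607; if that deprecation still holds, keep it alongside the new recommendation so readers know the older method is not merely less preferred, e.g. "... rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file, which is deprecated in Windows 10, version 1607."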