Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into dynamicupdate
@ -9,7 +9,7 @@ ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
ms.date: 07/1/2019
ms.date: 02/06/2019
ms.localizationpriority: Medium
---

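Review bot: the ms.date change in this hunk goes from 07/1/2019 to 02/06/2019, which is earlier than the value it replaces; every other page in this merge is dated 02/06/2020, so this is most likely a typo for 02/06/2020 (and the mm/dd/yyyy form used elsewhere wants 07/01, not 07/1).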
@ -24,62 +24,45 @@ If you replace your Surface Hub 2S, one of its components, or a related accessor

Use the following steps to pack your Surface Hub 2S 50" for shipment.

| | | |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
| **1.** | Remove the pen and the camera. Do not pack them with the unit. |  |
| **2.** | Remove the drive and the power cable. Do not pack them with the unit. Do not pack the Setup guide with the unit. |  |
| **3.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge. |  |
| **4.** | Slide the Compute Cartridge out of the unit. |  |
| **5.** | You will need the Compute Cartridge and a screwdriver. | |
| **6.** | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). | |
| **7.** | Replace the cover and slide the Compute Cartridge back into the unit. | |
| **8.** | Re-fasten the locking screw and slide the cover into place. | |
| **9.** | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container. | |
| **10.** | Replace the cover of the shipping container, and insert the four clips. | |

## How to replace and pack your Surface Hub 2S Compute Cartridge

Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.
Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.<br>

| | | |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
| **1.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge. |  |
| **2.** | Slide the Compute Cartridge out of the unit. |  |
| **3.** | You will need the Compute Cartridge and a screwdriver. |  |
| **4.** | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover. |  |
| **5.**| You will need the packaging fixtures that were used to package your replacement Compute Cartridge. |  |
| **6.**| Place the old Compute Cartridge in the packaging fixtures. |  |
| **7.** | Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box. | |
| **8.**| Slide the replacement Compute Cartridge into the unit. |  |
| **9.**| Fasten the locking screw and slide the cover into place |  |

## How to replace your Surface Hub 2S Camera

Use the following steps to remove the Surface Hub 2S camera and install the new camera.

| | | |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
| **1.** | You will need the new camera and the two-millimeter allen wrench. | |
| **2.** | Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit. |  |

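Review bot: the Compute Cartridge steps remove the SSD from the old cartridge (step 4) and then pack the cartridge and slide the replacement in (steps 5 through 8), but never say what happens to the removed SSD, whether the customer keeps it or installs it in the replacement cartridge; add a step so the drive that holds the device's data is not left unaccounted for. The 50" packing steps have the same ambiguity: step 2 says "Remove the drive and the power cable" and step 6 later removes the SSD, so say which drive step 2 means. Smaller points: all three table header rows are empty (`| | | |`), so the columns are unlabelled; the `| **5.**|`, `| **6.**|`, `| **8.**|` and `| **9.**|` cells lack the space the other rows have; and step 9 "Fasten the locking screw and slide the cover into place" has no closing period.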
@ -1,4 +1,4 @@

# [Surface](index.md)
# [Surface](index.yml)

## [Get started](get-started.md)

@ -1,151 +0,0 @@

---
title: Microsoft Surface documentation and resources
layout: HubPage
hide_bc: true
description: Surface and Surface Hub documentation for admins & IT professionals
author: greg-lindsay
ms.author: greglin
manager: laurawi
ms.topic: hub-page
keywords: Microsoft Surface, Microsoft Surface Hub, Surface documentation
ms.localizationpriority: High
audience: ITPro
ms.prod: Surface
description: Learn about Microsoft Surface and Surface Hub devices.
---
<div id="main" class="v2">
<div class="container">
<h1>Microsoft Surface</h1>
<p>Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices.<br><br></p>
<ul class="pivots">
<li>
<a href="#home"></a>
<ul id="home">
<li>
<a href="#home-all"></a>
<ul id="home-all" class="cardsK">
<li>
<a href="get-started.md">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/surface-devices-400x140.svg" alt="Surface Devices" />
</div>
</div>
<div class="cardText">
<h3>Surface Devices</h3>
<p>Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://docs.microsoft.com/surface-hub/index">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/surface-hub-400x140.svg" alt="Surface Hub" />
</div>
</div>
<div class="cardText">
<h3>Surface Hub</h3>
<p>Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://www.microsoft.com/surface/business">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/surface-workplace-400x140.svg" alt="Surface for Business" />
</div>
</div>
<div class="cardText">
<h3>Surface for Business</h3>
<p>Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li class="fullSpan">
<hr />
<br>
<ul class="cardsF panelContent singlePanelContent" style="display:flex!important;">
<li>
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img src="https://docs.microsoft.com/office/media/icons/blog-site-blue.svg" alt="Communities" />
</div>
</div>
<div class="cardText">
<h3>Communities</h3>
<P><a href="https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro" target="_blank">Surface IT Pro blog</a></p>
<P><a href="https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices" target="_blank">Surface Devices Tech Community</a></p>
</div>
</div>
</div>
</div>
</li>
<li>
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img src="https://docs.microsoft.com/office/media/icons/education-tutorial-blue.svg" alt="Learn" />
</div>
</div>
<div class="cardText">
<h3>Learn</h3>
<P><a href="https://docs.microsoft.com/learn/browse/?term=Surface" target="_blank">Surface training on Microsoft Learn</a></p>
<P><a href="https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ" target="_blank">Microsoft Mechanics Surface videos</a></p>
<P><a href="https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit" target="_blank">Surface Hub 2S adoption and training</a></p>
</div>
</div>
</div>
</div>
</li>
<li>
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img src="https://docs.microsoft.com/office/media/icons/chat.svg" alt="Need help?" />
</div>
</div>
<div class="cardText">
<h3>Need help?</h3>
<P><a href="https://support.microsoft.com/products/surface-devices" target="_blank">Surface Devices</a></p>
<P><a href="https://support.microsoft.com/hub/4343507/surface-hub-help" target="_blank">Surface Hub</a></p>
</div>
</div>
</div>
</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
</div>

devices/surface/index.yml (new file, 62 lines)
@ -0,0 +1,62 @@
### YamlMime:Hub

title: Microsoft Surface # < 60 chars
summary: Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices. # < 160 chars
# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-platform | project | sharepoint | sql | sql-server | teams | vs | visual-studio | windows | xamarin
brand: windows

metadata:
title: Microsoft Surface # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices. # Required; article description that is displayed in search results. < 160 chars.
ms.prod: surface #Required; service per approved list. service slug assigned to your service by ACOM.
ms.topic: hub-page # Required
audience: ITPro
author: samanro #Required; your GitHub user alias, with correct capitalization.
ms.author: samanro #Required; microsoft alias of author; optional team alias.
ms.date: 07/03/2019 #Required; mm/dd/yyyy format.
localization_priority: Priority

# additionalContent section (optional)
# Card with summary style
additionalContent:
# Supports up to 3 sections
sections:
- title: For IT Professionals # < 60 chars (optional)
items:
# Card
- title: Surface devices
summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
url: https://docs.microsoft.com/en-us/surface/get-started
# Card
- title: Surface Hub
summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.
url: https://docs.microsoft.com/surface-hub/index
# Card
- title: Surface for Business
summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.
url: https://www.microsoft.com/surface/business
- title: Other resources # < 60 chars (optional)
items:
# Card
- title: Communities
links:
- text: Surface IT Pro blog
url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
- text: Surface Devices Tech Community
url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
# Card
- title: Learn
links:
- text: Surface training on Microsoft Learn
url: https://docs.microsoft.com/learn/browse/?term=Surface
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
- text: Surface Hub 2S adoption and training
url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
# Card
- title: Need help?
links:
- text: Surface devices
url: https://support.microsoft.com/products/surface-devices
- text: Surface Hub
url: https://support.microsoft.com/hub/4343507/surface-hub-help
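Review bot: the Surface devices card links to the locale-pinned absolute URL https://docs.microsoft.com/en-us/surface/get-started where the deleted index.md used the relative get-started.md; dropping the en-us segment (or keeping a relative link) lets localized sites route readers to their own copy. Also, the old front matter carried ms.localizationpriority: High and keywords, while the new file uses localization_priority: Priority and has no keywords; confirm that key name and value are what the Hub schema accepts, and whether the keywords should carry over. The ms.date of 07/03/2019 also predates the rest of this merge.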
@ -14,7 +14,7 @@ author: dansimp
ms.author: dansimp
ms.topic: article
ms.audience: itpro
ms.date: 11/13/2019
ms.date: 02/06/2020
---

# Microsoft Surface Data Eraser

@ -85,6 +85,9 @@ After the creation tool is installed, follow these steps to create a Microsoft S

2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process.

>[!NOTE]
>For Surface Pro X devices, select **ARM64**. for other Surface devices, select **x64**.

3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.

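Review bot: the new note tells Surface Pro X users to select **ARM64** but sits after step 2 ("Click **Build**") without saying where the architecture choice appears, so a reader meets it only after already clicking Build; name the control and place the note before the Build step, or fold the choice into step 2. Also, "for other Surface devices" after the period should start with a capital letter (or the two clauses should be joined with a semicolon).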
@ -153,8 +156,8 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo

8. Click the **Yes** button to continue erasing data on the Surface device.

>[!NOTE]
>When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder.
>[!NOTE]
>When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder.

## Changes and updates

@ -222,8 +225,8 @@ This version of Microsoft Surface Data Eraser adds support for the following:

- Surface Pro 1TB

>[!NOTE]
>Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information.
>[!NOTE]
>Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information.

### Version 3.2.36.0

@ -13,7 +13,7 @@ ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 11/26/2019
ms.date: 02/06/2020
---

# Windows Autopilot and Surface devices

@ -42,7 +42,7 @@ Surface partners that are enabled for Windows Autopilot include:

- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
- [Atea](https://www.atea.com/)
- [Bechtle](https://www.bechtle.com/de-en)
- [Bechtle](https://www.bechtle.com/backend/cms/marken/microsoft/microsoft-windows-autopilot)
- [Cancom](https://www.cancom.de/)
- [CDW](https://www.cdw.com/)
- [Computacenter](https://www.computacenter.com/uk)

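Review bot: the new Bechtle link, https://www.bechtle.com/backend/cms/marken/microsoft/microsoft-windows-autopilot, points at what looks like a CMS backend path rather than a public landing page; confirm it resolves for anonymous visitors and is stable before replacing the shorter https://www.bechtle.com/de-en, otherwise the list will carry a dead partner link.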
@ -32,5 +32,6 @@

#### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
#### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
#### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
#### [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
ms.date: 12/27/2019
ms.date: 1/21/2020
ms.reviewer:
manager: dansimp
ms.topic: article

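Review bot: the new ms.date 1/21/2020 is not in the mm/dd/yyyy form the other pages in this merge use (02/06/2020), and the change-history page it stamps gains a February 2020 section in the next hunk, so a January date will look stale the day it publishes; use 02/06/2020.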
@ -19,11 +19,19 @@ ms.topic: article

This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.

## February 2020

New or changed topic | Description
--- | ---
[Blue screen occurs when you update the in-box Broadcom NIC driver](troubleshoot-stop-error-on-broadcom-driver-update.md) | New
[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated

## December 2019

New or changed topic | Description
--- | ---
[Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
[Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
[Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New

## December 2018

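Review bot: the new February 2020 entry titles the topic "Blue screen occurs when you update the in-box Broadcom NIC driver", but the TOC entry added in this same merge for troubleshoot-stop-error-on-broadcom-driver-update.md reads "Stop error occurs when you update the in-box Broadcom network adapter driver"; use one title in both places so readers can match the history entry to the TOC.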
@ -1,6 +1,6 @@

---
title: Provide server-side support for mobile app management on Windows
description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
title: Implement server-side support for mobile application management on Windows
description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10

@ -16,21 +16,21 @@ manager: dansimp

The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.

## Integration with Azure Active Directory
## Integration with Azure AD

MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).

MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.

On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings>Accounts>Access work or school**.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.

Regular non-admin users can enroll to MAM.

## Integration with Windows Information Protection

MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware applications. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.
MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.

To make applications WIP-aware, app developers need to include the following data in the app resource file:
To make applications WIP-aware, app developers need to include the following data in the app resource file.

``` syntax
// Mark this binary as Allowed for WIP (EDP) purpose

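Review bot: "a users’ personal devices" in the rewritten enrollment paragraph keeps the misplaced apostrophe from the line it replaces; it should read "a user’s personal devices". The same paragraph's "such as the next update of Microsoft Office 365" dates the page the moment it ships; name the version or drop the qualifier. Minor: the lead-in before the resource-file snippet was changed from a colon to a period, but a colon is the usual form immediately before a fenced example.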
@ -42,7 +42,7 @@ To make applications WIP-aware, app developers need to include the following dat

## Configuring an Azure AD tenant for MAM enrollment

MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the Management app for an IT admin configuration.
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.

@ -53,9 +53,9 @@ MAM and MDM services in an organization could be provided by different vendors.
MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.

Below are protocol changes for MAM enrollment:
- MDM discovery is not supported
- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional
- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore, does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
- MDM discovery is not supported.
- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional.
- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.

Here is an example provisioning XML for MAM enrollment.

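Review bot: the third bullet still opens "MAM enrollment variation of [MS-MDE2] protocol" with no articles ("The MAM enrollment variation of the [MS-MDE2] protocol"), and since the bullets are being edited anyway, "one-way SSL using server certificate authentication" would be clearer as "one-way TLS (server certificate authentication only)", TLS being the current name of the protocol; that phrasing also makes explicit that the client presents no certificate and that the Azure AD token is the only thing authenticating it during policy sync.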
@ -73,39 +73,36 @@ Here is an example provisioning XML for MAM enrollment.

Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.

## Supported Configuration Service Providers (CSPs)
## Supported CSPs

MAM on Windows support the following CSPs. All other CSPs will be blocked. Note the list may change later based on customer feedback.
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:

- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
- [DevInfo CSP](devinfo-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md)
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DevInfo CSP](devinfo-csp.md).
- [DMAcc CSP](dmacc-csp.md).
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.

## Device lock policies and EAS

MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP.

We do not recommend configuring both Exchange Active Sync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:
We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows:

<ol>
<li>When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS:</li><ul>
<li>If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.</li>
<li>If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.</li>
</ul>
<li>If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM, EAS, and the resultant set of policies will be a superset of both.</li>
</ol>
- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS.
|
||||
- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
|
||||
- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
|
||||
- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both.
|
||||
|
||||
## Policy sync
|
||||
|
||||
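Review bot: the nesting of the EAS evaluation list is lost in the markdown replacement of the `<ol>` block. In the HTML version the two "If the device is found to be compliant" / "If the device is found to be non-compliant" items are a `<ul>` nested under the first `<li>`; in the new bullet list they are siblings of "When EAS policies are sent to a device that already has MAM policies", so the outcome branches read as four independent statements. Indent those two bullets under the first one so the structure matches the HTML it replaces. The "Exchange ActiveSync" spelling fix and the trailing periods on the CSP list items are fine.
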
@ -115,20 +112,18 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to

Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM.

> [!Note]
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
> [!NOTE]
> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade.

To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.

In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:

<ol>
<li>Both MAM and MDM policies for the organization support WIP</li>
<li>EDP CSP Enterprise ID is the same for both MAM and MDM</li>
<li>EDP CSP RevokeOnMDMHandoff is set to FALSE</li>
</ol>
- Both MAM and MDM policies for the organization support WIP.
- EDP CSP Enterprise ID is the same for both MAM and MDM.
- EDP CSP RevokeOnMDMHandoff is set to false.

If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings>Accounts>Access work or school**. The user can click on this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.

## Skype for Business compliance with MAM

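Review bot: `RevokeOnUnenroll` and `RevokeOnMDMHandoff` on the "In the process of changing MAM enrollment to MDM" line and in the new bullet list are EnterpriseDataProtection CSP node names and should be in backticks, the way `DisableDeviceDelete` is formatted elsewhere in this change; the FALSE to false change is right, since the value is a boolean, not a constant. Replacing the `<ol>` with bullets is fine here because the three items are conditions that must all hold rather than ordered steps; saying so in the lead-in ("ensure that all of the following are true") would make that explicit.
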
@ -164,7 +159,7 @@ We have updated Skype for Business to work with MAM. The following table explain
<td>October 10 2017</td>
<td>Office 365 ProPlus</td>
</tr><tr>
<td><a href="https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB" data-raw-source="[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB)">First release for deferred channel</a></td>
<td><a href="https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB" data-raw-source="[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB)">First release for Deferred channel</a></td>
<td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
<td>June 13 2017</td>
<td></td>

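Review bot: capitalization on the changed "First release for Deferred channel" line is still inconsistent: the description cell in the same row says "the next Deferred Channel", and the `data-raw-source` attribute still carries the old "deferred channel" text. Pick one form and apply it to both the link text and the `data-raw-source` attribute.
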
@ -0,0 +1,46 @@
---
title: Stop error occurs when you update the in-box Broadcom network adapter driver
description: Describes an issue that causes a stop error when you update an in-box Broadcom driver on Windows Server 2019, version 1809.
author: Teresa-Motiv
ms.author: v-tea
ms.date: 2/3/2020
ms.prod: w10
ms.topic: article
ms.custom:
- CI 113175
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
keywords:
manager: kaushika
---

# Stop error occurs when you update the in-box Broadcom network adapter driver

This issue affects computers that meet the following criteria:

- The operating system is Windows Server 2019, version 1809.
- The network adapter is a Broadcom NX1 Gigabit Ethernet network adapter.
- The number of logical processors is large (for example, a computer that has more than 38 logical processors).

On such a computer, when you update the in-box Broadcom network adapter driver to a later version, the computer experiences a Stop error (also known as a blue screen error or bug check error).

## Cause

The operating system media for Windows Server 2019, version 1809, contains version 17.2 of the Broadcom NIC driver. When you upgrade this driver to a later version, the process of uninstalling the version 17.2 driver generates an error. This is a known issue.

This issue was resolved in Windows Server 2019 version 1903. The operating system media use a later version of the Broadcom network adapter driver.

## Workaround

To update the Broadcom network adapter driver on an affected computer, follow these steps:

> [!NOTE]
> This procedure describes how to use Device Manager to disable and re-enable the Broadcom network adapter. Alternatively, you can use the computer BIOS to disable and re-enable the adapter. For specific instructions, see your OEM BIOS configuration guide.

1. Download the driver update to the affected computer.
1. Open Device Manager, and then select the Broadcom network adapter.
1. Right-click the adapter and then select **Disable device**.
1. Right-click the adapter again and then select **Update driver** > **Browse my computer for driver software**.
1. Select the update that you downloaded, and then start the update.
1. After the update finishes, right-click the adapter and then select **Enable device**.

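Review bot: the release naming in the Cause section contradicts the rest of the new article. The criteria list and the `description:` say the affected OS is "Windows Server 2019, version 1809", but the resolution line says the issue "was resolved in Windows Server 2019 version 1903". Windows Server 2019 is the version 1809 release; the release carrying version 1903 is "Windows Server, version 1903" (the Semi-Annual Channel release), so that line should say "Windows Server, version 1903" rather than implying a 1903 build of Server 2019. Two smaller points: `keywords:` in the front matter has no value and should be filled or removed, and the Workaround steps never say that disabling the adapter in step 3 takes the server off the network, which is the reason step 1 has to happen first; one sentence before the list would make that explicit.
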
@ -7,7 +7,7 @@ ms.topic: troubleshooting
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
ms.date:
ms.date: 2/3/2020
ms.reviewer:
manager: dansimp
---

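Review bot: `ms.reviewer:` on the line after the new `ms.date: 2/3/2020` is left empty in the same front matter; if the metadata is being touched anyway, either set a reviewer or remove the empty key rather than leaving a null field behind.
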
@ -51,3 +51,5 @@ These articles will walk you through the resources you need to troubleshoot Wind
- [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)

- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)

- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)

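Review bot: the new entry on the "Stop error occurs when you update the in-box Broadcom network adapter driver" line links with a relative path (`troubleshoot-stop-error-on-broadcom-driver-update.md`) while the two existing entries use absolute `https://docs.microsoft.com/windows/client-management/...` URLs. Relative links are the better choice inside one docset, so convert the two existing entries in the same change rather than leaving the list mixed.
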
@ -60,7 +60,7 @@ The Settings UI is talking to the Update Orchestrator service which in turn is t
On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered.

Checking the WindowsUpdate.log reveals the following error:
```
```console
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No
YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service

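Review bot: retagging the fence as `console` is fine, but the excerpt uses placeholders (`YYYY/MM/DD HH:mm:ss:SSS PID TID`) in place of real timestamps and process/thread IDs, and the lead-in "Checking the WindowsUpdate.log reveals the following error" does not say so. Add a few words noting that the prefix columns are placeholders, so readers search the log for the `Finding updates` / `ServiceID` text rather than the literal `YYYY/MM/DD` string.
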
@ -85,7 +85,7 @@ YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates Caller
```

The 0x80070426 error code translates to:
```
```console
ERROR_SERVICE_NOT_ACTIVE - # The service has not been started.
```

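Review bot: `ERROR_SERVICE_NOT_ACTIVE - # The service has not been started.` carries a stray `#` between the symbolic name and the message text. It is an unchanged context line, but the fence around it is being retagged in this hunk, so drop the `#` at the same time: `ERROR_SERVICE_NOT_ACTIVE - The service has not been started.`
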
@ -98,7 +98,7 @@ Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download u

To fix this issue, configure a proxy in WinHTTP by using the following netsh command:

```
```console
netsh winhttp set proxy ProxyServerName:PortNumber
```

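Review bot: the `netsh winhttp set proxy ProxyServerName:PortNumber` line sets a machine-wide WinHTTP proxy that every service using WinHTTP on the box will follow, not only Windows Update, and the text neither says so nor shows how to verify or undo it. Suggest adding that `netsh winhttp show proxy` displays the current setting and `netsh winhttp reset proxy` returns to direct access, and showing the bypass-list form, `netsh winhttp set proxy proxy-server="ProxyServerName:PortNumber" bypass-list="<local>"`, so an on-premises WSUS server or other internal hosts are not routed through the proxy.
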
@ -128,15 +128,15 @@ The most common reasons for this error are described in the following table:

## Issues related to firewall configuration
Error that may be seen in the WU logs:
```
```console
DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls.
```
Or
```
```console
[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 <NULL>, error = 0x800706D9
```
Or
```
```console
DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 <NULL>, error = 0x80D0000A
```

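Review bot: this section shows three error codes but, unlike the 0x80070426 section earlier in this file, translates none of them, so readers cannot confirm that what they see really is the firewall case. `0x800706d9` is Win32 error 1753, `EPT_S_NOT_REGISTERED` ("There are no more endpoints available from the endpoint mapper"), which BITS commonly reports when the Windows Firewall service it relies on is stopped or disabled; that is what ties these excerpts to the heading, so add the translation after the first two blocks. The third excerpt is a Delivery Optimization (`DO job`) error rather than a BITS one, so the lead-in "Error that may be seen in the WU logs" should say that both BITS and DO transfer failures land here.
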
@ -150,17 +150,17 @@ See [How to configure automatic updates by using Group Policy or registry settin
## Device cannot access update files
Check that your device can access these Windows Update endpoints:

- http://windowsupdate.microsoft.com
- http://*.windowsupdate.microsoft.com
- https://*.windowsupdate.microsoft.com
- http://*.update.microsoft.com
- https://*.update.microsoft.com
- http://*.windowsupdate.com
- http://download.windowsupdate.com
- https://download.microsoft.com
- http://*.download.windowsupdate.com
- http://wustat.windows.com
- http://ntservicepack.microsoft.com
- `http://windowsupdate.microsoft.com`
- `http://*.windowsupdate.microsoft.com`
- `https://*.windowsupdate.microsoft.com`
- `http://*.update.microsoft.com`
- `https://*.update.microsoft.com`
- `http://*.windowsupdate.com`
- `http://download.windowsupdate.com`
- `https://download.microsoft.com`
- `http://*.download.windowsupdate.com`
- `http://wustat.windows.com`
- `http://ntservicepack.microsoft.com`

Whitelist these endpoints for future use.

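Review bot: "Whitelist these endpoints for future use." should be "Allow these endpoints" or "Add these endpoints to your allow list", matching the terminology used across these docs. Wrapping the URLs in backticks is the right fix; it also makes clear that `*.` is a wildcard for a proxy or firewall rule, not part of a literal URL. Since several entries are plain `http://`, a sentence noting that this is intended (update payloads are verified by signature and hash on the client, and an allow list that admits only HTTPS will block those downloads) would save readers a support case.
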
@ -183,13 +183,13 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can
## You have a bad setup in the environment
If we look at the GPO being set through registry, the system is configured to use WSUS to download updates:

```
```console
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001 ===================================> it says use WSUS server.
```

From the WU logs:
```
```console
2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
2018-08-06 09:33:31:085 480 1118 Agent *********
2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates

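Review bot: the key on the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]` line has a closing `]` with no opening `[`, so it is neither valid .reg syntax nor a plain path; make it `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]`. On the next line, the `===================================> it says use WSUS server.` annotation sits inside the value line and will be copied along with it; move that explanation into the prose or onto a separate line starting with `;`, which is the .reg comment syntax.
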
@ -206,7 +206,7 @@ In the above log snippet, we see that the Criteria = "IsHidden = 0 AND Deploymen

Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here.

```
```console
2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
2018-08-06 10:58:45:992 480 5d8 Agent *********
2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No

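Review bot: the paragraph on the "Now if you look at the below logs" line is a run-on with shifting subjects ("finds no update approved for it", "installs it on the specified time", "that is the problem you are facing"); since the fence under it is being retagged, tighten the prose at the same time, for example: "The Automatic Updates scan below finds no approved updates and reports 0 updates to download or install. Without WSUS approvals (and without SCCM in this scenario) nothing is installed, so a scan triggered by the Operational Insights agent cannot start a download on its own."
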
@ -224,12 +224,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of

The following group policies can help mitigate this:

- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled)
- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled)
- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](https://gpsearch.azurewebsites.net/#4728) (Set to enabled)
- Driver search: [Policy Specify search order for device driver source locations](https://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](https://gpsearch.azurewebsites.net/#10876) (Set to enabled)

Other components that reach out to the internet:

- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled)
- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled)
- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571)
- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](https://gpsearch.azurewebsites.net/#13362) (Set to disabled)
- Consumer experiences: [Policy Turn off Microsoft consumer experiences](https://gpsearch.azurewebsites.net/#13329) (Set to enabled)
- Background traffic from Windows apps: [Policy Let Windows apps run in the background](https://gpsearch.azurewebsites.net/#13571)

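Review bot: the "Background traffic from Windows apps" item lacks the "(Set to ...)" value that every other policy in both lists carries, so readers are left to guess the intended setting; add it in the same form as its neighbours. The `http` to `https` change for the gpsearch.azurewebsites.net links is fine.
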
@ -101,6 +101,9 @@ To provide needed Azure Active Directory (automatic MDM enrollment and company b
- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service).

> [!NOTE]
> Even when using Microsoft 365 subscriptions, you still need to [assign Intune licenses to the users](https://docs.microsoft.com/intune/fundamentals/licenses-assign).

Additionally, the following are also recommended (but not required):
- [Office 365 ProPlus](https://www.microsoft.com/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.

@ -140,7 +140,7 @@ Windows 10, version 1803 and later, allows users to change their diagnostic data

#### 2.3.7 Diagnostic data: Managing device-based data delete

Windows 10, version 1809 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script.
Windows 10, version 1803 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script.

An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.

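Review bot: the 1809 to 1803 change on the "Windows 10, version 1803 and later, allows a user to delete diagnostic data" line is consistent with the preceding section's "version 1803 and later" shown in the hunk header, so the two sections now agree. While here, "PowerShell cmdlet script" in the `Clear-WindowsDiagnosticData` sentence should be just "PowerShell cmdlet"; it is a cmdlet, not a script.
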
@ -32,6 +32,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Date resolved</td></tr>
<tr><td><div id='384msg'></div><b>Custom wallpaper displays as black</b><br>Using a custom image set to \"Stretch\" might not display as expected.<br><br><a href = '#384msgdesc'>See details ></a></td><td>January 14, 2020<br><a href ='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a></td><td>February 07, 2020 <br>10:00 AM PT</td></tr>
<tr><td><div id='374msg'></div><b>MSRT might fail to install and be re-offered from Windows Update or WSUS </b><br>The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.<br><br><a href = '#374msgdesc'>See details ></a></td><td><br><a href ='' target='_blank'></a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>January 23, 2020 <br>02:08 PM PT</td></tr>
<tr><td><div id='351msg'></div><b>Intermittent issues when printing</b><br>The print spooler service may intermittently have issues completing a print job and results print job failure.<br><br><a href = '#351msgdesc'>See details ></a></td><td>September 24, 2019<br><a href ='https://support.microsoft.com/help/4516048' target='_blank'>KB4516048</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4519976' target='_blank'>KB4519976</a></td><td>October 08, 2019 <br>10:00 AM PT</td></tr>
<tr><td><div id='329msg'></div><b>You may receive an error when opening or using the Toshiba Qosmio AV Center</b><br>Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.<br><br><a href = '#329msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4516048' target='_blank'>KB4516048</a></td><td>September 24, 2019 <br>10:00 AM PT</td></tr>

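Review bot: the `374msg` row (MSRT) carries empty anchors, `<a href ='' target='_blank'></a>`, in both its Originating update and Status cells, which render as empty links; either remove the anchors or fill in the KB. The `384msg` row's change to Resolved with `KB4539601` and "February 07, 2020" matches the details row added later in this file.
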
@ -50,6 +51,15 @@ sections:
<div>
</div>
"
- title: January 2020
- items:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='384msgdesc'></div><b>Custom wallpaper displays as black</b><div>After installing <a href='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a>, your desktop wallpaper when set to \"Stretch\" might display as black.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 7 SP1</li><li>Server: Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue was resolved in <a href='https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a>, if you are using Monthly Rollups. If you are using Security Only updates, see <a href=\"https://support.microsoft.com/help/4539602\" rel=\"noopener noreferrer\" target=\"_blank\">KB4539602</a>. These updates are available for all customers running Windows 7 SP1 and Windows Server 2008 R2 SP1.</div><br><a href ='#384msg'>Back to top</a></td><td>January 14, 2020<br><a href ='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a></td><td>Resolved:<br>February 07, 2020 <br>10:00 AM PT<br><br>Opened:<br>January 24, 2020 <br>09:15 AM PT</td></tr>
</table>
"

- title: November 2019
- items:
- type: markdown

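Review bot: the new January 2020 details row mixes quoting styles: the `KB4539602` anchor uses escaped double quotes (`href=\"https://support.microsoft.com/help/4539602\"`) while every other attribute in the row uses single quotes. Single quotes avoid escaping inside the YAML double-quoted `text:` string, so use them for that anchor as well.
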
@ -60,7 +60,7 @@ sections:
- type: markdown
text: "<div>This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.</div><br>
<table border ='0'><tr><td width='65%'>Summary</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>Last updated</td></tr>
<tr><td><div id='384msg'></div><b>Custom wallpaper displays as black</b><br>Using a custom image set to \"Stretch\" might not display as expected.<br><br><a href = '#384msgdesc'>See details ></a></td><td>January 14, 2020<br><a href ='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a></td><td>Mitigated<br><a href = 'https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a></td><td>January 27, 2020 <br>12:27 PM PT</td></tr>
<tr><td><div id='384msg'></div><b>Custom wallpaper displays as black</b><br>Using a custom image set to \"Stretch\" might not display as expected.<br><br><a href = '#384msgdesc'>See details ></a></td><td>January 14, 2020<br><a href ='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a></td><td>February 07, 2020 <br>10:00 AM PT</td></tr>
<tr><td><div id='374msg'></div><b>MSRT might fail to install and be re-offered from Windows Update or WSUS </b><br>The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.<br><br><a href = '#374msgdesc'>See details ></a></td><td><br><a href ='' target='_blank'></a></td><td>Resolved<br><a href = '' target='_blank'></a></td><td>January 23, 2020 <br>02:08 PM PT</td></tr>
<tr><td><div id='364msg'></div><b>TLS connections might fail or timeout</b><br>Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.<br><br><a href = '#364msgdesc'>See details ></a></td><td>October 08, 2019<br><a href ='https://support.microsoft.com/help/4519976' target='_blank'>KB4519976</a></td><td>Mitigated External<br></td><td>November 05, 2019 <br>03:36 PM PT</td></tr>
<tr><td><div id='310msg'></div><b>IA64 and x64 devices may fail to start after installing updates</b><br>After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.<br><br><a href = '#310msgdesc'>See details ></a></td><td>August 13, 2019<br><a href ='https://support.microsoft.com/help/4512506' target='_blank'>KB4512506</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>August 17, 2019 <br>12:59 PM PT</td></tr>

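Review bot: the same empty-anchor problem as in the other status file appears here on the `374msg` and `310msg` rows (`<a href ='' target='_blank'></a>`), which render as empty links in the Originating update and Status cells; remove or fill them. The `384msg` status change from Mitigated to Resolved matches the details row in the hunk that follows.
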
@ -79,7 +79,7 @@ sections:
- type: markdown
text: "
<table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='384msgdesc'></div><b>Custom wallpaper displays as black</b><div>After installing <a href='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a>, your desktop wallpaper when set to \"Stretch\" might display as black.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 7 SP1</li><li>Server: Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Workaround:</strong> To mitigate the issue, you can do one of the following:</div><ul><li>Set your custom image to an option other than \"Stretch\", such as “Fill”, “Fit”, “Tile”, or “Center”, or</li><li>Choose a custom wallpaper that matches the resolution of your desktop.</li></ul><div></div><div><strong>Next steps: </strong>We are working on a resolution and estimate a solution will be available mid-February, which will be released to all customers running Windows 7 and Windows Server 2008 R2 SP1.</div><br><a href ='#384msg'>Back to top</a></td><td>January 14, 2020<br><a href ='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a></td><td>Mitigated<br><a href = 'https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a></td><td>Last updated:<br>January 27, 2020 <br>12:27 PM PT<br><br>Opened:<br>January 24, 2020 <br>09:15 AM PT</td></tr>
<tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='384msgdesc'></div><b>Custom wallpaper displays as black</b><div>After installing <a href='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a>, your desktop wallpaper when set to \"Stretch\" might display as black.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 7 SP1</li><li>Server: Windows Server 2008 R2 SP1</li></ul><div></div><div><strong>Resolution:</strong> This issue was resolved in <a href='https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a>, if you are using Monthly Rollups. If you are using Security Only updates, see <a href=\"https://support.microsoft.com/help/4539602\" rel=\"noopener noreferrer\" target=\"_blank\">KB4539602</a>. These updates are available for all customers running Windows 7 SP1 and Windows Server 2008 R2 SP1.</div><br><a href ='#384msg'>Back to top</a></td><td>January 14, 2020<br><a href ='https://support.microsoft.com/help/4534310' target='_blank'>KB4534310</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4539601' target='_blank'>KB4539601</a></td><td>Resolved:<br>February 07, 2020 <br>10:00 AM PT<br><br>Opened:<br>January 24, 2020 <br>09:15 AM PT</td></tr>
</table>
"

@ -85,13 +85,6 @@ sections:
<tr><td id='313'><a href = 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506' target='_blank'><b>Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)</b></a><a class='docon docon-link heading-anchor' aria-labelledby='313' href='#313'></a><br><div>On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see <a href='https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506' target='_blank'>CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability</a> in the Microsoft Security Update Guide and important guidance for IT pros in <a href='https://support.microsoft.com/help/4514157' target='_blank'>KB4514157</a>. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)</div></td><td>August 13, 2019 <br>10:00 AM PT</td></tr>
<tr><td id='312'><a href = 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162' target='_blank'><b>Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)</b></a><a class='docon docon-link heading-anchor' aria-labelledby='312' href='#312'></a><br><div>On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see <a href='https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162' target='_blank'>CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability</a></div></td><td>August 13, 2019 <br>10:00 AM PT</td></tr>
<tr><td id='311'><a href = 'https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1803' target='_blank'><b>Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019 </b></a><a class='docon docon-link heading-anchor' aria-labelledby='311' href='#311'></a><br><div>Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the <a href='https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1903' target='_blank'>Windows 10, version 1903 section</a> of the Windows release health dashboard.</div></td><td>August 13, 2019 <br>10:00 AM PT</td></tr>
<tr><td id='305'><b>Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)</b><a class='docon docon-link heading-anchor' aria-labelledby='305' href='#305'></a><br><div>On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see <a href='https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125' target='_blank'>CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability</a> in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)</div></td><td>August 06, 2019 <br>10:00 AM PT</td></tr>
<tr><td id='304'><b>Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons</b><a class='docon docon-link heading-anchor' aria-labelledby='304' href='#304'></a><br><div>Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see <a href='https://support.microsoft.com/help/4027498/microsoft-store-fix-problems-with-apps' target='_blank'>Fix problems with apps from Microsoft Store</a>.</div></td><td>August 01, 2019 <br>02:00 PM PT</td></tr>
<tr><td id='300'><a href = 'https://support.microsoft.com/help/4505903' target='_blank'><b>Status update: Windows 10, version 1903 “D” release now available</b></a><a class='docon docon-link heading-anchor' aria-labelledby='300' href='#300'></a><br><div>The optional monthly “D” release for Windows 10, version 1903 is now available. Follow <a href='https://twitter.com/windowsupdate' target='_blank'>@WindowsUpdate</a> for the latest on the availability of this release.</div></td><td>July 26, 2019 <br>02:00 PM PT</td></tr>
|
||||
<tr><td id='299'><a href = 'https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support' target='_blank'><b>Plan for change: Microsoft Silverlight will reach end of support on October 12, 2021</b></a><a class='docon docon-link heading-anchor' aria-labelledby='299' href='#299'></a><br><div>After this date, Silverlight will not receive any future quality or security updates. Microsoft will continue to ship updates to the Silverlight 5 Developer Runtime for supported browsers and versions (Internet Explorer 10 and Internet Explorer 11); however, please note that support for Internet Explorer 10 will end on 31 January 2020. See the <a href='https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support' target='blank'>Silverlight end of support FAQ</a> for more details.</div></td><td>July 19, 2019 <br>12:00 AM PT</td></tr>
|
||||
<tr><td id='296'><a href = 'https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/' target='_blank'><b>Evolving Windows 10 servicing and quality</b></a><a class='docon docon-link heading-anchor' aria-labelledby='296' href='#296'></a><br><div>Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the <a href='https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968' target='_blank'>Windows IT Pro Blog</a> for more details on how to plan for this new update option in your environment.</div></td><td>July 01, 2019 <br>02:00 PM PT</td></tr>
|
||||
<tr><td id='297'><b>Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier</b><a class='docon docon-link heading-anchor' aria-labelledby='297' href='#297'></a><br><div>We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.</div></td><td>June 18, 2019 <br>02:00 PM PT</td></tr>
|
||||
<tr><td id='298'><b>Windows 10, version 1903 available by selecting “Check for updates”</b><a class='docon docon-link heading-anchor' aria-labelledby='298' href='#298'></a><br><div>Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.</div></td><td>June 06, 2019 <br>06:00 PM PT</td></tr>
|
||||
<tr><td id='262'><a href = 'https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97' target='_blank'><b>Windows 10, version 1903 rollout begins</b></a><a class='docon docon-link heading-anchor' aria-labelledby='262' href='#262'></a><br>The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.</td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
|
||||
</table>
|
||||
"
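Review bot: in the Silverlight row (id='299') the inline FAQ link uses target='blank' while every other link in this table uses target='_blank'; 'blank' is a named browsing context rather than the new-tab keyword, so the link opens, and later reuses, a window literally called "blank". Change it to target='_blank'. All of these links open external origins in a new tab, so adding rel='noopener' alongside target='_blank' would also stop the opened page from reaching window.opener. Separately, the rollout row (id='262') omits the <div> wrapper the other rows put around their body text, so it will render with different spacing.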

@ -114,5 +114,5 @@ The following table provides links to additional resources that are related to s
| Content type | References |
|---------------|-------------|
| **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)<br>[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
| **Related technologies** | [Security Principals](security-principals.md)<br>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
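Review bot: the http to https change for the blogs.technet.com link is right, but the Deployment row's link text is the scraped browser title ('... - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs'); since the row is being edited, trim it to the post title, 'Windows Server 2012: Group Managed Service Accounts', so it matches the style of the other rows.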

@ -65,7 +65,7 @@ This policy setting controls the behavior of the elevation prompt for standard u
This policy setting controls the behavior of application installation detection for the computer.

- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or System Center Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary.
- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary.

## User Account Control: Only elevate executable files that are signed and validated
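Review bot: the renamed Disabled bullet keeps the ungrammatical 'App installation packages are not detected and prompted for elevation'; it is the user who is prompted, so rewrite as 'App installation packages are not detected, and the user is not prompted for elevation.' A comma after 'Configuration Manager' is also missing before 'should disable'. It would help readers to say what disabling costs: an installer that needs administrative rights then simply fails under a standard user token, which is why the bullet scopes its advice to environments that install through Group Policy or Configuration Manager.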

@ -38,9 +38,9 @@ The Create command sets up new virtual smart cards on the user’s system. It re
| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT** Prompts the user to enter a value for the administrator key.<br>**RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
| /PIN | Indicates desired user PIN value.<br>**DEFAULT** Specifies the default PIN of 12345678.<br>**PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.<br>**DEFAULT** Specifies the default PUK of 12345678.<br>**PROMPT** Prompts the user to enter a PUK at the command line. |
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft System Center Configuration Manager. |
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
| /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:<br>**minlen** <minimum PIN length><br> If not specificed, defaults to 8. The lower bound is 4.<br>**maxlen** <maximum PIN length><br> If not specificed, defaults to 127. The upper bound is 127.<br>**uppercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**lowercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**digits** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**specialchars** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br><br>When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:<br>**minlen** <minimum PIN length><br> If not specified, defaults to 8. The lower bound is 4.<br>**maxlen** <maximum PIN length><br> If not specified, defaults to 127. The upper bound is 127.<br>**uppercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**lowercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**digits** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**specialchars** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br><br>When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:<br>**AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.<br>**AIK_ONLY** Creates an AIK but does not obtain an AIK certificate. |
| /? | Displays Help for this command. |
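Review bot: only the 'specificed' typo is fixed in this table, but the table documents publicly known defaults (AdminKey 010203040506070801020304050607080102030405060708, PIN and PUK 12345678) with no warning. The /AdminKey row itself says the administrator key can reset the card PIN, so any card created with the DEFAULT admin key can have its PIN reset by anyone who has read this page; add a note recommending PROMPT or RANDOM (with the key escrowed in the smart card management system the /generate row mentions) for production cards, and a matching caution on the DEFAULT PUK. The /PUK row also says 'If the parameter is omitted, the card is created without a PUK' before listing DEFAULT and PROMPT; move that sentence after the options so it is clear DEFAULT applies only when /PUK is supplied.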

@ -48,7 +48,7 @@ Virtual smart cards can also be created and deleted by using APIs. For more info

- [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx)

You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).

The following table describes the features that can be developed in a Microsoft Store app:
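Review bot: both the old and the new line name the namespace 'Windows.Device.SmartCards'; the WinRT namespace is Windows.Devices.SmartCards (plural 'Devices'), so fix the spelling in the same edit that moves the Channel 9 link to https, otherwise a reader searching the API reference for the singular form finds nothing.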

@ -20,7 +20,7 @@ ms.date: 05/17/2018
- Windows 10
- Windows 10 Mobile

Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or System Center Configuration Manager. All VPN settings in Windows 10 can be configued using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
Most of the VPN settings in Windows 10 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).

>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers) first.

@ -47,8 +47,8 @@
##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
#### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)
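Review bot: besides the rename, this hunk moves the 'Create and verify an EFS Data Recovery Agent (DRA) certificate' and 'Determine the Enterprise Context of an app running in WIP' entries out from under the Intune node and parks them under the Configuration Manager node. The DRA page is not Configuration Manager specific (its own note in this PR says the certificate is used for Intune policies both with MDM and with MAM), so Intune readers lose their only TOC path to it. Either list the two pages under both nodes or lift them one level so they sit beside the two management-tool sections.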

@ -126,13 +126,13 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage

* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
* Provides centralized reporting and hardware management with Microsoft Microsoft Endpoint Configuration Manager.
* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
* Enables security officers to easily audit access to recovery key information.
* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as System Center Configuration Manager.
* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience.
* Supports Windows 10.
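Review bot: the replacement bullet reads 'Microsoft Microsoft Endpoint Configuration Manager'; the search-and-replace of 'System Center Configuration Manager' doubled the word because the original line already began with 'Microsoft'. Drop the extra 'Microsoft'. Worth a grep across the PR for the same doubled prefix, since the later 'Integrates with existing management tools' bullet in this hunk did not have it and is fine.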

@ -109,9 +109,9 @@ list volume
```


If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from System Center Configuration Manager).
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).




#### Step 2: Verify the status of WinRE
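Review bot: all three screenshots in this hunk have empty alt text (`![](images/4077955-diskpart-list-volume.png)` and the two `4077955-sccm-imageconfiguration` images); give each a short description such as 'diskpart list volume output showing volume status' and 'disk configuration of the Windows image in Configuration Manager' so the page stays accessible. The renamed caption now says Microsoft Endpoint Configuration Manager while the image file names keep the 'sccm' prefix; that is fine for file names, but check that the captured dialog does not need re-shooting under the new branding.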

@ -47,7 +47,7 @@ The recovery process included in this topic only works for desktop devices. WIP
>[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.

4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md).
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md).

> [!NOTE]
> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
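Review bot: step 4 tells the reader to add 'your EFS DRA certificate' to the policy one paragraph after the Important box says the .pfx private key must be kept offline, but never says which file goes into the policy. State explicitly that the policy takes the exported public certificate (the .cer) and that the .pfx is never uploaded to Intune or Configuration Manager; otherwise a reader following the two paragraphs literally could ship the recovery private key to every managed device along with the policy.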
@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp

- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)

- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)

- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)

@ -25,7 +25,7 @@ ms.date: 01/09/2020
- Windows 10 Mobile, version 1607 and later
- Microsoft Endpoint Configuration Manager

Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.

## Add a WIP policy
After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
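Review bot: the rename is applied inconsistently within this file. The intro sentence is changed to 'Microsoft Endpoint Configuration Manager', which is right for the first mention after the 'Applies to' list, but the very next paragraph ('After you've installed and set up Configuration Manager') and, further down, the step 4 bullet and the AppLocker import heading keep the short form, while the mid-page step 4 sentence is expanded to the full name. Pick one rule, normally the full product name on first mention and 'Configuration Manager' afterwards, and apply it across the page instead of replacing only the lines that happened to contain 'System Center'.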

@ -46,7 +46,7 @@ The **Create Configuration Item Wizard** starts.

3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.

4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**.

- **Settings for devices managed with the Configuration Manager client:** Windows 10

@ -65,7 +65,8 @@ The **Create Configuration Item Wizard** starts.
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.

## Add app rules to your policy
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.

During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.

The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.

@ -298,9 +299,10 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
</RuleCollection>
</AppLockerPolicy>
```
12. After you’ve created your XML file, you need to import it by using Configuration Manager.
12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager.

**To import your Applocker policy file app rule using Configuration Manager**

1. From the **App rules** area, click **Add**.

The **Add app rule** box appears.
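Review bot: the procedure heading right after the renamed step 12, '**To import your Applocker policy file app rule using Configuration Manager**', misspells AppLocker (capital L, as in the `</AppLockerPolicy>` closing tag two lines above and in the hunk header) and keeps the short product name one line after step 12 was expanded to the full name; fix both in this hunk so the heading and the step it introduces agree.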

@ -86,7 +86,7 @@ Microsoft still has apps that are unenlightened, but which have been tested and
> [!NOTE]
> As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps.

You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Endpoint Configuration Manager.


| Product name | App info |

@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas
- Auto labelling requires Windows 10, version 1903
- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md)
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md)
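Review bot: 'Auto labelling' in the first bullet of this list is the British spelling; the same list says 'Sensitivity labels' and the docs use US English, so change it to 'Auto labeling' while the list is being edited.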

@ -114,7 +114,7 @@ This table provides info about the most common problems you might encounter whil
<li>SavedGames</li>
</ul>
</td>
<td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager.</td>
<td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
<td>Don’t set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can't open files offline when you use Offline Files and Windows Information Protection</a>.
</td>
</tr>

@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
description: System Center Configuration Manager helps you create & deploy your enterprise data protection (WIP) policy.
title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10

@ -17,17 +17,17 @@ ms.topic: conceptual
ms.date: 02/26/2019
---

# Create a Windows Information Protection (WIP) policy using System Center Configuration Manager
# Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:**

- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later

System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.

## In this section
|Topic |Description |
|------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
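Review bot: the DRA row of the 'In this section' table reads 'using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate'; change 'a' to 'an'. The H1 and intro now carry the new product name, but ms.date in the hunk context still says 02/26/2019; bump it with the rename so the published page reflects the revision.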

@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy.
description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
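Review bot: the new description 'Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy...' has a compound subject, so 'helps' should be 'help' (the old line had the same error). This Intune page also carries ms.assetid d2059e74-94bd-4e54-ab59-1a7b9b52bdc6, the same value as the Configuration Manager overview page in this PR; asset IDs are meant to be unique per page, so one of the two files needs a fresh GUID.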
|
||||
|
@ -42,7 +42,7 @@ You’ll need this software to run WIP in your enterprise:
|
||||
|
||||
|Operating system | Management solution |
|
||||
|-----------------|---------------------|
|
||||
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.|
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>Microsoft Endpoint Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
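Review bot: the rewritten table row changes only the product name, which is correct, but two things in the same cell are worth fixing while it is being touched: "If your 3rd party MDM does not have UI support for the policies" does not say which policies, so write "the WIP policies"; and the `[EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx)` link still points at a legacy msdn.microsoft.com path, so since the other hunks in this commit are already updating link hosts, check whether this one should move to its current docs location too.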
@ -79,7 +79,7 @@ WIP provides:
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
## Why use WIP?
WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
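Review bot: the note's second sentence is the important one and is easy to miss as written: "Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device." A factory reset is not the selective revocation described in the bullet above it (revoke enterprise data "while leaving personal data alone"), so the note should say plainly that this path resets the whole device rather than removing only the enterprise data, and it reads better as two `>` lines than as one line joined with `<br>`.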
@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><br><br>
<ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager</a>, based on your deployment system.</li>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-sccm.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
</ul>
<strong>For mobile:</strong><br><br>
<ol>
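Review bot: the link text and the `data-raw-source` attribute are updated together, which keeps the rendered link and its markdown source consistent. While this `<li>` is being edited, the sentence "Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption" needs a comma after `%programfiles%`, and the step "Make sure the document is encrypted to your Enterprise Identity" tells the tester what to verify but not where to look; name where the enterprise identity is shown for the file so the scenario is repeatable.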
@ -291,7 +291,7 @@
#### [Manage antivirus in your business]()
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
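Review bot: the `mpcmdrun.exe commandline tool` entry in this hunk's context spells it "commandline", while the next-generation protection entries further down in the same TOC say "command line tool"; both point at the same `command-line-arguments-windows-defender-antivirus.md` topic, so normalise to one spelling.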
@ -318,12 +318,11 @@
#### [Manage next-generation protection in your business]()
##### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Group Policy settings to manage next-generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to manage next-generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next-generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
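Review bot: the five replacement entries drop the hyphen from "next-generation" ("manage next generation protection") although only the product name in the first entry needed changing; the parent heading `#### [Manage next-generation protection in your business]()` and the unchanged Group Policy, PowerShell, WMI and mpcmdrun.exe entries they replace all use the hyphenated form. Restore "next-generation" in the new lines so the rename hunk does not carry an unrelated wording regression.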
@ -355,7 +354,7 @@
##### [Onboard Windows 10 machines]()
###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
###### [Onboard machines using System Center Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
###### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
@ -25,9 +25,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
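Review bot: all three rows answer the 4703 noise problem the same way, either avoid Success auditing for this whole subcategory or filter 4703 in the event-management software, yet this same commit adds the Audit Token Right Adjusted topic (`title: Audit Token Right Adjusted`), whose description covers exactly the token privilege adjustments that 4703 records. The Comments cells should point readers to that topic so they can keep Success auditing for Authorization Policy Change (the user rights and Central Access Policy changes these rows call useful) and tune 4703 separately instead of losing both. The three cells are otherwise identical apart from Computer Type, so whatever wording is chosen has to be applied three times.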
@ -1,6 +1,11 @@
---
title: Audit Token Right Adjusted (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
manager: dansimp
author: dansimp
ms.author: dansimp
ms.pagetype: security
ms.prod: w10
---
# Audit Token Right Adjusted
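Review bot: the added front matter (`manager`, `author`, `ms.author`, `ms.pagetype`, `ms.prod`) does not include the `ms.reviewer:` key that the other front matter block touched in this commit carries; check it against the repo's metadata template before merging so the page does not fail validation. The `description:` is also one 40-word sentence; a shorter form such as "Describes the Audit Token Right Adjusted setting, which controls whether audit events are generated when the privileges of a token change" reads better where descriptions are displayed.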
@ -16,9 +21,9 @@ For more information, see [Security Monitoring: A Possible New Way to Detect Pri
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
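Review bot: in the Comments cells, "As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges" repeats almost word for word the condition given one sentence earlier ("if you are using an application or system service that dynamically adjusts token privileges"); the text was carried over from the Authorization Policy Change table, where the earlier sentence referred to the AdjustPrivilegesToken API instead, so the repetition is new here. Drop the duplicate sentence in all three rows, and keep this table and the Authorization Policy Change one in sync when either is edited.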
@ -158,7 +158,7 @@ This event generates when a logon session is created (on destination machine). I
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
Reference: <http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx>.
Reference: <https://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx>.
If not a **RemoteInteractive** logon, then this will be "-" string.
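Review bot: the `Reference:` line changes only the scheme, which is fine, but the bullet above it abbreviates "Win8.1/2012R2" and "Win10" where the event reference pages otherwise spell out product names; write "Windows 8.1 / Windows Server 2012 R2" and "Windows 10". The blog post is also the only explanation of the field on the page; a one-line summary of what the Yes/No flag means, inline, keeps the bullet useful if the link goes stale.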
@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:***
This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
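Review bot: the last sentence of the rewritten paragraph still says "you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change)", but this commit also adds the Audit Token Right Adjusted topic, whose description covers changes to the privileges of a token, which is what this event records; the parenthetical should name that subcategory (or both) so readers do not switch off Authorization Policy Change auditing just to silence 4703. Minor: "svchost.exe" is bold in the table versions of this text and plain here.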
@ -185,7 +185,7 @@ Token privileges provide the ability to take certain system-level actions that y
For 4703(S): A user right was adjusted.
As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
Otherwise, see the recommendations in the following table.
@ -30,7 +30,7 @@ This event generates each time the [Password Policy Checking API](https://msdn.m
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
This event, for example, generates during Directory Services Restore Mode ([DSRM](http://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password.
This event, for example, generates during Directory Services Restore Mode ([DSRM](https://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password.
This event generates on the computer where Password Policy Checking API was called.
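Review bot: the http-to-https change on the DSRM link is fine; since the line is being rewritten anyway, "account password reset procedure to check new DSRM password" reads better as "account password reset procedure, to check the new DSRM password".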
@ -34,7 +34,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
More information about Special Groups auditing can be found here:
<http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx>
<https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx>
<https://support.microsoft.com/kb/947223>
@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:***
This event generates when [resource attributes](http://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed.
This event generates when [resource attributes](https://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed.
Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab).
@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:***
This event occurs when an account that is a member of any defined [Special Group](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in.
This event occurs when an account that is a member of any defined [Special Group](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@ -94,7 +94,7 @@ This event occurs when an account that is a member of any defined [Special Group
> S-1-5-32-544;S-1-5-32-123-54-65
> For more information see: <http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx>
> For more information see: <https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx>
***Field Descriptions:***
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
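Review bot: the two download links correctly lose the `en-us` locale segment and move to https, but the unchanged first bullet still points at `https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx`, a host that only redirects today; consider retargeting it to the docs.microsoft.com page it resolves to while this list is being edited. The same comment applies to the ten CNG hunks that follow this one, which differ only in the MSDN page they cite.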
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -26,9 +26,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -28,9 +28,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <http://www.microsoft.com/en-us/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <http://www.microsoft.com/en-us/download/details.aspx?id=30688>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
@ -43,7 +43,7 @@ To enable HVCI on Windows 10 devices with supporting hardware throughout an ente
- [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy)
- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Microsoft Endpoint Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
### Windows Security app
@ -40,7 +40,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
**Does SCT support the creation of System Center Configuration Manager (SCCM) DCM packs?**
**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?**
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
@ -81,7 +81,7 @@ The "engine version" of attack surface reduction events in the event log, is gen
## Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
Rule name | GUID | File & folder exclusions
-----------|------|--------------------------
@ -110,11 +110,11 @@ This rule blocks the following file types from launching from email in Microsoft
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
SCCM name: Block executable content from email client and webmail
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
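Review bot: inconsistent replacement label in this rule block: it is rewritten to "Microsoft Endpoint Configuration Manager CB 1710" and "Microsoft Endpoint Configuration Manager name:", whereas every other rule in this file is rewritten to "Configuration Manager CB 1710" and "Configuration Manager name:". Pick one form for all the per-rule blocks; the shorter one already matches the rest of the file.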
@ -124,11 +124,11 @@ This rule blocks Office apps from creating child processes. This includes Word,
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
Intune name: Office apps launching child processes
SCCM name: Block Office application from creating child processes
Configuration Manager name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
@ -138,11 +138,11 @@ This rule prevents Office apps, including Word, Excel, and PowerPoint, from crea
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
Configuration Manager name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
@ -152,11 +152,11 @@ Attackers might attempt to use Office apps to migrate malicious code into other
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
Intune name: Office apps injecting code into other processes (no exceptions)
SCCM name: Block Office applications from injecting code into other processes
Configuration Manager name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
@ -169,11 +169,11 @@ Malware written in JavaScript or VBS often acts as a downloader to fetch and lau
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
@ -181,11 +181,11 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
Configuration Manager name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
@ -193,11 +193,11 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
Configuration Manager name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
@ -215,11 +215,11 @@ This rule blocks the following file types from launching unless they either meet
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
@ -230,11 +230,11 @@ This rule provides an extra layer of protection against ransomware. It scans exe
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
Configuration Manager name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
@ -245,11 +245,11 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
@ -261,13 +261,13 @@ This rule blocks processes through PsExec and WMI commands from running, to prev
> File and folder exclusions do not apply to this attack surface reduction rule.
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
Configuration Manager name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
@ -278,11 +278,11 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
Intune name: Untrusted and unsigned processes that run from USB
SCCM name: Block untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
@ -297,7 +297,7 @@ This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Serve
Intune name: Process creation from Office communication products (beta)
SCCM name: Not yet available
Configuration Manager name: Not yet available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
@ -309,7 +309,7 @@ This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Serve
Intune name: Process creation from Adobe Reader (beta)
SCCM name: Not yet available
Configuration Manager name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
@ -321,7 +321,7 @@ This rule was introduced in: Windows 10 1903, Windows Server 1903
Intune name: Block persistence through WMI event subscription
SCCM name: Not yet available
Configuration Manager name: Not yet available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
@ -1,7 +1,7 @@
---
title: Configure Threat & Vulnerability Management in Microsoft Defender ATP
ms.reviewer:
description: Configuring TVM's integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) helps security and IT admins collaborate seamlessly
description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft Endpoint Configuration Manager integrations.
keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM
search.product: Windows 10
search.appverid: met150
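Review bot: the new description writes the product as "Microsoft intune" with a lowercase name; it should be "Microsoft Intune". The unchanged keywords line directly below still reads "Microsft Intune" and "SCCM integration with TVM", so both the typo and the old product name survive in this front matter; fix them while the block is open.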
@ -23,16 +23,16 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation.
This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft Endpoint Configuration Manager for a seamless collaboration of issue remediation.
### Before you begin
> [!IMPORTANT]
> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.</br>
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM).
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.
>[!WARNING]
>Only Intune and SCCM enrolled devices are supported in this scenario.</br>
>Only Intune and Microsoft Endpoint Configuration Manager enrolled devices are supported in this scenario.</br>
>Use any of the following options to enroll devices in Intune:
>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
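Review bot: the rewritten warning line keeps the trailing `</br>` tag, which is not valid HTML (`br` has no closing form), and the same `</br>` ends the IMPORTANT note above it; replace it with `<br>` or drop it, since the following bullets are already separate quote lines. While here, the unchanged "For more information on how to enabling auto-enrollment" should read "how to enable auto-enrollment".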
@ -23,7 +23,7 @@ ms.date: 07/01/2018
You can configure attack surface reduction with a number of tools, including:
* Microsoft Intune
* System Center Configuration Manager
* Microsoft Endpoint Configuration Manager
* Group Policy
* PowerShell cmdlets
@ -150,7 +150,7 @@ With Group Policy there isn’t an option to monitor deployment of policies on t
## Related topics
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
@ -86,7 +86,7 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using System Center Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines, sccm
title: Onboard Windows 10 machines using Configuration Manager
description: Use Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
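Review bot: the new title and description say "Configuration Manager", but the two related-topics hunks in this same change link to this file (configure-endpoints-sccm.md) with the text "Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager"; align the page title with the link text so readers land on a page whose heading matches what they clicked. The keywords line drops the trailing "sccm" but keeps "onboard machines using sccm", which is fine for search.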
@ -15,43 +15,34 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/11/2018
ms.date: 02/07/2020
---
# Onboard Windows 10 machines using System Center Configuration Manager
# Onboard Windows 10 machines using Configuration Manager
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- System Center 2012 Configuration Manager or later versions
- Microsoft Endpoint Configuration Manager current branch
- System Center 2012 R2 Configuration Manager
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
<span id="sccm1606"/>
## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see <a href="https://go.microsoft.com/fwlink/p/?linkid=823682" data-raw-source="[Support for Microsoft Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682)">Support for Microsoft Defender Advanced Threat Protection service</a>.
>[!NOTE]
> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
> Starting with version 1606 of Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) for ATP configuration.
## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager current branch
|
||||
|
||||
Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
|
||||
|
||||
<span id="sccm1602"/>
|
||||
## Onboard Windows 10 machines using System Center Configuration Manager earlier versions
|
||||
You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions:
|
||||
|
||||
- System Center 2012 Configuration Manager
|
||||
- System Center 2012 R2 Configuration Manager
|
||||
- System Center Configuration Manager (current branch), version 1511
|
||||
- System Center Configuration Manager (current branch), version 1602
|
||||
## Onboard Windows 10 machines using earlier versions of System Center Configuration Manager
|
||||
|
||||
You can use existing Configuration Manager functionality to create a policy to configure your machines. This action is supported in System Center 2012 R2 Configuration Manager.
|
||||
|
||||
### Onboard machines using System Center Configuration Manager
|
||||
|
||||
|
||||
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
|
||||
1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
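Review bot: deleting the `<span id="sccm1606"/>` anchor together with its section breaks any inbound deep link to `#sccm1606`, while the `<span id="sccm1602"/>` anchor is kept above a heading that no longer mentions version 1602 and a paragraph that now lists only System Center 2012 R2; either keep a `sccm1606` span on the new current-branch section and drop `sccm1602` as well, or leave both in place with a short note. The removed 1606 NOTE also carried the only statement that a 1606 client must be upgraded to match a 1610 or later server; if that constraint still holds for current branch, move it into the new "Microsoft Endpoint Configuration Manager current branch" section rather than dropping it silently. Likewise, the "earlier versions" section silently drops System Center 2012 (non-R2), 1511 and 1602 from the supported list; a one-line statement that these are no longer covered would help readers landing here from older links.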
@ -63,7 +54,7 @@ You can use existing System Center Configuration Manager functionality to create
|
||||
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
|
||||
|
||||
3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
|
||||
3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
|
||||
|
||||
a. Choose a predefined device collection to deploy the package to.
|
||||
|
||||
@ -72,8 +63,16 @@ You can use existing System Center Configuration Manager functionality to create
|
||||
|
||||
>[!TIP]
|
||||
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
|
||||
>
|
||||
> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a machine has been onboarded. An application is a different type of object than a package and program.
|
||||
> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the machine until the rule detects the status change.
|
||||
>
|
||||
> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
|
||||
> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status".
|
||||
For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682159\(v=technet.10\)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
|
||||
|
||||
### Configure sample collection settings
|
||||
|
||||
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
|
||||
|
||||
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
|
||||
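Review bot: the closing line of the new TIP, "For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](...)", is missing the `>` prefix, so it renders as a separate paragraph outside the callout; prefix it with `> ` like the lines above it. In the added text, "Configuration Manager will retry to onboard the machine" reads better as "will retry onboarding the machine", and since the rule compares a REG_DWORD, phrase it as "equals 1 (REG_DWORD)" so it lines up with the compliance-rule snippet later in this file, which currently shows the value in quotes. Unchanged context worth fixing while here: "verify that an machine is properly onboarded" should be "verify that a machine".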
@ -94,17 +93,23 @@ Possible values are:
|
||||
|
||||
The default value in case the registry key doesn’t exist is 1.
|
||||
|
||||
For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
|
||||
For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
|
||||
|
||||
|
||||
|
||||
## Offboard machines using System Center Configuration Manager
|
||||
## Offboard machines using Configuration Manager
|
||||
|
||||
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
|
||||
> [!NOTE]
|
||||
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
|
||||
|
||||
### Offboard machines using Microsoft Endpoint Configuration Manager current branch
|
||||
|
||||
If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
|
||||
|
||||
### Offboard machines using System Center 2012 R2 Configuration Manager
|
||||
|
||||
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Offboarding**.
|
||||
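Review bot: renaming the heading to "Offboard machines using Configuration Manager" changes its generated anchor from `#offboard-machines-using-system-center-configuration-manager`, and the offboarding index page edited in this same change set still links to the old fragment; either keep the old wording or add an explicit `<span id="offboard-machines-using-system-center-configuration-manager"/>` under the new heading. The unchanged sentence "You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting" now sits in a procedure that the rewritten link below it scopes to System Center 2012 R2; make it "a compliance rule for a configuration item in System Center 2012 R2 Configuration Manager" for consistency. Minor, in the expiry paragraph: "sent to an machine" should be "sent to a machine" and "the packages expiry date" should be "the package's expiry date".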
@ -117,7 +122,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
|
||||
|
||||
3. Deploy the package by following the steps in the [Packages and Programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs) topic.
|
||||
3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
|
||||
|
||||
a. Choose a predefined device collection to deploy the package to.
|
||||
|
||||
@ -125,16 +130,19 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
|
||||
|
||||
|
||||
### Monitor machine configuration
|
||||
Monitoring with SCCM consists of two parts:
|
||||
## Monitor machine configuration
|
||||
|
||||
If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
|
||||
|
||||
If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
|
||||
|
||||
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
|
||||
|
||||
2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
|
||||
|
||||
**To confirm the configuration package has been correctly deployed:**
|
||||
### Confirm the configuration package has been correctly deployed
|
||||
|
||||
1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
|
||||
1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
|
||||
|
||||
2. Click **Overview** and then **Deployments**.
|
||||
|
||||
@ -142,12 +150,13 @@ Monitoring with SCCM consists of two parts:
|
||||
|
||||
4. Review the status indicators under **Completion Statistics** and **Content Status**.
|
||||
|
||||
If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
|
||||
If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
|
||||
|
||||

|
||||

|
||||
|
||||
**Check that the machines are compliant with the Microsoft Defender ATP service:**<br>
|
||||
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
|
||||
### Check that the machines are compliant with the Microsoft Defender ATP service
|
||||
|
||||
You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
|
||||
|
||||
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
|
||||
|
||||
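Review bot: the removed and re-added "If there are failed deployments..." lines are identical as rendered, so this is presumably a trailing-whitespace or line-ending change only; fine, but confirm nothing else was intended. Since the line is being touched anyway: "For more information see," should read "For more information, see", and the bold should cover only **Failed**, not "Failed statuses", to match the other two status names in the same sentence.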
@ -157,7 +166,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
|
||||
Name: “OnboardingState”
|
||||
Value: “1”
|
||||
```
|
||||
For more information about System Center Configuration Manager Compliance see [Get started with compliance settings in System Center Configuration Manager](https://docs.microsoft.com/sccm/compliance/get-started/get-started-with-compliance-settings).
|
||||
For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
|
||||
|
||||
## Related topics
|
||||
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
|
||||
|
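Review bot: the compliance-rule snippet lists `Value: "1"` in quotes, which reads as a string value, whereas the TIP added earlier in this file states that OnboardingState is a REG_DWORD; add the data type to the snippet (for example a `Type: REG_DWORD` line) or say it in the sentence above so that administrators build the configuration item as an integer comparison rather than a string comparison, otherwise the non-remediating rule will not evaluate as intended.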
@ -136,7 +136,7 @@ Monitoring can also be done directly on the portal, or by using the different de
|
||||
|
||||
## Related topics
|
||||
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
|
||||
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md)
|
||||
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
|
||||
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
|
||||
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
|
||||
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
|
||||
|
@ -97,7 +97,7 @@ The following steps will guide you through onboarding VDI machines and will high
|
||||
|
||||
## Related topics
|
||||
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
|
||||
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm.md)
|
||||
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
|
||||
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
|
||||
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
|
||||
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
|
||||
|
@ -122,7 +122,7 @@ If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP
|
||||
|
||||
## Microsoft Defender ATP service backend IP range
|
||||
|
||||
If your network devices don't support the URLs white-listed in the prior section, you can use the following information.
|
||||
If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information.
|
||||
|
||||
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
|
||||
|
||||
|
@ -56,7 +56,7 @@ You can exclude files and folders from being evaluated by most attack surface re
|
||||
|
||||
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
|
||||
|
||||
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
|
||||
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
|
||||
|
||||
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
|
||||
|
||||
@ -76,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to
|
||||
|
||||
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
|
||||
|
||||
The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules).
|
||||
The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
|
||||
|
||||
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
|
||||
|
||||
@ -186,4 +186,4 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
|
||||
|
||||
* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
|
||||
* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
|
||||
* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
|
||||
* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
|
||||
|
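Review bot: the relinked "Enable cloud-delivered protection" bullet now points at `../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md`, which is the file-exclusions topic, not the cloud-protection topic; the absolute URL being replaced targets `enable-cloud-protection-windows-defender-antivirus`, so the relative link should be `../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md`.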
@ -56,7 +56,7 @@ For more information on how to configure exclusions from JAMF, Intune, or anothe
|
||||
|
||||
Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
|
||||
|
||||

|
||||

|
||||
|
||||
Select the type of exclusion that you wish to add and follow the prompts.
|
||||
|
||||
|
@ -294,27 +294,28 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
|
||||
2. Select **App type=Other/Line-of-business app**.
|
||||
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
|
||||
4. Select **Configure** and add the required information.
|
||||
5. Use **macOS High Sierra 10.13** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
|
||||
5. Use **macOS High Sierra 10.13** as the minimum OS.
|
||||
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
|
||||
|
||||
> [!CAUTION]
|
||||
> Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
|
||||
> Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
|
||||
|
||||

|
||||
|
||||
6. Select **OK** and **Add**.
|
||||
7. Select **OK** and **Add**.
|
||||
|
||||

|
||||
|
||||
7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
|
||||
8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
|
||||
|
||||

|
||||
|
||||
8. Change **Assignment type** to **Required**.
|
||||
9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
|
||||
9. Change **Assignment type** to **Required**.
|
||||
10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
|
||||
|
||||

|
||||
|
||||
10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
|
||||
11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
|
||||
|
||||

|
||||
|
||||
|
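Review bot: the rewritten CAUTION packs the explanation of the downgrade risk and the recovery procedure into one long paragraph; splitting the last two sentences into their own lines inside the callout ("If you deployed Defender with *Ignore app version* set to **No**, change it to **Yes**." and "If Defender still cannot be installed on a client machine, uninstall Defender and push the updated policy.") makes the remediation easy to find. In the renumbered step 10, "Click **Select group to include**" mixes "Click" with the "Select" wording used in the rest of the list; use "Select" throughout.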
@ -34,7 +34,6 @@ Follow the corresponding instructions depending on your preferred deployment met
|
||||
## Offboard Windows 10 machines
|
||||
- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)
|
||||
- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy)
|
||||
- [Offboard machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager)
|
||||
- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools)
|
||||
|
||||
## Offboard Servers
|
||||
|
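Review bot: the renamed bullet still links to `configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager`, but this same change set renames that heading to "Offboard machines using Configuration Manager", whose generated anchor is `#offboard-machines-using-configuration-manager`; update the fragment (or add an explicit span with the old id on the target page), otherwise the link lands at the top of the page.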
@ -70,7 +70,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
|
||||
|
||||
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
|
||||
|
||||
4. Click **Next** to assign the role to an Azure AD group.
|
||||
4. Click **Next** to assign the role to an Azure AD Security group.
|
||||
|
||||
5. Use the filter to select the Azure AD group that you'd like to add to this role.
|
||||
|
||||
|
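Review bot: step 4 is changed to "Azure AD Security group" but the unchanged step 5 directly below still says "select the Azure AD group"; update step 5 to match, and consider lowercase "security group" since it is a group type, not a product name.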
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Web protection
|
||||
description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
|
||||
keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
|
||||
keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -36,7 +36,7 @@ Web threat protection includes:
|
||||
|
||||
## Web content filtering
|
||||
|
||||
The cards that make up web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
|
||||
The cards that comprise web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
|
||||
|
||||
Web content filtering includes:
|
||||
- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
|
||||
|
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 07/13/2017
|
||||
ms.date: 2/6/2020
|
||||
---
|
||||
|
||||
# Increase scheduling priority
|
||||
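Review bot: `ms.date: 2/6/2020` is not zero-padded, while the other file in this change set uses `02/07/2020`; use the MM/DD/YYYY form consistently so the metadata sorts and validates the same way across topics.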
@ -75,11 +75,11 @@ A user who is assigned this user right could increase the scheduling priority of
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Verify that only Administrators and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them.
|
||||
Verify that only Administrators and Window Manager\Window Manager Group have the **Increase scheduling priority** user right assigned to them.
|
||||
|
||||
### Potential impact
|
||||
|
||||
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration.
|
||||
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration.
|
||||
|
||||
> [!Warning]
|
||||
> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
|
||||
|