From 1b4e38f020f548601e4db8961994ef0c52080f21 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 15:27:47 +0530 Subject: [PATCH 01/18] Update policy-csp-settings.md --- .../mdm/policy-csp-settings.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 69c7b52c83..c595c0b078 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -29,6 +29,9 @@ manager: dansimp
Settings/AllowDateTime
+
+ Settings/AllowEditDeviceName +
Settings/AllowLanguage
@@ -266,6 +269,68 @@ The following list shows the supported values:
+ +**Settings/AllowEditDeviceName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy disables edit device name option on Settings. + + + + +Describes what value are supported in by this policy and meaning of each value, default value. + + + + +
+ **Settings/AllowLanguage** From 61fa2b89662ef007259e506b1830a5442694d41d Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 19:37:26 +0530 Subject: [PATCH 02/18] Notification update --- .../mdm/policy-csp-notifications.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 643ef3e681..7ba7ed964f 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -31,6 +31,9 @@ manager: dansimp
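Review bot: In the second hunk of PATCH 01/18, the supported-values paragraph of the new Settings/AllowEditDeviceName section is still template text ("Describes what value are supported in by this policy and meaning of each value, default value.") and has to be replaced with the real value list and the default before this merges. The one-line description ("This policy disables edit device name option on Settings.") only describes the restrictive state; write it as "This policy controls whether the user can edit the device name in Settings" and then list each value, which one blocks editing, and which one is the default, so an admin can tell what an unconfigured device does. Also note the scope here is "Device" while the Notifications/WnsEndpoint section added later in this same series uses "Machine"; the two new sections should use the same scope wording.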
Notifications/DisallowTileNotification
+
+ Notifications/WnsEndpoint +
@@ -280,5 +283,77 @@ Validation:
+ +**Notifications/WnsEndpoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications. + +If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. + +Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings. + + + +ADMX Info: +- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint* +- GP name: *WnsEndpoint* +- GP path: *Start Menu and Taskbar/Notifications* +- GP ADMX file name: *WPN.admx* + + + +If the policy is not specified, we will default our connection to client.wns.windows.com. + + + +
+ \ No newline at end of file From 6eb3154a08d2dba2f155e3681e5b1d0f38bcd837 Mon Sep 17 00:00:00 2001 From: takondo Date: Thu, 30 Dec 2021 05:07:17 +0900 Subject: [PATCH 03/18] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 1. Fix typo in "Notes" section under "Possible values" and add wording to make condition clearer. 2. This setting is enabled by default on Windows 10 1607 and newer. Make changes accordingly. 3. Update [Best practices]. Currently, the [best practices] state that the policy should be disabled. However, this is the best practice from Server 2008 R2 era and is old suggestion. The [Security considerations] section addresses this and specifies that the policy should be enabled for hybrid environments, but the [Best practices] section has not been updated. --- ...requests-to-this-computer-to-use-online-identities.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 7b4fd7fe4b..b41c905d78 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
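Review bot: In the Notifications/WnsEndpoint hunk, the ADMX "GP Friendly name" field holds a sentence ("Required for Airgap servers that may have a unique FQDN that is different from the public endpoint") rather than the policy's display name; move that text into the description and put the actual friendly name in the field. The default (client.wns.windows.com) is stated twice, in "If you disable or do not configure this setting..." and again in the closing "If the policy is not specified, we will default our connection to client.wns.windows.com."; keep one. The value format is never documented: say whether the CSP expects a bare FQDN or a full URL, and whether a port can be given, and state what validation the client performs on the configured endpoint (for example that the TLS certificate must chain to a trusted root), since this setting redirects the push channel to an operator-chosen host. Replace "whitelisted from your firewall settings" with "allowed through your firewall", and add the missing trailing newline flagged by "\ No newline at end of file".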
@@ -34,14 +34,14 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 up to Windows 10 1607. This policy is enabled by default on Windows 10 1607 and newer. ### Possible values - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. + > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. 
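Review bot: The rewritten sentence in this hunk reads as contradictory: it says the policy "isn't configured by default on domain-joined devices" and then that it "is enabled by default on Windows 10 1607 and newer". Say instead that the policy is Not Defined by default and that the effective behaviour when Not Defined is Disabled before Windows 10 1607 and Enabled from 1607 on. "in Windows 7 up to Windows 10 1607" is also ambiguous about whether 1607 is included; since the next sentence makes 1607 the Enabled side, write "prior to Windows 10, version 1607". The PKU2U typo fix and the added "If PKU2U is disabled," condition in the note are good.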
@@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD joined environments. ### Location @@ -66,7 +66,8 @@ The following table lists the effective default values for this policy. Default | Stand-alone server default settings | Not defined| | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| -| Effective GPO default settings on client computers | Disabled| +| Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| +| Effective GPO default settings on client computers Windows 10 1607 and newer | Enabled| ## Security considerations From a9289ad95f211dd7021eb3f3fa63244fb52db5f9 Mon Sep 17 00:00:00 2001 From: v-chodges <96920257+v-chodges@users.noreply.github.com> Date: Fri, 31 Dec 2021 10:49:56 -0600 Subject: [PATCH 04/18] Edit Notes: ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue It is recommended not to set the value below 2 days to avoid machines to go out of date. --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index ea7d8bca47..fba7c6f419 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md 
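Review bot: In the Best practices hunk, "Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments" is no longer accurate once this same patch states the policy is enabled by default on Windows 10 1607 and later: leaving it unconfigured there allows online identities. Recommend "Set this policy to **Disabled** for on-premises-only environments" and drop the "or don't configure" alternative, or qualify it as applying only to clients before 1607. Hyphenate "on-premises-only".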
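Review bot: In the defaults-table hunk, the two replacement rows need consistent labels: "client computers prior to Windows 10 1607" and "client computers Windows 10 1607 and newer" should be parallel ("prior to Windows 10, version 1607" / "Windows 10, version 1607 and later") and the second one is missing a separator between "client computers" and the version. The domain-controller and member-server rows are left at Disabled; since the note under Possible values says PKU2U is disabled by default on Windows Server, confirm those server defaults are unchanged for current Windows Server versions and say so, otherwise a reader will assume the 1607 change applies to servers as well.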
@@ -3693,6 +3693,8 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +It is recommended not to set the value below 2 days to avoid machines to go out of date. + If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. From ffcfb6ca644c80a37ee4ff6a3d6a6d5581a55fec Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 1 Jan 2022 07:07:23 +0500 Subject: [PATCH 05/18] Update in the document As intune is now the Endpoint protection manager, so updated the content. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10173 --- ...ll-a-windows-10-device-automatically-using-group-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c77b8f6df6..238ff184f9 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
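Review bot: The added sentence "It is recommended not to set the value below 2 days to avoid machines to go out of date." is ungrammatical ("to avoid machines going out of date") and gives no reason for the 2-day floor. Tie it to the behaviour described in the paragraph above: with a value lower than 2 days, the out-of-date actions (fallback to an alternative update source, warning icon) can fire before a normal update cycle has delivered new security intelligence.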
@@ -50,11 +50,11 @@ For this policy to work, you must verify that the MDM service provider allows th To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: -1. Verify that the user who is going to enroll the device has a valid Intune license. +1. Verify that the user who is going to enroll the device has a valid Endpoint Portection Manager license. :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) From 5e39f46a6950dbd73bcd4002c85f8ed92d3eaa91 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 2 Jan 2022 10:04:25 +0500 Subject: [PATCH 06/18] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
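Review bot: "Endpoint Portection Manager" is misspelled, and the new product name does not match the rest of the step: the unchanged lead sentence still says "using the Intune service" and the image alt text is "Intune license verification". If the linked issue asks to reflect the current branding, use the exact product name and update the intro line and alt text in the same change. In step 2, replacing "into Intune" with "Mobile Device Management (MDM)" removes the name of the service whose auto-enrollment is being verified, while the link text that follows still says "Microsoft Intune"; keep the service name, for example "into Intune (MDM)".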
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 238ff184f9..9fa74b61f9 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -50,7 +50,7 @@ For this policy to work, you must verify that the MDM service provider allows th To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: -1. Verify that the user who is going to enroll the device has a valid Endpoint Portection Manager license. +1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license. :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: From f61aa2010aac7960a3099b1ab0622d99c532fb4c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 3 Jan 2022 13:21:47 +0200 Subject: [PATCH 07/18] Update description https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8840 --- windows/security/threat-protection/auditing/event-4625.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 61e190ba1a..548b217e6d 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md 
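Review bot: The typo fix to "Endpoint Protection Manager" is fine, but the step still uses a product name that differs from the "using the Intune service" lead sentence and the "Intune license verification" alt text in the same hunk's context; pick one name and use it in all three places.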
@@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out. +This event is logged for any logon failure. It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. @@ -293,4 +293,4 @@ For 4625(F): An account failed to log on. | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | - | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | \ No newline at end of file + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | From 9d93b1f9da96d49263654fc185e43ce24d686f11 Mon Sep 17 00:00:00 2001 From: v-chodges <96920257+v-chodges@users.noreply.github.com> Date: Mon, 3 Jan 2022 08:49:56 -0600 Subject: [PATCH 08/18] Update windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index fba7c6f419..e8f77fefa1 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,7 +3693,7 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. -It is recommended not to set the value below 2 days to avoid machines to go out of date. +We do not recommend setting the value below two days to avoid machines going out of date. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. From 8b920d8805e84f941e89d44857a84dd56550def5 Mon Sep 17 00:00:00 2001 
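Review bot: In the event-4625 description hunk of PATCH 07/18, the new sentence drops several articles: "where logon attempt was made", "on user's workstation" and "then event will be logged". Suggest: "This event is logged for any failed logon attempt. It is generated on the computer where the attempt was made; for example, a failed logon at a user's workstation is logged on that workstation." The removed text also described the lockout cases (failure while already locked out, and the attempt that triggers lockout); if those are still covered by 4625, keep them as examples rather than deleting them, since they are what analysts usually search this event for. The second hunk only restores the trailing newline, which is fine.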
From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:13:43 -0800 Subject: [PATCH 09/18] Update event-4625.md --- windows/security/threat-protection/auditing/event-4625.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 548b217e6d..44603fc006 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 09/07/2021 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp ms.author: dansimp From 09ef58e0256c540f2ad52efa512e7d884637b013 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:17:25 -0800 Subject: [PATCH 10/18] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9fa74b61f9..1bb3dbc3a7 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 12/03/2021 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp ms.collection: highpri From cd460bcaeb13386e9262ef74fd1fd039d1cde03f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:19:15 -0800 Subject: [PATCH 11/18] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index e8f77fefa1..08bfd199f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 12/02/2020 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp --- From 7c8ae05545f782609276cab7aff3b1acae60fd0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:20:40 -0800 Subject: [PATCH 12/18] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 08bfd199f0..f115057a2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,7 +3693,7 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. -We do not recommend setting the value below two days to avoid machines going out of date. +We do not recommend setting the value to less than 2 days to prevent machines from going out of date. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. 
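Review bot: The final wording "We do not recommend setting the value to less than 2 days to prevent machines from going out of date." attaches "to prevent" to "setting", so it can be read as saying that a value under 2 days prevents machines from going out of date, the opposite of the intent. Suggest "Do not set the value to less than 2 days; lower values cause machines to be reported as out of date before a normal update cycle completes."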
From 5cc0c739b032790e5c3a2675b1516de531de7dfe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:15 -0800 Subject: [PATCH 13/18] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index b41c905d78..4767297d8b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -34,7 +34,7 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 up to Windows 10 1607. This policy is enabled by default on Windows 10 1607 and newer. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. ### Possible values From a45b1464f64435acda70de9d1c25373d3b18a98f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:33 -0800 Subject: [PATCH 14/18] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 4767297d8b..5dbbd249c2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
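Review bot: "from Windows 7 up to Windows 10, Version 1607" and "in Windows 10, Version 1607, and later" both include 1607, so the two sentences still overlap at that version; change the first to "prior to Windows 10, version 1607". The sentence pair also still says "isn't configured by default" and "enabled by default" for the same policy; state that the policy is Not Defined by default and that the effective default is Disabled before 1607 and Enabled from 1607.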
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -67,7 +67,7 @@ The following table lists the effective default values for this policy. Default | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| | Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| -| Effective GPO default settings on client computers Windows 10 1607 and newer | Enabled| +| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| ## Security considerations From a4505b95a7dd99ac0aa17d3b3167b685c78c8ff2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:39 -0800 Subject: [PATCH 15/18] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 5dbbd249c2..cef443df16 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
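Review bot: The replaced row is missing a space before the cell separator ("1607 and later| Enabled|"), and "client computers Windows 10, Version 1607 and later" needs a connector, for example "client computers running Windows 10, version 1607 and later". The preceding row still reads "prior to Windows 10 1607" in this hunk, so the two rows will not match until the next patch lands; better to change both in one hunk.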
@@ -66,7 +66,7 @@ The following table lists the effective default values for this policy. Default | Stand-alone server default settings | Not defined| | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| -| Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| +| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled| | Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| ## Security considerations From 69a58e1afe6c0181e4cbc9e0b690622935fe75dd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:46 -0800 Subject: [PATCH 16/18] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index cef443df16..17e7ba0bfb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD joined environments. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments. ### Location From 2af534ff2d4c9b7c99a58e75da592ad8d3fe7f53 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:24:32 -0800 Subject: [PATCH 17/18] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 17e7ba0bfb..e89957070a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
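Review bot: Hyphenating "Azure AD-joined" is fine, but the sentence still tells on-premises-only environments to "Set this policy to **Disabled** or don't configure this policy", and with the Enabled default on Windows 10, version 1607 and later that this series introduces, "don't configure" no longer excludes online identities on those clients. Suggest "Set this policy to **Disabled** for on-premises-only environments" and hyphenate "on-premises-only".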
@@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 01/03/2022 ms.technology: windows-sec --- From bc51f80df3a28b7dcae913e13ff1e7afc6ca443c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 3 Jan 2022 12:08:54 -0800 Subject: [PATCH 18/18] updating download link --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e5f880e174..d4c8f8e591 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -31,7 +31,7 @@ ms.technology: privacy This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. 
You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
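Review bot: Replacing the go.microsoft.com fwlink with a direct download.microsoft.com URL hard-codes one specific package, so this page goes stale the next time the baseline is refreshed, whereas the redirector could simply be re-pointed; if the direct link is needed because the fwlink target was broken, say which package version it resolves to and document a file hash next to the link so readers can verify what they downloaded, given that the package deploys policy across the organisation. The plus line also merges "You should not extract this package to the windows\system32 folder because it will not apply correctly." into the preceding paragraph; it was a separate line before, and it reads better as its own sentence or as part of the IMPORTANT note that follows.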