deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/microsoftdocs/windows-itpro-docs

Browse Source
This commit is contained in:
Patti Short
2018-08-03 10:00:02 -07:00
parent 5cf0b2da1e 865fdbceba
commit 49326d41be
64 changed files with 1009 additions and 542 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
windows/client-management/mdm/defender-csp.md
View File

@ -365,7 +365,7 @@ Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
<a href="" id="offlinescan"></a>**OfflineScan**
Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan.
Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. After the next OS reboot, the device will start in Windows Defender offline mode to begin the scan.
Supported operations are Get and Execute.
@ -374,12 +374,3 @@ Supported operations are Get and Execute.
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

20
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -364,7 +364,7 @@ Added in Windows 10, next major version. Specifies if an app is nonremovable by
This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesnt remove it for all users.
This setting requires admin permission. This can only be set per device, not per user. You can query the setting using AppInvetoryQuery or AppInventoryResults.
NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@ -382,12 +382,12 @@ Add an app to the nonremovable app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
<Data>1</Data>
</Item>
</Add>
<Final/>
@ -403,7 +403,7 @@ Delete an app from the nonremovable app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
</Item>
</Delete>
@ -412,7 +412,7 @@ Delete an app from the nonremovable app policy list
</SyncML>
```
Get list of apps in the nonremovable app policy list
Get the status for a particular app
```
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -420,7 +420,7 @@ Get list of apps in the nonremovable app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
</Item>
</Get>
@ -429,9 +429,9 @@ Get list of apps in the nonremovable app policy list
</SyncML>
```
Replace an app in the nonremovable app policy list
Data 0 = app is not in the app policy list
Data 1 = app is in the app policy list
Replace an app in the nonremovable app policy list
Data 0 = app is not in the app policy list
Data 1 = app is in the app policy list
```
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -439,7 +439,7 @@ Data 1 = app is in the app policy list
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable</LocURI>
<LocURI>./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>

BIN
windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 31 KiB

2
windows/client-management/mdm/reboot-csp.md
View File

@ -41,7 +41,7 @@ The following diagram shows the Reboot configuration service provider management
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
<a href="" id="schedule-dailyrecurrent"></a>**Schedule/DailyRecurrent**
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z</p>
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. </p>
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>

74
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/22/2018
ms.date: 08/02/2018
---
# WindowsDefenderApplicationGuard CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
@ -19,20 +21,19 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png)
<a href="" id="windowsdefenderapplicationguard"></a>**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Root node. Supported operation is Get.</p>
<p style="margin-left: 20px"></p>
Root node. Supported operation is Get.
<a href="" id="settings"></a>**Settings**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
Interior node. Supported operation is Get.
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
<p style="margin-left: 20px">Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Disables content copying.
- 1 - Allow text copying.
@ -40,7 +41,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
- 3 - Allow text and image copying.
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
<p style="margin-left: 20px">This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete</p>
This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host
@ -51,7 +52,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
<p style="margin-left: 20px">This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Disables all print functionality (default)
- 1 - Enables only XPS printing
@ -70,13 +71,13 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
- 15 - Enables all printing
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
<p style="margin-left: 20px">This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge..
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
<p style="margin-left: 20px">This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
@ -93,29 +94,62 @@ Added in Windows 10, version 1803. This policy setting allows you to determine w
- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<a href="" id="status"></a>**Status**
<p style="margin-left: 20px">Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
<a href="" id="filetrustcriteria"></a>**Settings/FileTrustCriteria**
Placeholder for future use. Do not use in production code.
Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
<a href="" id="filetrustoriginremovablemedia"></a>**Settings/FileTrustOriginRemovableMedia**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginnetworkshare"></a>**Settings/FileTrustOriginNetworkShare**
Placeholder for future use. Do not use in production code.
<a href="" id="filetrustoriginmarkoftheweb"></a>**Settings/FileTrustOriginMarkOfTheWeb**
Placeholder for future use. Do not use in production code.
<a href="" id="certificatethumbprints"></a>**Settings/CertificateThumbprints**
Added in Windows 10, next major version. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
If you disable or dont configure this setting, certificates are not shared with the Windows Defender Application Guard container.
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, next major version. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the users device.
If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the users device.
> [!Important]
> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
Bit 1 - Set to 1 when the client machine is Hyper-V capable
Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
Bit 3 - Set to 1 when WDAG installed on the client machine
Bit 4 - Set to 1 when required Network Isolation Policies are configured
Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
</p>
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.</p>
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
- Install - Will initiate feature install
- Uninstall - Will initiate feature uninstall
<a href="" id="audit"></a>**Audit**
<p style="margin-left: 20px">Interior node. Supported operation is Get</p>
Interior node. Supported operation is Get
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
<p style="margin-left: 20px">This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.</p>
This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
- 0 (default) - - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.

149
windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
View File

@ -6,17 +6,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/22/2018
ms.date: 08/02/2018
---
# WindowsDefenderApplicationGuard DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
This XML is for Windows 10, version 1803.
This XML is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -42,7 +44,7 @@ This XML is for Windows 10, version 1803.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.2/MDM/WindowsDefenderApplicationGuard</MIME>
<MIME>com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard</MIME>
</DFType>
</DFProperties>
<Node>
@ -248,6 +250,147 @@ This XML is for Windows 10, version 1803.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustCriteria</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustOriginRemovableMedia</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustOriginNetworkShare</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FileTrustOriginMarkOfTheWeb</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CertificateThumbprints</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowCameraMicrophoneRedirection</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>

6
windows/deployment/update/windows-analytics-get-started.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/18/2018
ms.date: 08/01/2018
ms.localizationpriority: medium
---
@ -52,9 +52,9 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health for device tickets. |
| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. |
| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. **Note:** In this context login.live.com is *not* used for access to Microsoft Account consumer services. The endpoint is used only as part of the WIndows Error Reporting protocol to enhance the integrity of error reports. |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
>[!NOTE]

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
View File

@ -67,7 +67,7 @@ The Windows Hello for Business Group Policy object delivers the correct Group Po
#### Enable Windows Hello for Business
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
@ -163,7 +163,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)

1
windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md
View File

@ -49,4 +49,3 @@ While Windows Defender System Guard provides advanced protection that will help
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

2
windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
View File

@ -26,7 +26,7 @@ When a service connects with the device identity, signing and encryption are sup
### Possible values
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
| - | - |
| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.|
|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|

3
windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 09/21/2017
ms.date: 08/02/2018
---
# Delete an AppLocker rule
@ -43,6 +43,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules: