From 49cedb0a06c9837193c4f06b29c933de594434a2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:16:50 +0500 Subject: [PATCH 001/148] Device Health Monitoring Device health monitoring is also available in Windows 10 Pro version 1903 and later https://docs.microsoft.com/en-us/mem/analytics/troubleshoot#bkmk_2016281112 https://docs.microsoft.com/en-us/mem/intune/configuration/windows-health-monitoring Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9339 --- .../mdm/policy-csp-devicehealthmonitoring.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 60d4832fae..35190895c9 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -51,7 +51,7 @@ manager: dansimp Pro - cross mark + check mark6 Business @@ -115,7 +115,7 @@ The following list shows the supported values: Pro - cross mark + check mark6 Business @@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to Pro - cross mark + check mark6 Business From ca3dc27a1b80d596826273116d3749b0d5851647 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:21:46 +0500 Subject: [PATCH 002/148] IPv4 is not optional For WIP, IPv4 is not optional, but mandatory to be configured. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9208 --- .../create-wip-policy-using-intune-azure.md | 2 -- 1 file changed, 2 deletions(-) 
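Review bot: All three hunks change the Pro cell to "check mark6", which depends on this page's footnote 6 reading "Available in Windows 10, version 1903"; the commit message gives 1903 as the first Pro release with device health monitoring, but no hunk touches the footnote list, so confirm that footnote 6 exists on this page and states that version (the policy-csp pages number footnotes per page, as the localpoliciessecurityoptions patch in this series shows with 7 = 1909 and 8 = 2004). If the page has no such footnote, add it in the same change rather than leaving a dangling marker.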
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..ca584f750a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com ### IPv4 ranges -Starting with Windows 10, version 1703, this field is optional. - Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t supported. From 9fafb9767beb886fb7b0a0deb612308337d60f02 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 3 May 2021 09:30:34 +0500 Subject: [PATCH 003/148] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a0b1076deb..8d384e1020 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 05/02/2021 ms.reviewer: manager: dansimp --- 
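Review bot: The hunk at -507 only deletes the "this field is optional" sentence and adds nothing in its place, so the IPv4 ranges section no longer says whether the field is required at all. Since the commit message states the range is mandatory for WIP, suggest replacing the removed line with an explicit statement such as "This field is required." so that readers do not leave the range empty and end up with an incomplete corporate network boundary, which would cause WIP to misclassify intranet traffic.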
@@ -1045,9 +1045,7 @@ GP Info: -Valid values: -- 0 - disabled -- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) +Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. @@ -3467,4 +3465,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From aa2b2bb21c6282298361130c8960ea6c283a9099 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 3 May 2021 14:31:48 -0700 Subject: [PATCH 004/148] Creating Test TOC This is a test to see how the landing page will look without having changed the original landing page. --- .../TOC2.yml | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/TOC2.yml diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml new file mode 100644 index 0000000000..cbd308449b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml 
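Review bot: In the hunk at -1045 the new sentence changes the semantics of the value, not just its wording: the removed list documented 1 as "enabled", while the added text makes 1 mean a one-second inactivity limit. Suggest adding a short caveat that existing MDM profiles sending 1 will now lock sessions after one second, so the value should be set to the intended number of seconds. Minor style: capitalize "From" after the colon, and drop the comma before "after which" since the clause is restrictive: "Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked."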
@@ -0,0 +1,113 @@ + +### WDAC:Landing +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is WDAC (WDAC Overview)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about the Design Guide + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Merging Policies + url: wdac-wizard-merging-policies.md + - text: Recommended blocks + url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? 
+ - text: Example policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: cardreate-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: create-initial-default-policy.md + - text: Using catalog files + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: WDAC Wizard tool + url: wdac-wizard.md + - linkListType: Tutorial (videos) + links: + - text: Using the WDAC Wizard + url: video md + - text: Specifying custom values + url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy rules + url: + - text: Understanding File rules + url: + - linkListType: how-to-guide (written) + links: + - text: Allow managed installer and configure managed installer rules + url: use-windows-defender-application-control-with-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Signed policies + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-windows-defender-application-control-policies.md #(merge with enforce-windows-defender-application-control-policies.md) + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: 
deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + # Card + - title: Learn how to monitor and reiterate WDAC Policies (operational) + linkLists: + - linkListType: overview + links: + - text: Event logs (tags, IDs) + url: event-id-explanations.md #(merge with event-tag-explanations.md) + - text: Advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md #same as below + - linkListType: how-to-guide + links: + - text: Querying using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above + - linkListType: tutorial + links: + - text: Creating a policy from event logs + url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above \ No newline at end of file From 4e0b331d0c6b08c0b875d9319a8b0ece7b85f668 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 4 May 2021 16:11:39 +0500 Subject: [PATCH 005/148] Update windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8d384e1020..8beeba2c2e 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md 
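Review bot: Several entries in the new TOC2.yml will not resolve as written: "cardreate-wdac-policy-for-lightly-managed-devices.md" looks like a typo for "create-wdac-policy-for-lightly-managed-devices.md"; "url: video md" (twice) and the empty "url:" values under "Understanding policy rules" and "Understanding File rules" are placeholders; and "applocker\applocker-overview.md" uses a backslash where every other path uses forward slashes. The linkListType values "Tutorial (videos)" and "how-to-guide (written)" are not among the values the file's own comment allows (overview | how-to-guide | tutorial | video), so the landing-page renderer will likely reject them; use "video" and "how-to-guide". The leading "### WDAC:Landing" line is Markdown, not YAML, and should be a "#" comment, and the empty first "+" line can go.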
@@ -1045,7 +1045,7 @@ GP Info: -Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. From 33813715be906532b5f00daea8b0c148288b4955 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Wed, 5 May 2021 18:16:11 -0400 Subject: [PATCH 006/148] Document ProxyServers property --- windows/client-management/mdm/surfacehub-csp.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ff96d2c80a..745f408e3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -61,9 +61,9 @@ SurfaceHub --------SleepTimeout --------AllowSessionResume --------AllowAutoProxyAuth +--------ProxyServers --------DisableSigninSuggestions --------DoNotShowMyMeetingsAndFiles -----ProxyServers ----Management --------GroupName --------GroupSid @@ -571,6 +571,11 @@ SurfaceHub

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. + +**Properties/ProxyServers** +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). + +

The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. From 722f7ee58d424e1ab7068d71d9d1bca4b93a9a8a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 5 May 2021 16:27:20 -0700 Subject: [PATCH 007/148] Update TOC2.yml Made a small update. --- .../windows-defender-application-control/TOC2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index cbd308449b..e8a04d9f6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -27,7 +27,7 @@ landingContent: url: applocker\applocker-overview.md - text: WDAC and AppLocker feature availability url: feature-availability.md - # Card + # Card - title: Learn about the Design Guide linkLists: - linkListType: overview @@ -37,7 +37,7 @@ landingContent: - text: Merging Policies url: wdac-wizard-merging-policies.md - text: Recommended blocks - url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? + url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? Add both, actually. - text: Example policies url: example-wdac-base-policies.md - text: LOB Win32 apps on S Mode From 50e97e88a9b9bf5347ffa18cdaceeefd05ac04a5 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 7 May 2021 09:25:49 -0400 Subject: [PATCH 008/148] Removed locale from links --- windows/client-management/mdm/surfacehub-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 745f408e3b..9755457f60 100644 
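Review bot: The hunk at -571 adds the ProxyServers description but leaves two behaviours undocumented that matter because this setting controls where the device account's credentials are released: whether matching is exact FQDN only (no wildcards, no port suffix) and what happens when the list is empty while AllowAutoProxyAuth is true. Suggest stating both explicitly, and adding a sentence that only proxies under the organization's control should be listed, since every listed host will be offered the device account credentials. Minor: "semi-colon" should be "semicolon", and the two extra blank "+" lines after the description paragraph look like leftover line breaks.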
--- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -573,7 +573,7 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).

The data type is string. Supported operation is Get and Replace. From 1afb27049feb753e6f137b00a05964f9ec70caa8 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 7 May 2021 11:48:38 -0700 Subject: [PATCH 009/148] Created new page for Audit and Enforce WDAC Merged Audit Events and Enforce WDAC policy pages, as well as updated the TOC2. --- .../TOC2.yml | 12 +- ...s-defender-application-control-policies.md | 163 ++++++++++++++++++ 2 files changed, 169 insertions(+), 6 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index e8a04d9f6b..6643f8980b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -37,7 +37,9 @@ landingContent: - text: Merging Policies url: wdac-wizard-merging-policies.md - text: Recommended blocks - url: microsoft-recommended-block-rules.md #there are block rules and driver block rules, which link? Add both, actually. + url: microsoft-recommended-block-rules.md + - text: Recommended driver blocks + url: microsoft-recommended-driver-block-rules.md - text: Example policies url: example-wdac-base-policies.md - text: LOB Win32 apps on S Mode 
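Review bot: In the hunk at -573 the removed and added paragraphs read identically as plain text, so the locale removal the commit message describes is only in the link markup and cannot be confirmed from this view; please verify that the KB4499162 link now uses the locale-neutral support URL so it redirects to the reader's language rather than pinning en-us.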
@@ -83,7 +85,7 @@ landingContent: - text: Signed policies url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - text: Audit and enforce policies - url: audit-windows-defender-application-control-policies.md #(merge with enforce-windows-defender-application-control-policies.md) + url: audit-and-enforce-windows-defender-application-control-policies.md - text: Disabling WDAC policies url: disable-windows-defender-application-control-policies.md - linkListType: tutorial @@ -101,13 +103,11 @@ landingContent: links: - text: Event logs (tags, IDs) url: event-id-explanations.md #(merge with event-tag-explanations.md) - - text: Advanced hunting - url: querying-application-control-events-centrally-using-advanced-hunting.md #same as below - linkListType: how-to-guide links: - text: Querying using advanced hunting url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above - linkListType: tutorial links: - - text: Creating a policy from event logs - url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above \ No newline at end of file + - text: Creating a policy from event logs (video) + url: querying-application-control-events-centrally-using-advanced-hunting.md #Jordan will create a video for this \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md new file mode 100644 index 0000000000..c10855446f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md 
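Review bot: In the hunk at -101, the tutorial entry "Creating a policy from event logs (video)" still points at querying-application-control-events-centrally-using-advanced-hunting.md with a comment that the video is yet to be made, so the landing page would ship a link whose text and target disagree; either drop the entry until the video exists or point it at the audit-events article created in this same commit. The "#same as above" comment on the how-to-guide entry is now stale because the "Advanced hunting" overview link it referred to is removed in this hunk.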
@@ -0,0 +1,163 @@ +--- +title: Use audit events to create then enforce WDAC policy rules (Windows 10) +description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: jogeurte +ms.reviewer: v-kikl +ms.author: dansimp +manager: dansimp +ms.date: 05/03/2021 +ms.technology: mde +--- + +# Use audit events to create WDAC policy rules + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. + +While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. + +## Overview of the process to create WDAC policy to allow apps using audit events + +> [!Note] +> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). + +To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. + +1. 
Install and run an application not allowed by the WDAC policy but that you want to allow. + +2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). + + **Figure 1. Exceptions to the deployed WDAC policy** + ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) + +3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. + + ```powershell + $PolicyName= "Lamna_FullyManagedClients_Audit" + $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml" + $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" + ``` + +4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. + + ```powershell + New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings + ``` + + > [!NOTE] + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. 
You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). + +5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). + +6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. + + > [!NOTE] + > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. + +7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. + + For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). + +8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. 
+ + + +## Convert WDAC **base** policy from audit to enforced + +As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. + +**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. + +Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. + +1. Initialize the variables that will be used and create the enforced policy by copying the audit version. + + ```powershell + $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced" + $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml" + $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml" + cp $AuditPolicyXML $EnforcedPolicyXML + ``` + +2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step. 
+ + ```powershell + $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID + $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) + ``` + + > [!NOTE] + > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. + +3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. + + ```powershell + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9 + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10 + ``` + +4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement: + + ```powershell + Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete + ``` + +5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary: + + > [!NOTE] + > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. 
+ + ```powershell + $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" + ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary + ``` + +## Make copies of any needed **supplemental** policies to use with the enforced base policy + +Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure. + +1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used. + + ```powershell + $SupplementalPolicyName = "Lamna_Supplemental1" + $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml" + $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml" + ``` + +2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement. + + ```powershell + $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID + $SupplementalPolicyID = $SupplementalPolicyID.Substring(11) + ``` + + > [!NOTE] + > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. + +3. 
Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary: + + ```powershell + $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" + ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary + ``` +4. Repeat the steps above if you have other supplemental policies to update. + +## Deploy your enforced policy and supplemental policies + +Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). + From 5fa1ea84d48db26ba375704f49a5763c6c706995 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 11 May 2021 09:47:30 -0700 Subject: [PATCH 010/148] Event ID and Tags explanation Merged event IDs and tag explanations into one file. Updated TOC with new link. --- .../TOC2.yml | 2 +- .../event-id-and-tag-explanations.md | 153 ++++++++++++++++++ 2 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index 6643f8980b..3db9e8ccd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -102,7 +102,7 @@ landingContent: - linkListType: overview links: - text: Event logs (tags, IDs) - url: event-id-explanations.md #(merge with event-tag-explanations.md) + url: event-id-and-tag-explanations.md - linkListType: how-to-guide links: - text: Querying using advanced hunting 
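Review bot: In the new audit-and-enforce page, $EnforcedPolicyBinary and $EnforcedSuppPolicyBinary are built with an ".xml" extension even though ConvertFrom-CIPolicy writes the binary policy; multiple-policy-format binaries are deployed as {PolicyID}.cip, so suggest ".cip" for both so the output is not mistaken for the XML source. In the supplemental procedure, step 1 says it creates a copy of the current supplemental policy but the code block only assigns variables, so Set-CIPolicyIdInfo in step 2 will fail on a missing $EnforcedSupplementalPolicy; add "cp $CurrentSupplementalPolicy $EnforcedSupplementalPolicy" as the base procedure does. The front matter repeats the ms.reviewer key (jogeurte, then v-kikl), which is a duplicate YAML key so only one survives. The Lamna paragraph links to audit-windows-defender-application-control-policies.md, the page this file merges away; make it an in-page anchor. The H1 "Use audit events to create WDAC policy rules" no longer matches the title metadata "create then enforce" now that enforcement is covered here. Minor: "–UserPEs" in the New-CIPolicy command uses an en dash where the other parameters use an ASCII hyphen, and the "4. Repeat the steps above" item sits directly on the closing fence without a blank line, which can break list rendering.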
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md new file mode 100644 index 0000000000..81c7794f17 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md 
@@ -0,0 +1,153 @@ +--- +title: Understanding Application Control event IDs and tags (Windows 10) +description: Learn what different Windows Defender Application Control event IDs and tags signify. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: jogeurte +ms.reviewer: v-kikl +ms.author: dansimp +manager: dansimp +ms.date: 5/7/2021 +ms.technology: mde +--- + +# Understanding Application Control event IDs and tags + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. + +These events are generated under two locations: + + - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational + + - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## Microsoft Windows CodeIntegrity Operational log event IDs + +| Event ID | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3076 | Audit executable/dll file | +| 3077 | Block executable/dll file | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. 
Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3099 | Indicates that a policy has been loaded | + +## Microsoft Windows Applocker MSI and Script log event IDs + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8029 | Block script/MSI file | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | + +## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events + +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. 
+ +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3090 | Allow executable/dll file | +| 3091 | Audit executable/dll file | +| 3092 | Block executable/dll file | + +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. + +### SmartLocker template + +Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. + +| Name | Explanation | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. 
| +| ManagedInstallerEnabled | Policy trusts a MI | +| PassesManagedInstaller | File originated from a trusted MI | +| SmartlockerEnabled | Policy trusts the ISG | +| PassesSmartlocker | File had positive reputation | +| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | + +### Enabling ISG and MI diagnostic events + +In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: + +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 +``` + +In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + +```powershell +reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 +``` + +
+ +## Event Tags + +Below, we have documented the values and meanings for a few useful event tags. + +## SignatureType + +Represents the type of signature which verified the image. + +| SignatureType Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Unsigned or verification has not been attempted | +| 1 | Embedded signature | +| 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | +| 5 | Successfully verified using an EA that informs CI which catalog to try first | +|6 | AppX / MSIX package catalog verified | +| 7 | File was verified | + +## ValidatedSigningLevel + +Represents the signature level at which the code was verified. 
+ +| ValidatedSigningLevel Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Signing level has not yet been checked | +| 1 | File is unsigned | +| 2 | Trusted by WDAC policy | +| 3 | Developer signed code | +| 4 | Authenticode signed | +| 5 | Microsoft Store signed app PPL (Protected Process Light) | +| 6 | Microsoft Store-signed | +| 7 | Signed by an Antimalware vendor whose product is using AMPPL | +| 8 | Microsoft signed | +| 11 | Only used for signing of the .NET NGEN compiler | +| 12 | Windows signed | +| 14 | Windows Trusted Computing Base signed | + +## VerificationError + +Represents why verification failed, or if it succeeded. 
+ +| VerificationError Value | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Successfully verified signature | +| 2 | File contains shared writable sections | +| 4 | Revoked signature | +| 5 | Expired signature | +| 7 | Invalid root certificate | +| 8 | Signature was unable to be validated; generic error | +| 9 | Signing time not trusted | +| 12 | Not valid for a PPL (Protected Process Light) | +| 13 | Not valid for a PP (Protected Process) | +| 15 | Failed WHQL check | +| 16 | Default policy signing level not met | +| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | +| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | +| 19 | Binary is revoked by file hash | +| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | +| 21 | Failed to pass WDAC policy | +| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | +| 23 | Invalid image hash | +| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 26 | Explicitly denied by WADC policy | +| 28 | Resource page hash mismatch | From ecf67c7cab2e9f64e737f616419f6d2ec482b8ab Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 14 May 2021 19:16:52 +0530 Subject: [PATCH 011/148] removed link as per user report #9518, so i removed security boundary link --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
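Review bot: in the new event-id-and-tag-explanations.md, the front matter declares `ms.reviewer` twice (`jogeurte` and `v-kikl`), and the 8038 row of the AppLocker MSI and Script table ends with an extra empty cell (`... "Correlation ActivityID". | |`), which breaks the table; keep a single `ms.reviewer` and drop the stray `|`. Further down, `| 26 | Explicitly denied by WADC policy |` should read WDAC, the heading `## Microsoft Windows Applocker MSI and Script log event IDs` should use the product spelling AppLocker, and `## SignatureType`, `## ValidatedSigningLevel` and `## VerificationError` are subsections of `## Event Tags`, so they should be `###`. The SignatureType table jumps from 2 to 4; if value 3 exists, document it, otherwise say the value is unused. The two `reg add` commands write under HKLM and therefore need an elevated prompt, which the text should state; they are reg.exe invocations rather than PowerShell cmdlets, so either tag the fences as `cmd` or note that they work from either shell.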
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index b7dcbcddd8..427198ae92 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a security boundary.[Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. From d2ac95dd42b02c1051e2fe8e938afc1675a10bb3 Mon Sep 17 00:00:00 2001 
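Review bot: the rewritten NOTE line loses the space after `boundary.`, so the sentence runs straight into `[Windows Defender Application Control]`; it should read `... not a security boundary. [Windows Defender Application Control](...)`. Also, the commit message says the security-boundary link was removed per #9518, but the link that remains, on the WDAC name, still goes to the same MSRC servicing-criteria page rather than the WDAC documentation; confirm that is the intended target, or link the WDAC overview there.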
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 15 May 2021 12:54:39 +0530 Subject: [PATCH 012/148] Update windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../applocker/applocker-overview.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 427198ae92..0a97c8aeb0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md 
@@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and not a security boundary.[Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a security boundary. [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. @@ -143,4 +143,3 @@ For reference in your security planning, the following table identifies the base | [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. | | [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. | | [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. | - From 3686a52369a093a6146e752564bfaa3ff5d5b6be Mon Sep 17 00:00:00 2001 
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 17 May 2021 10:15:43 +0300 Subject: [PATCH 013/148] Add info about UPN matching Azure AD domain name https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9386 --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index d867b494ec..298d1d7986 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). +> [!NOTE] +> User accounts enrolling for Windows Hello for Business in Hybrid Certificate Trust scenario must have UPN matching a verified domain name in Azure AD. More details [here](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). + > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. 
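Review bot: the new NOTE's link uses an absolute, locale-specific URL (`https://docs.microsoft.com/en-us/azure/...`) while the line just above it in the same hunk uses the site-relative form (`/azure/active-directory/hybrid/...`); use `/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues` and give the link descriptive text instead of `here`. Wording: `in Hybrid Certificate Trust scenario must have UPN matching` reads better as `in the hybrid certificate trust scenario must have a UPN that matches`. Two `[!NOTE]` callouts now sit back to back; merging them into one note with two paragraphs avoids the stacked boxes.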
@@ -152,4 +155,4 @@ If your environment is already federated and supports Azure device registration, 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) From c04791063c19a5a607c355d9c9b38f4218006af0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 17 May 2021 17:56:14 -0700 Subject: [PATCH 014/148] Updated existing pages and merged others 1. Added missing event tags from event-tag-explanations. 2. Corrected MD errors in event-tags and event-id files. 3. Added missing event tag to combined event-id-and-tag file and ensured there are no MD errors. 4. Edited WDAC and AppLocker overview file for grammar. 5. Combined audit WDAC policies file with enforce WDAC policies file. 6. Updated TOC2, which will replace the main TOC. --- .../TOC2.yml | 4 ++-- ...s-defender-application-control-policies.md | 6 ++--- .../event-id-and-tag-explanations.md | 23 +++++++++++------- .../event-id-explanations.md | 12 +++++----- .../event-tag-explanations.md | 13 ++++++++-- .../wdac-and-applocker-overview.md | 24 +++++++++---------- 6 files changed, 48 insertions(+), 34 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index 3db9e8ccd7..474b426029 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml 
@@ -106,8 +106,8 @@ landingContent: - linkListType: how-to-guide links: - text: Querying using advanced hunting - url: querying-application-control-events-centrally-using-advanced-hunting.md #same as above + url: querying-application-control-events-centrally-using-advanced-hunting.md - linkListType: tutorial links: - text: Creating a policy from event logs (video) - url: querying-application-control-events-centrally-using-advanced-hunting.md #Jordan will create a video for this \ No newline at end of file + url: #Jordan will create a video for this \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index c10855446f..31f6314425 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -19,7 +19,7 @@ ms.date: 05/03/2021 ms.technology: mde --- -# Use audit events to create WDAC policy rules +## Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced **Applies to:** 
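Review bot: in the TOC2.yml hunk, `url: #Jordan will create a video for this` leaves `url` empty because `#...` is a YAML comment, so the landing page ships a "Creating a policy from event logs (video)" entry with no link; drop the entry until the video exists, and add the missing newline at end of file (the `\ No newline at end of file` marker is still present on the new side). In the audit-and-enforce hunk, the title is demoted from `#` to `##`, leaving the page without an H1, and `from audits to enforced` should be `from audit to enforced`; the file already has a `## Convert WDAC **base** policy from audit to enforced` section, so folding that wording into the title is redundant anyway. The same `#` to `##` demotion is applied to every other .md file in this patch (event-id-and-tag-explanations, event-id-explanations, event-tag-explanations, wdac-and-applocker-overview); if it is deliberate, the commit message should say why.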
@@ -75,8 +75,6 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. - - ## Convert WDAC **base** policy from audit to enforced As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. @@ -155,9 +153,9 @@ Since the enforced policy was given a unique PolicyID in the previous procedure, $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary ``` + 4. Repeat the steps above if you have other supplemental policies to update. ## Deploy your enforced policy and supplemental policies Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). - diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md index 81c7794f17..9b21c840e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md 
@@ -19,15 +19,15 @@ ms.date: 5/7/2021 ms.technology: mde --- -# Understanding Application Control event IDs and tags +## Understanding Application Control event IDs and tags A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. These events are generated under two locations: - - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs @@ -35,7 +35,7 @@ These events are generated under two locations: |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | ## Microsoft Windows Applocker MSI and Script log event IDs @@ -48,7 +48,7 @@ These events are generated under two locations: ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | |----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -84,9 +84,7 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` - -
- + ## Event Tags Below, we have documented the values and meanings for a few useful event tags. @@ -100,6 +98,7 @@ Represents the type of signature which verified the image. | 0 | Unsigned or verification has not been attempted | | 1 | Embedded signature | | 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 3 | Cached catalog verified via Catalog Database or searching catalog directly | | 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | | 5 | Successfully verified using an EA that informs CI which catalog to try first | |6 | AppX / MSIX package catalog verified | 
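Review bot: the new row `| 3 | Cached catalog verified via Catalog Database or searching catalog directly |` fills the gap between 2 and 4, but the unchanged `|6 | AppX / MSIX package catalog verified |` row just below it still lacks the space after the pipe, while the same row is corrected to `| 6 |` in event-tag-explanations.md in this patch; apply the same fix here so the two copies of the table stay identical.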
@@ -131,14 +130,20 @@ Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0 | Successfully verified signature | +| 1 | File has an invalid hash | | 2 | File contains shared writable sections | +| 3 | File is not signed| | 4 | Revoked signature | | 5 | Expired signature | +| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | | 7 | Invalid root certificate | | 8 | Signature was unable to be validated; generic error | | 9 | Signing time not trusted | +| 10 | The file must be signed using page hashes for this scenario | +| 11 | Page hash mismatch | | 12 | Not valid for a PPL (Protected Process Light) | | 13 | Not valid for a PP (Protected Process) | +| 14 | The signature is missing the required ARM EKU | | 15 | Failed WHQL check | | 16 | Default policy signing level not met | | 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | @@ -149,5 +154,7 @@ Represents why verification failed, or if it succeeded. | 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | | 23 | Invalid image hash | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 25 | Anti-cheat policy violation | | 26 | Explicitly denied by WADC policy | +| 27 | The signing chain appears to be tampered/invalid | | 28 | Resource page hash mismatch | 
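Review bot: `| 3 | File is not signed|` is missing the space before the closing pipe, unlike every other row, and the unchanged row `| 26 | Explicitly denied by WADC policy |` still carries the WADC typo, which is worth fixing while the table is being touched. The same eight rows (1, 3, 6, 10, 11, 14, 25, 27) are added verbatim to event-tag-explanations.md in this patch, so the VerificationError table now has to be kept in sync in two files; since the commit message describes event-id-and-tag-explanations.md as the combined file, consider having the older file point to it rather than maintaining both.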
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b464707f61..8aab0d3c1b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -18,13 +18,13 @@ ms.date: 3/17/2020 ms.technology: mde --- -# Understanding Application Control events +## Understanding Application Control events A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - - Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script ## Microsoft Windows CodeIntegrity Operational log event IDs 
@@ -32,7 +32,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | ## Microsoft Windows Applocker MSI and Script log event IDs @@ -45,7 +45,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | |----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -75,7 +75,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 ``` - + In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: ```powershell diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 6ee1d70486..e4a1e510ea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -18,7 +18,7 @@ ms.date: 8/27/2020 ms.technology: mde --- -# Understanding Application Control event tags +## Understanding Application Control event tags Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags. @@ -31,9 +31,10 @@ Represents the type of signature which verified the image. | 0 | Unsigned or verification has not been attempted | | 1 | Embedded signature | | 2 | Cached signature; presence of CI EA shows that file had been previously verified | +| 3 | Cached catalog verified via Catalog Database or searching catalog directly | | 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | | 5 | Successfully verified using an EA that informs CI which catalog to try first | -|6 | AppX / MSIX package catalog verified | +| 6 | AppX / MSIX package catalog verified | | 7 | File was verified | ## ValidatedSigningLevel 
@@ -62,14 +63,20 @@ Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0 | Successfully verified signature | +| 1 | File has an invalid hash | | 2 | File contains shared writable sections | +| 3 | File is not signed| | 4 | Revoked signature | | 5 | Expired signature | +| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | | 7 | Invalid root certificate | | 8 | Signature was unable to be validated; generic error | | 9 | Signing time not trusted | +| 10 | The file must be signed using page hashes for this scenario | +| 11 | Page hash mismatch | | 12 | Not valid for a PPL (Protected Process Light) | | 13 | Not valid for a PP (Protected Process) | +| 14 | The signature is missing the required ARM EKU | | 15 | Failed WHQL check | | 16 | Default policy signing level not met | | 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | @@ -80,5 +87,7 @@ Represents why verification failed, or if it succeeded. | 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | | 23 | Invalid image hash | | 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | +| 25 | Anti-cheat policy violation | | 26 | Explicitly denied by WADC policy | +| 27 | The signing chain appears to be tampered/invalid | | 28 | Resource page hash mismatch | 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 03f0eb6f0d..0897007f32 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md 
@@ -19,18 +19,18 @@ ms.custom: asr ms.technology: mde --- -# Windows Defender Application Control and AppLocker Overview +## Windows Defender Application Control and AppLocker Overview **Applies to:** - Windows 10 - Windows Server 2016 and above -Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. +Windows 10 includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. ## Windows Defender Application Control -WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). +WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: 
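Review bot: the same H1-to-H2 demotion appears here, `-# Windows Defender Application Control and AppLocker Overview` to `+## ...`, which leaves wdac-and-applocker-overview.md with no top-level heading and makes the title a peer of the `## Windows Defender Application Control` section two lines below; keep `#`. The unchanged context sentence `WDAC policies apply to the managed computer as a whole and affects all users of the device.` has a subject/verb disagreement (should be `affect`) that could be corrected while this paragraph is being edited.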
@@ -41,21 +41,21 @@ WDAC policies apply to the managed computer as a whole and affects all users of - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary -Note that prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features which comprised the now-defunct term 'Device Guard'. +Note that prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard." ### WDAC System Requirements -WDAC policies can be created on any client edition of Windows 10 build 1903+ or on Windows Server 2016 and above. +WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10 or Windows Server 2016 and above via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. 
-For more information on which individual WDAC features are available on which WDAC builds, see [WDAC feature availability](feature-availability.md). +For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). ## AppLocker -AppLocker was introduced with Windows 7 and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end users from running unapproved software on their computers, but it does not meet the servicing criteria for being a security feature. +AppLocker was introduced with Windows 7, and allows organizations to control which applications are allowed to run on their Windows clients. AppLocker helps to prevent end-users from running unapproved software on their computers but does not meet the servicing criteria for being a security feature. -AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: +AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file 
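Review bot: the rewrite `via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell.` replaces a readable list with semicolons and abbreviations and is harder to scan than the original `like Intune` phrasing; prefer the original wording, which also matches the style used elsewhere on the page. The comma inserted in `Windows 10 build 1903+, or on Windows Server 2016 and above` splits a simple two-item `or` and should be dropped. `on specific WDAC builds` changes the meaning of `on which WDAC builds`; WDAC is not versioned separately from Windows, so `on which Windows builds` would be the accurate phrasing. The hyphen added in `end-users` is unnecessary when the term is used as a noun.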
@@ -68,13 +68,13 @@ AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Generally, it is recommended that customers who are able to implement application control using WDAC rather than AppLocker do so. WDAC is undergoing continual improvements and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. +Generally, it is recommended that customers, who are able to implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. -In some cases, however, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: +However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You need to apply different policies for different users or groups on shared computers. - You do not want to enforce application control on application files such as DLLs or drivers. -AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where it is important to prevent some users from running specific apps. +AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it is important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions. 
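Review bot: the commas added in `customers, who are able to implement application control using WDAC rather than AppLocker, do so` turn a restrictive clause into a non-restrictive one, so the sentence now recommends that all customers use WDAC and merely remarks in passing that they are able to; the original, without commas, limits the recommendation to those who can. Likewise `user or group-specific rules` drops the suspended hyphen from `user- or group-specific`, which changes the reading to "user rules or group-specific rules"; keep `user- or group-specific`. The remaining comma insertions (`However, in some cases,`, `for shared device scenarios, where`) are fine.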
From 06e5b4213d600ad1af6bf167737003e6ad30e557 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 18 May 2021 09:23:53 +0300 Subject: [PATCH 015/148] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 298d1d7986..28ff8d49c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -75,7 +75,7 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). > [!NOTE] -> User accounts enrolling for Windows Hello for Business in Hybrid Certificate Trust scenario must have UPN matching a verified domain name in Azure AD. More details [here](https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). +> User accounts enrolling for Windows Hello for Business in a Hybrid Certificate Trust scenario must have a UPN matching a verified domain name in Azure AD. For more details, see [Troubleshoot Post-Join issues](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-issues). > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. From 878d041fad0a101b7a29a7470d2e752ec06c76f8 Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 15:23:52 -0700 Subject: [PATCH 016/148] updated guidance for signed policy deployment in the script md file. #9495 --- .../deployment/deploy-wdac-policies-with-script.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 3aed014401..a0308dfadc 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -52,6 +52,20 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p & $RefreshPolicyTool ``` +### Deploying signed policies + +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. + +1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: +```powershell +mountvol J: /S +J: +mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active +``` + +2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active +3. Reboot the system. + ## Script-based deployment process for Windows 10 versions earlier than 1903 1. Initialize the variables to be used by the script. From 8d499af45ea8eaac46d881b2511d7eef6c9fc775 Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 15:37:48 -0700 Subject: [PATCH 017/148] Updated the enforcement doc which has the binary in xml Additionally, removed a note which is directly under the instructions on how to get the PolicyID. --- .../enforce-windows-defender-application-control-policies.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 784baf06c2..6c3b04eb5a 100644 
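Review bot: the link `[Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP)` will not resolve, because generated heading anchors are lower-case (`#deploying-multiple-policies-via-applicationcontrol-csp`), and if that heading lives in another topic the anchor needs the file name in front of it; please confirm the target. The `powershell` fence under step 1 is not indented under the list item, so the numbered list restarts and `2. Copy the signed policy binary...` renders as step 1. `mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active` errors if the directory already exists, which contradicts "make the directory, if it does not exist"; use `New-Item -ItemType Directory -Force` or guard with `Test-Path`. The steps assume `J:` is a free drive letter and leave the EFI volume mounted after the copy; add `mountvol J: /D` after step 2 so the system partition is not left exposed as a drive. Finally, step 2 says to copy the binary "as `{PolicyGUID}.cip`", but the signing topic in this same series produces a `.p7` from signtool, so say explicitly that the signed output must be renamed to `{PolicyGUID}.cip` first.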
--- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -52,8 +52,6 @@ Alice previously created and deployed a policy for the organization's [fully man $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) ``` - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. 3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. @@ -74,7 +72,7 @@ Alice previously created and deployed a policy for the organization's [fully man > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. ```powershell - $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" + $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyID+".cip" ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary ``` From 5e1be4d679c6dc264b91e186d0a62361400eced1 Mon Sep 17 00:00:00 2001 
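Review bot: removing the note `If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly` drops the only guidance for builds where `$EnforcedPolicyID = $EnforcedPolicyID.Substring(11)` would throw on an empty result; the later note `If you did not use -ResetPolicyID in Step 2 above` covers a different case (the user chose not to reset the ID), not a cmdlet that prints nothing, so the two are not redundant. The rename of the binary from `$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"` to `$EnforcedPolicyID+".cip"` is correct for multiple-policy format, where the file must be named `{PolicyID}.cip` to be picked up from `CiPolicies\Active`, and fixes the previous `.xml` extension on a binary; worth adding a sentence saying why the name matters.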
From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 16:02:45 -0700 Subject: [PATCH 018/148] Updated steps for a signed wdac policy and noted the nuance for uefi lock --- ...r-application-control-against-tampering.md | 46 +++++++++++++------ 1 file changed, 31 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index a654d57870..be2010c6e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options To sign a WDAC policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the Windows SDK (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/) (Windows 7 or later) - The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created 
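Review bot: the new link `https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/` hard-codes the `en-US` locale segment, which forces English for readers of localized docs; drop it and let the site select locale (this is corrected later in the series, so the two commits could be squashed). Otherwise adding the SDK link to the SignTool.exe prerequisite is a good change.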
@@ -47,26 +47,29 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 1. Initialize the variables that will be used: - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + ```powershell + $CIPolicyPath=$env:userprofile+"\Desktop\" + $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" + ``` > [!NOTE] - > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information. 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. 4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop` + + ```powershell + cd $env:USERPROFILE\Desktop + ``` 5. 
Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + ```powershell + Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update + ``` > [!NOTE] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. 
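Review bot: the updated note in this hunk now says to change only `$CIPolicyPath` when signing another policy, but `$InitialCIPolicy` is the variable that names the policy file being signed, so it is the one a user must actually update; say both. In the step 5 fence, `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` has an en dash (U+2013) before `Update`; PowerShell tolerates it, but a copied command should use an ASCII hyphen, and the `-CertificatePath` argument placeholder that the following note refers to (`*<Path to exported .cer certificate>*`) needs to be present inside the fence, since angle-bracket placeholders are easily lost when the list item is converted to a code block. `cd $env:USERPROFILE\Desktop` works; `Set-Location` is the idiomatic form for a `powershell` fence.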
@@ -74,17 +77,30 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + ```powershell + Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete + ``` -7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: +7. Reset the policy ID and use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + ```powershell + $PolicyID= Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID + $PolicyID = $PolicyID.Substring(11) + $CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip" + ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin + ``` 8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ```powershell + sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin + ``` > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). \ No newline at end of file +9. 
Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). + + +> [!NOTE] + > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. \ No newline at end of file From 1a5cbd6c594ef58a03da6744c434c1727661105e Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 16:05:43 -0700 Subject: [PATCH 019/148] Small edit of the final binary filename/extension --- ...ct-windows-defender-application-control-against-tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index be2010c6e5..7b136fa662 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md 
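Review bot: step 7 now runs `Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID`, which converts the policy to multiple-policy format and therefore requires Windows 10 version 1903 or later on the target device; the components list at the top of the article mentions only SignTool.exe (Windows 7 or later), so the 1903 requirement should be stated. `$PolicyID = $PolicyID.Substring(11)` assumes the cmdlet prints `PolicyID = {GUID}`; on builds where it prints nothing this throws, and the note covering that case was removed in PATCH 017. In step 8, `sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` writes a detached PKCS#7 named `{PolicyID}.cip.p7` into the current directory, so step 9's "signed policy file called DeviceGuardPolicy.bin.p7" is stale and a rename to `{PolicyID}.cip` is needed before the file can be deployed. The added NOTE has `> [!NOTE]` at column 0 but the next line indented by two spaces (`  > The device with the signed policy...`), which renders as two separate elements rather than one callout, and the file still ends without a trailing newline.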
@@ -99,7 +99,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). +9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). > [!NOTE] From f8c73443282198524fa19649560e103b2e301e40 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 19 May 2021 14:01:42 +0530 Subject: [PATCH 020/148] Create bitlocker-deployment-comparison.md created new topic per task 5120578 --- .../bitlocker-deployment-comparison.md | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md new file mode 100644 index 0000000000..9918e7eea1 --- /dev/null 
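Review bot: `{PolicyID}.cip` is not what step 8 produces: signtool invoked with `-p7 .` emits `{PolicyID}.cip.p7` in the current directory, so either state that the output is `{PolicyID}.cip.p7` and add a rename step to `{PolicyID}.cip`, or the EFI copy in the script-deployment topic (`Copy the signed policy binary as {PolicyGUID}.cip`) will not find the file. `{PolicyID}` should also be formatted as the placeholder it is (code font, with a sentence saying it is the GUID returned in step 7) rather than appearing as literal prose.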
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -0,0 +1,91 @@ +--- +title: BitLocker deployment comparison (Windows 10) +description: This article for the IT professional explains how +BitLocker features can be used to protect your data through drive +encryption. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: v-lsaldanha +ms.author: lovina-saldanha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 +ms.custom: bitlocker +--- + +# Bitlocker deployment comparison + +**Applies to** + +- Windows 10 + +This article for the IT professional explains how BitLocker +features can be used to protect your data through drive encryption. + +## Bitlocker deployment comparison chart + + + +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +|---------|---------|---------|---------| +|**Requirements**|||| +|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | +|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|Minimum Windows 10 version |1909** | None | None | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|Cloud or on premises | Cloud | On premises | On premises | +|Server components required? | | | | +|Additional agent required? 
| No (device enrollment only) | Configuration Manager client | MBAM client | +|Administrative plane | Microsoft Endpoint Manager +admin center | Configuration Manager console | Group Policy Management Console +and MBAM sites | +|Administrative portal installation required | | | | +|Compliance reporting capabilities | | | | +|Force encryption | | | | +|Encryption for storage cards (mobile) | | | | +|Allow recovery password | | | | +|Manage startup authentication | | | | +|Select cipher strength and algorithms for fixed +drives | | | | +|Select cipher strength and algorithms for +removable drives | | | | +|Select cipher strength and algorithms for operating +environment drives | | | | +|Standard recovery password storage location | Azure AD or +Active Directory | Configuration Manager site database | MBAM database | +|Store recovery password for operating system and +fixed drives to Azure AD or Active Directory | Yes (Active Directory and +Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Customize preboot message and recovery link | | | | +|Allow/deny key file creation | | | | +|Deny Write permission to unprotected drives | | | | +|Can be administered outside company network | | | | +|Support for organization unique IDs | | | | +|Self-service recovery | Yes (through Azure AD or +Company Portal app) | | | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | | | +|Allow or deny Data Recovery Agent | | | | +|Unlock a volume using certificate with custom object identifier | | | | +|Prevent memory overwrite on restart | | | | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | +|Manage auto-unlock functionality | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | 
| +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | + From cc7ad8b42c92e4f747d51b9cfb1ba2550762ae6f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 14:04:36 +0530 Subject: [PATCH 021/148] new-img-5120578 Added newly per 5120578 task --- .../bitlocker/images/dot.png | Bin 0 -> 674 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png new file mode 100644 index 0000000000000000000000000000000000000000..8dc160da790bb40082cb31ae078125c8dd9bcb14 GIT binary patch literal 674 zcmV;T0$u%yP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0yjxSK~z{r?U%c2 zQ(+i~3&o|-O`SyPQlTKIn<%*U4{-J$=q_#54v~7JR1L+DMI0P-P%@>J22p54u|uqB zn>0zyMVqvZxoR$_P2Qe2d<9A0ez$W18S=nyI`F;^-*>)SA9OK2IbC{ky4WJOUETv< zqzvzZMewW^;ajQ#RinYa>Z2`}$k$V0grRRdcqIK3LAdff1}~R$+M>#G^}Pn% zd7o)Dr=+NyxgUZ>b7WOflKWLK;Nr6=DIk+u-ZV6uO;$~ev|KW8z|bRl3RN=Z*^(BN zlEbOIWMRbGGxs^mD)W(&yKVksR1@6{++Br@-5RTYJVLp2$$%4+bQ3GN@hZtW9FI`W z;oByQTMe%E-$jFUp%KbmcoHFt+mWYB{C|%tS1~tFmHkXLH{YaKCmOC?V5>?NwJVpM zQPzouE9Z~@Ba7OV;h7EAiH0lpCDB>Ak=Y3AM8lQC)kGDwE2A&stP>4a4v(4B_twe6 zc4T}$!#dG$^Jxq0HGXCEiQSgft5J@;=^Ak zhpeQlww|w7T`}RPAyRS(UUR5MsySsYuxPfoh$%U3zl5bg>-30U^uP%Z6!0+5i9m07*qo IM6N<$f`#cUv;Y7A literal 0 HcmV?d00001 From 42430085302dd9383967037dedde47ecaffa4fb4 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 16:02:43 +0530 Subject: [PATCH 022/148] new-image-5120578 added new image per 5120578 --- .../bitlocker/images/dot1.png | Bin 0 -> 739 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot1.png 
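Review bot: the table ends with twelve placeholder rows (`|Row6 | | | |` / `|Row7 | | | |`) that must be deleted before merge, and roughly twenty feature rows (from `|Administrative portal installation required | | | |` through `|Manage auto-unlock functionality | | | |`) have all three cells empty, so the comparison currently says nothing for most features; fill them or drop them. Several cells contain hard line breaks, for example `|Administrative plane | Microsoft Endpoint Manager` continued on the next line as `admin center | Configuration Manager console | Group Policy Management Console`, which breaks markdown table parsing; each row must be a single line. The `*` after `(MBAM)*` and the `**` after `1909**` have no corresponding footnotes. In the front matter, `ms.date: 02/28/2019` predates the file's creation, the `description:` repeats the generic BitLocker sentence instead of describing a deployment comparison, and `title:`/`# Bitlocker deployment comparison` should use the product spelling `BitLocker`.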
diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png new file mode 100644 index 0000000000000000000000000000000000000000..c9ec7c52ab41b4f5c567d7a8db90e7b679d47928 GIT binary patch literal 739 zcmV<90v!E`P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0(eP8K~z{r?Uv1J z6G0e8QliJp_RPmysB2_7-AR-DyPsKk#p<-_>^x&}`lwLfDf_l&vZ-PCE z2r7D052@HHqK87HF-;efY-97WP3nw}r0vY4yPFNY_&~_KbC`W*-kEnsSt4Maaj^e& z#qvrdGK-ju=b+_Fa40}?qZ|7I8{l!9pO-0#XsUp_?~-^lkw!GFv)(dJBGcJgkG@VH zE*#iwSjdn>VX=g3ujX+5wThxa<(5Vl9`rWj)b5R}N6wlOGi1g+qfvbLkz+mP7z+Dw z<4gdGLY7HFMTzez9o_e)F`eX>-VFW6w&K>gpj1SfG@63*W6`PwD7WAK#2xaJA(a>= zdtkz13PcP&o5eRZ&!UwGCF1isM&76_vWEqI30I#dShNzM#Qpb4=p`1|$oMA>F^x~J zP~!2V##;75kGE)SP9jT|;B!KpJ3ENXWLc{WC-GG+7%oUwn40A$$VvPv)L=6#BO@4} zlc4p#mbmC`w+c?8b&H#|YQrwU_?$%3CKq;ioh-7SgH0aRD#J<8`W|lgvdDhI?G3C| zhLfONKI&sFdkK+LoZiDA44&}AX=GzkXi6TE2Z@E3nv||kJ+6=| zU4-;A`-2|b> Date: Wed, 19 May 2021 16:20:57 +0530 Subject: [PATCH 023/148] Update bitlocker-deployment-comparison.md added dot image --- .../bitlocker/bitlocker-deployment-comparison.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 9918e7eea1..ad4b1b82b8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -46,9 +46,9 @@ features can be used to protect your data through drive encryption. admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | | | -|Compliance reporting capabilities | | | | -|Force encryption | | | | -|Encryption for storage cards (mobile) | | | | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | |Allow recovery password | | | | |Manage startup authentication | | | | |Select cipher strength and algorithms for fixed From 8eb663502c57c6ed3a5a3d7db50d904f07d0809f Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Wed, 19 May 2021 08:43:49 -0700 Subject: [PATCH 024/148] Update windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...-windows-defender-application-control-against-tampering.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
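Review bot: the new cells use `alt-text="dot"` for both `images/dot.png` and `images/dot1.png`, which tells screen-reader users nothing, and the two images are distinguished only visually with no legend explaining what a `dot1` cell means versus `dot`; give the alt text the meaning it carries (for example `alt-text="Supported"` and whatever dot1 denotes) and add a legend under the table, or simply write Yes/No as the existing `| Yes (Active Directory only) |` cells already do. Plain text also avoids embedding a binary image per cell and keeps the table diffable.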
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 7b136fa662..e2566ae779 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -37,7 +37,7 @@ Before signing WDAC policies for the first time, be sure to enable rule options To sign a WDAC policy with SignTool.exe, you need the following components: -- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk/) (Windows 7 or later) +- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later) - The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created @@ -103,4 +103,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] - > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. \ No newline at end of file + > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. From cd644020c1802336d263881896eda53d04437d85 Mon Sep 17 00:00:00 2001 
From: Jordan Geurten Date: Wed, 19 May 2021 09:15:56 -0700 Subject: [PATCH 025/148] Update windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...ct-windows-defender-application-control-against-tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index e2566ae779..498c736696 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -103,4 +103,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign > [!NOTE] - > The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. +> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. From 44a1e12b9d5208b4b18861fc3b064e0e59653abf Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Wed, 19 May 2021 17:32:36 -0500 Subject: [PATCH 026/148] Update security-compliance-toolkit-10.md Updating versions supported. --- .../security-compliance-toolkit-10.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 3662667af2..2a578d07ab 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -28,13 +28,13 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines - - Windows 10 Version 20H2 (October 2020 Update) - - Windows 10 Version 2004 (May 2020 Update) - - Windows 10 Version 1909 (November 2019 Update) - - Windows 10 Version 1809 (October 2018 Update) - - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1607 (Anniversary Update) - - Windows 10 Version 1507 + - Windows 10, Version 21H1 (May 2021 Update) + - Windows 10, Version 20H2 (October 2020 Update) + - Windows 10, Version 2004 (May 2020 Update) + - Windows 10, Version 1909 (November 2019 Update) + - Windows 10, Version 1809 (October 2018 Update) + - Windows 10, Version 1607 (Anniversary Update) + - Windows 10, Version 1507 - Windows Server security baselines - Windows Server 2019 @@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of: - Windows Server 2012 R2 - Microsoft Office security baseline - - Microsoft 365 Apps for enterprise (Sept 2019) + - Microsoft 365 Apps for enterprise, Version 2104 - Microsoft Edge security baseline - Version 88 From fdad2a91e3dd95bdea16f8528a7b9b96ac3fff7e Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:46:05 +0530 Subject: [PATCH 027/148] Update bitlocker-deployment-comparison.md Created newly for task 5120578 - Bitlocker Comparison Chart --- .../bitlocker-deployment-comparison.md | 79 +++++++------------ 1 file changed, 28 insertions(+), 51 deletions(-) 
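Review bot: the first hunk silently drops `Windows 10 Version 1803 (April 2018 Update)` from the baselines list while adding 21H1; if the 1803 baseline is intentionally retired, say so in the commit message instead of leaving it under "Updating versions supported", and if not, restore the line. The new entries also introduce a comma ("Windows 10, Version 21H1") that the removed lines did not have, so make sure the same convention is used for the Office entry in the second hunk and elsewhere on the page.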
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index ad4b1b82b8..749082dd5f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,8 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article for the IT professional explains how -BitLocker features can be used to protect your data through drive -encryption. +description: This article shows the Bitlocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -14,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 05/20/2021 ms.custom: bitlocker --- @@ -24,13 +22,10 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional explains how BitLocker -features can be used to protect your data through drive encryption. +This article for the IT professional depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart - - | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| |**Requirements**|||| 
@@ -40,52 +35,34 @@ features can be used to protect your data through drive encryption. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | | | +|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | -|Administrative plane | Microsoft Endpoint Manager -admin center | Configuration Manager console | Group Policy Management Console -and MBAM sites | -|Administrative portal installation required | | | | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | -|Allow recovery password | | | | -|Manage startup authentication | | | | -|Select cipher strength and algorithms for fixed -drives | | | | -|Select cipher strength and algorithms for -removable drives | | | | -|Select cipher strength and algorithms for operating -environment drives | | | | +|Administrative plane | Microsoft Endpoint Manager 
admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Allow recovery password | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for 
operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | | | | -|Allow/deny key file creation | | | | -|Deny Write permission to unprotected drives | | | | -|Can be administered outside company network | | | | -|Support for organization unique IDs | | | | -|Self-service recovery | Yes (through Azure AD or -Company Portal app) | | | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | | | -|Allow or deny Data Recovery Agent | | | | -|Unlock a volume using certificate with custom object identifier | | | | -|Prevent memory overwrite on restart | | | | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | -|Manage auto-unlock functionality | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | - +|Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" 
alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" 
alt-text="dot"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From f4006bb298f1047b8b2c162d2ba97caafed7ffac Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:57:10 +0530 Subject: [PATCH 028/148] Update bitlocker-deployment-comparison.md To fix build issues --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 749082dd5f..e01dbd312c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: v-lsaldanha -ms.author: lovina-saldanha +author: lovina-saldanha +ms.author: v-lsaldanha manager: dansimp audience: ITPro ms.collection: M365-security-compliance From e67a850344a65aa8473a0cf9ee44550c909ec43d Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 12:19:06 +0530 Subject: [PATCH 029/148] Update bitlocker-deployment-comparison.md updated --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
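Review bot: the new description `This article shows the Bitlocker deployment comparison chart.` in the first hunk and the section heading `## Bitlocker deployment comparison chart` in the third hunk spell the product "Bitlocker" while the rest of the page writes "BitLocker"; fix the casing in both places. The header cell `Microsoft BitLocker Administration and Monitoring (MBAM)*` carries an asterisk whose footnote does not appear anywhere in the diff, so confirm the page actually defines it.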
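Review bot: in the table hunk every marker uses `alt-text="dot"`, which conveys nothing to a screen-reader user; replace it with alt text that states the cell's meaning (for example "Supported"). Removing the `Row6`/`Row7` placeholder rows and normalizing the mixed `dot.png`/`dot1.png` references to one file are both good, but the hunk also fills the Configuration Manager and MBAM cells of "Self-service recovery" and "Recovery password rotation for fixed and operating environment drives", which were blank before; confirm those products really support the feature rather than filling cells by default.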
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index e01dbd312c..6ba03dc4d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -22,7 +22,7 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional depicts the BitLocker deployment comparison chart. +This article depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart From 366544ec62a2b665fef59b2330af2d0ca4be9ae7 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 13:56:05 +0530 Subject: [PATCH 030/148] Update TOC.yml updated toc per task 5120578 --- windows/security/information-protection/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml index 9965f322db..bcaa9d74d7 100644 --- a/windows/security/information-protection/TOC.yml +++ b/windows/security/information-protection/TOC.yml @@ -29,6 +29,8 @@ href: bitlocker\bitlocker-using-with-other-programs-faq.yml - name: "Prepare your organization for BitLocker: Planning and policies" href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: bitlocker\bitlocker-deployment-comparison.md - name: BitLocker basic deployment href: bitlocker\bitlocker-basic-deployment.md - name: "BitLocker: How to deploy on Windows Server 2012 and later" From d1f23943124836f6438ab53e6107ca774c4a861d Mon Sep 17 00:00:00 2001 
From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 20 May 2021 17:59:10 +0530 Subject: [PATCH 031/148] New-5120578 New image added --- .../bitlocker/images/dot_new.png | Bin 0 -> 734 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot_new.png b/windows/security/information-protection/bitlocker/images/dot_new.png new file mode 100644 index 0000000000000000000000000000000000000000..af2bab3c631974672dd255ab793f124a34b980e1 GIT binary patch literal 734
Date: Thu, 20 May 2021 19:46:38 +0530 Subject: [PATCH 032/148] Update bitlocker-deployment-comparison.md image correction --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 6ba03dc4d8..dd32f174a6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -35,7 +35,7 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From 37fbfbcde78be2867fa411c950656bd4b249e49b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 21:17:52 +0530 Subject: [PATCH 033/148] added Allow Update Compliance Processing as per user feedback issue #9540, so I added **Allow Update Compliance Processing** policy-related settings in this article, after looking at GPO in windows 10 pre release build 21h1 19043.985. --- .../mdm/policy-csp-system.md | 78 ++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) 
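Review bot: this hunk gives the Configuration Manager cell of "Server components required?" a different glyph (`dot_new.png`, alt text "dots") from the MBAM cell (`dot1.png`, alt text "dot"), but nothing in the visible table explains what the two symbols mean; add a legend or footnote for the distinction, and make the alt text describe the meaning rather than the picture.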
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..a9ccc9b578 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -49,6 +49,9 @@ manager: dansimp

System/AllowTelemetry
+
+ System/AllowUpdateComplianceProcessing +
System/AllowUserToResetPhone
@@ -791,6 +794,77 @@ ADMX Info: +
+ + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark6
Businesscheck mark6
Enterprisecheck mark6
Educationcheck mark6
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. + +If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. + +If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. + + + +ADMX Info: +- GP English name: *Allow Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP element: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 - Disabled. +- 16 - Enabled. + + + +
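Review bot: the edition table in this hunk marks Pro, Business, Enterprise and Education with footnote 6 (Windows 10, version 1903), yet the commit message says the setting was located in a 21H1 pre-release build and this same patch adds footnotes 9 and 10 for 20H2 and 21H1; confirm the earliest version that ships `AllowUpdateComplianceProcessing` and cite the matching footnote. The description `If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service.` has a capitalized verb mid-sentence and no subject; reword it to "If you enable this policy setting, data flows through Update Compliance's data processing system and the device is explicitly enrolled in the service." The supported values `0 - Disabled` and `16 - Enabled` are unusual for a policy CSP; a one-line note on why the enabled value is 16 would save readers a trip to the ADMX.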
@@ -1778,5 +1852,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. +- 10 - Available in Windows 10, version 21H1. - \ No newline at end of file + From 9a024df7b281dda143f89bd32ad6300ba49d2ce2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 22:43:25 +0530 Subject: [PATCH 034/148] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a9ccc9b578..787fbbbb2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -50,7 +50,7 @@ manager: dansimp System/AllowTelemetry
- System/AllowUpdateComplianceProcessing + System/AllowUpdateComplianceProcessing
System/AllowUserToResetPhone From 6ae73515243ffa2be999d1be9c910e70fed145f2 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 20 May 2021 11:15:00 -0700 Subject: [PATCH 035/148] authorized apps merged configure managed installer 1. Created new page that merged "Authorize apps installed by a managed installer" with Configure a WDAC managed installer. 2. Updated TOC2 with merged file name. --- .../TOC2.yml | 2 +- ...-apps-deployed-with-a-managed-installer.md | 194 ++++++++++++++++++ 2 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml index 474b426029..bb66da245a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml @@ -74,7 +74,7 @@ landingContent: - linkListType: how-to-guide (written) links: - text: Allow managed installer and configure managed installer rules - url: use-windows-defender-application-control-with-managed-installer.md + url: configure-authorized-apps-deployed-with-a-managed-installer.md - text: Allow reputable apps with ISG url: use-windows-defender-application-control-with-intelligent-security-graph.md # Card diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md new file mode 100644 index 0000000000..3922be1e3b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md 
@@ -0,0 +1,194 @@ +--- +title: Configure authorized apps deployed with a WDAC managed installer (Windows 10) +description: Explains how to configure a custom Manged Installer. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 08/14/2020 +ms.technology: mde +--- + +## Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control + +**Applies to:** + +- Windows 10 +- Windows Server 2019 + +Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. + +## How does a managed installer work? + +A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. + +Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. 
Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. + +You should ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer. + +## Security considerations with managed installer + +Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. +It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM). + +Users with administrator privileges, or malware running as an administrator user on the system, may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. + +If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. + +Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation. 
+ +## Known limitations with managed installer + +- Application control, based on managed installer, does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information, and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer, or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. + +- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). + +- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. + +- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. + +## Configuring the managed installer + +Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled. +There are three primary steps to keep in mind: + +- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy. 
+- Enable service enforcement in AppLocker policy. +- Enable the managed installer option in a WDAC policy. + +## Specify managed installers using the Managed Installer rule collection in AppLocker policy + +The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection. + +### Create Managed Installer rule collection + +Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the simple changes needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO. + +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability. + + ```powershell + Get-ChildItem | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml + ``` + +2. Manually rename the rule collection to ManagedInstaller + + Change + + ```powershell + + ``` + + to + + ```powershell + + ``` + +An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below. + +```xml + + + + + + + + + + + + + + + + +``` + +### Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit only rule will suffice. 
This can be added to the policy created above, which specifies your managed installer rule collection. + +For example: + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. + +Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option. + +1. Copy the DefaultWindows_Audit policy into your working folder from "C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + +2. Reset the policy ID to ensure it is in multiple policy format, and give it a different GUID from the example policies. Also, give it a friendly name to help with identification. + + For example: + + ```powershell + Set-CIPolicyIdInfo -FilePath -PolicyName "" -ResetPolicyID + ``` + +3. Set Option 13 (Enabled:Managed Installer) + + ```powershell + Set-RuleOption -FilePath -Option 13 + ``` + +## Set the AppLocker filter driver to autostart + +To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it. + +To do so, run the following command as an Administrator: + +```console +appidtel.exe start [-mionly] +``` + +Specify "-mionly" if you will not use the Intelligent Security Graph (ISG). + +## Enabling managed installer logging events + +Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events. \ No newline at end of file From 13f59c7b058804c40fdd1ea8b50d5e5775db00f9 Mon Sep 17 00:00:00 2001 
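Review bot: in step 2 of "Create Managed Installer rule collection", the two before/after snippets that show the rule collection being renamed are fenced as powershell, but what they hold is AppLocker policy XML (the Type="ManagedInstaller" attribute the surrounding sentence describes), and the full example immediately below already uses an xml fence; retag both snippets as xml so the rendered highlighting matches. A structure point in the same hunk: "Configuring the managed installer" lists three parallel steps, yet "Enable service enforcement in AppLocker policy" is an H3 under "Specify managed installers using the Managed Installer rule collection in AppLocker policy" while "Enable the managed installer option in WDAC policy" is an H2; promote the service-enforcement section to H2 so the headings mirror the three-step list. Finally, "a simple audit only rule will suffice" is the only statement of why the service rule collection needs an entry; hyphenate "audit-only" and say in the same sentence that the rule exists to turn on tracking, not to allow anything, so nobody reads it as an authorization rule.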
From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 20 May 2021 14:02:10 -0700 Subject: [PATCH 036/148] Update policy-csp-authentication.md updated description for web sign in policy --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d62b5b232d..0c1b971103 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials like Temporary Access Pass > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. From 4867c75d1f89c3f1efe92ef338d4134b046f4137 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 20 May 2021 15:29:01 -0700 Subject: [PATCH 037/148] Update windows/client-management/mdm/policy-csp-authentication.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 0c1b971103..1b75bd9a6b 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md 
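Review bot: the replacement sentence in the @@ -542 hunk drops the terminal period ("... like Temporary Access Pass" ends without one), and it removes the previous statement that Web Sign-in enables logon for non-ADFS federated providers (e.g. SAML) without saying whether that support is gone or merely no longer the headline; if the intent is to narrow the description, say so in the commit message, and if federated providers are still supported, keep a sentence listing what the policy does and does not cover so readers of the old text do not conclude SAML logon was withdrawn.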
@@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials like Temporary Access Pass +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. From d2a7d0718fe7b8174f044b5ae646f3db717535e7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 20 May 2021 17:15:23 -0700 Subject: [PATCH 038/148] Updated language about explicit allow or deny rules Clarified language regarding when WDAC calls the cloud to determine a binary's reputation. --- ...der-application-control-with-intelligent-security-graph.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 7ad4a8467b..dcd705cd5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -31,7 +31,9 @@ Beginning with Windows 10, version 1709, you can set an option to automatically ## How does the integration between WDAC and the Intelligent Security Graph work? -The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When a binary runs on a system with WDAC enabled with the ISG option, WDAC checks the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the binary runs, it is allowed based on its positive reputation unless there is an explicit deny rule set in the WDAC policy. Conversely, a file that has unknown or known bad reputation will be allowed if your WDAC policy explicitly allows it. +The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. + +If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud, rendering ISG reputation information as moot. 
If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. From 9de68009d2568d04aaa2e4d87fb5d2345c7a46f7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 20 May 2021 17:36:16 -0700 Subject: [PATCH 039/148] Updated select-types-of-rules-to-create Created a "More information about hashes," and placed it above the "Windows Defender Application Control filename rules" section. --- .../select-types-of-rules-to-create.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 1314fa6e21..e91bfb3d64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
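Review bot: the rewrite in the @@ -31 hunk drops the sentence "Every time the binary runs, it is allowed based on its positive reputation unless there is an explicit deny rule set in the WDAC policy", which was the only place that explained what the $KERNEL.SMARTLOCKER.ORIGINCLAIM EA is used for on later runs; keep it (or fold it into the new second paragraph) so the reader learns that the EA written on the first run, not a fresh cloud lookup, is what authorizes subsequent executions, and that an explicit deny still wins. The new first paragraph also picks up two stray commas ("on a system, with WDAC enabled" and "the file's reputation, by sending") that split a single clause, and "rendering ISG reputation information as moot" reads as editorial; "in that case the ISG result is not consulted" says the same thing neutrally.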
@@ -126,6 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +## More information about hashes + +### Why does scan create 4 hash rules per XML file? + +(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256) +During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. + +In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. + +### Why does scan create 8 hash rules for certain XML files? + +Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution. + ## Windows Defender Application Control filename rules File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. From 6c0242ca208802d1ba7b4430892d63942287f0b0 Mon Sep 17 00:00:00 2001 
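Review bot: the two new H3 headings say "per XML file" and "for certain XML files", but the rules are generated per scanned binary and written into the policy XML, so "per file" (or "for each scanned file") is what the body text actually describes. In the same hunk, "(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256)" is left as a bare parenthetical line before the paragraph that explains it; fold it into a sentence such as "The scan produces four hash rules per file: Hash Sha1, Hash Sha256, Hash Page Sha1 and Hash Page Sha256." Also, "E.g." opens a sentence (use "For example"), "pre calculate" should be "pre-calculate", and "sha1/sha2 authenticode" should be "SHA1/SHA256 Authenticode" so the names match the four rule types listed above.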
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:16:50 +0530 Subject: [PATCH 040/148] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 787fbbbb2a..828bc97b2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -842,7 +842,7 @@ ADMX Info: Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. -If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. +If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. From 64de74b17d47d461eb6c47200e47bac57946e5b8 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:29:06 +0530 Subject: [PATCH 041/148] made boot to System/BootStartDriverInitialization as per user feedback from @illfated under issue #9554, so I made the sentence **System/BootStartDriverInitialization** bold. --- windows/client-management/mdm/policy-csp-system.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..3a5f16aba7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -852,6 +852,7 @@ The following list shows the supported values:
+ **System/BootStartDriverInitialization** @@ -1779,4 +1780,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 33d5c8c5867c7c413574cc96abc6f8d455b54575 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Fri, 21 May 2021 10:00:18 -0700 Subject: [PATCH 042/148] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md updated the security considerations section as it does not take Azure AD joined devices into consideration, which are verified and authenticated by Azure AD --- ...requests-to-this-computer-to-use-online-identities.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 716b1da171..671eb87720 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -74,17 +74,18 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. ### Countermeasure -Set this policy to *Disabled* or don't configure this security policy for domain-joined devices. +Set this policy to *Disabled* or don't configure this security policy for *on-premises only* environments. ### Potential impact -If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices. 
+If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. + +If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. -Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. ## Related topics From 7bd22fdeb383508dfc31cac8927c6227d32a57a4 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 21 May 2021 14:47:28 -0700 Subject: [PATCH 043/148] Delete TOC2.yml --- .../TOC2.yml | 113 ------------------ 1 file changed, 113 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/TOC2.yml diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml b/windows/security/threat-protection/windows-defender-application-control/TOC2.yml deleted file mode 100644 index bb66da245a..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/TOC2.yml +++ /dev/null 
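Review bot: "it does not pose any threats in a hybrid environment" in the Vulnerability paragraph of the @@ -74 hunk overstates the case, because the same paragraph still names a consumer Microsoft account alongside an Azure AD account as the online identities this setting admits; enabling PKU2U on a hybrid-joined device admits both, so the hybrid justification should be phrased as "this policy is required for Azure AD joined devices to authenticate to each other using certificates issued by Azure AD", with a sentence noting that peer authentication with non-organizational online identities is still governed by the same switch. Two smaller points in the same hunk: "some roles/features ... do not utilize a domain account for its PKU2U authentication" needs "their", and the Countermeasure line now says "for *on-premises only* environments" while the Vulnerability text says the policy "may not be relevant" there; make both say the same thing (not relevant versus should be disabled are different recommendations).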
@@ -1,113 +0,0 @@ - -### WDAC:Landing -title: Application Control for Windows -metadata: - title: Application Control for Windows - description: Landing page for Windows Defender Application Control -# services: service -# ms.service: microsoft-WDAC-AppLocker -# ms.subservice: Application-Control -# ms.topic: landing-page -# author: Kim Klein -# ms.author: Jordan Geurten -# manager: Jeffrey Sutherland -# ms.update: 04/30/2021 -# linkListType: overview | how-to-guide | tutorial | video -landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card - - title: Learn about Application Control - linkLists: - - linkListType: overview - links: - - text: What is WDAC (WDAC Overview)? - url: wdac-and-applocker-overview.md - - text: What is AppLocker? - url: applocker\applocker-overview.md - - text: WDAC and AppLocker feature availability - url: feature-availability.md - # Card - - title: Learn about the Design Guide - linkLists: - - linkListType: overview - links: - - text: Using code signing to simplify application control - url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md - - text: Merging Policies - url: wdac-wizard-merging-policies.md - - text: Recommended blocks - url: microsoft-recommended-block-rules.md - - text: Recommended driver blocks - url: microsoft-recommended-driver-block-rules.md - - text: Example policies - url: example-wdac-base-policies.md - - text: LOB Win32 apps on S Mode - url: LOB-win32-apps-on-s.md - - linkListType: how-to-guide - links: - - text: Create a WDAC policy for a lightly managed device - url: cardreate-wdac-policy-for-lightly-managed-devices.md - - text: Create a WDAC policy for a fully managed device - url: create-wdac-policy-for-fully-managed-devices.md - - text: Create a WDAC policy for a fixed-workload - url: create-initial-default-policy.md - - text: Using catalog files - url: 
deploy-catalog-files-to-support-windows-defender-application-control.md - - text: WDAC Wizard tool - url: wdac-wizard.md - - linkListType: Tutorial (videos) - links: - - text: Using the WDAC Wizard - url: video md - - text: Specifying custom values - url: video md - # Card - - title: Learn about Policy Configuration - linkLists: - - linkListType: overview - links: - - text: Understanding policy rules - url: - - text: Understanding File rules - url: - - linkListType: how-to-guide (written) - links: - - text: Allow managed installer and configure managed installer rules - url: configure-authorized-apps-deployed-with-a-managed-installer.md - - text: Allow reputable apps with ISG - url: use-windows-defender-application-control-with-intelligent-security-graph.md - # Card - - title: Learn how to deploy WDAC Policies - linkLists: - - linkListType: overview - links: - - text: Signed policies - url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md - - text: Audit and enforce policies - url: audit-and-enforce-windows-defender-application-control-policies.md - - text: Disabling WDAC policies - url: disable-windows-defender-application-control-policies.md - - linkListType: tutorial - links: - - text: Deployment with MDM - url: deploy-windows-defender-application-control-policies-using-intune.md - - text: Deployment with MEMCM - url: deployment/deploy-wdac-policies-with-memcm.md - - text: Deployment with script and refresh policy - url: deployment/deploy-wdac-policies-with-script.md - # Card - - title: Learn how to monitor and reiterate WDAC Policies (operational) - linkLists: - - linkListType: overview - links: - - text: Event logs (tags, IDs) - url: event-id-and-tag-explanations.md - - linkListType: how-to-guide - links: - - text: Querying using advanced hunting - url: querying-application-control-events-centrally-using-advanced-hunting.md - - linkListType: tutorial - links: - - text: Creating a policy from event logs (video) - url: 
#Jordan will create a video for this \ No newline at end of file From 988b07c78c4ec090e719c80b5f30be474e0c4730 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 24 May 2021 09:59:45 +0530 Subject: [PATCH 044/148] Update bitlocker-deployment-comparison.md To fix edit issue --- .../bitlocker/bitlocker-deployment-comparison.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index dd32f174a6..2ef7fbf2b9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -49,9 +49,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | -|Store recovery password for operating system and -fixed drives to Azure AD or Active Directory | Yes (Active Directory and -Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From e57ba5b729344902306418ac00a608744c751d70 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 24 May 2021 15:46:24 +0530 Subject: [PATCH 045/148] Changed instances of "Bitlocker" to BitLocker" to keep the terminology consistent --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 2ef7fbf2b9..d3e5e2f766 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -16,7 +16,7 @@ ms.date: 05/20/2021 ms.custom: bitlocker --- -# Bitlocker deployment comparison +# BitLocker deployment comparison **Applies to** @@ -24,7 +24,7 @@ ms.custom: bitlocker This article depicts the BitLocker deployment comparison chart. -## Bitlocker deployment comparison chart +## BitLocker deployment comparison chart | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| From d8b97435929ea25323d7e1447ccc181ea2b54802 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:09:43 -0700 Subject: [PATCH 046/148] Task ID 29550212 Made recommended edit. --- .../select-types-of-rules-to-create.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e91bfb3d64..000dc79659 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -126,14 +126,14 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. -## More information about hashes +## More information about hashes -### Why does scan create 4 hash rules per XML file? +### Why does scan create four hash rules per XML file? -(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256) -During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. +The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. +During validation CI will choose which hashes to calculate depending on how the file is signed. For example, if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash. -In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. +In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. ### Why does scan create 8 hash rules for certain XML files? From 5e53adc4effca1e0294803f0385c8ba9c95364af Mon Sep 17 00:00:00 2001 
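Review bot: the new first sentence in the @@ -126 hunk, "The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.", is missing a conjunction and reads as if Authenticode applies only to the first item; "... produces four hashes: Authenticode SHA1, Authenticode SHA256, SHA1 page hash and SHA256 page hash" keeps the pairing the next paragraph relies on. The comma added in "This is also resilient, if the signing status of the file changes and necessary for deny rules" makes that sentence harder to parse rather than easier; "This is also resilient to changes in the file's signing status, and is necessary for deny rules to ensure that ..." is the intended reading. And since the first heading was changed from "4" to "four", the untouched "Why does scan create 8 hash rules for certain XML files?" heading should become "eight" (and "per file" rather than "XML files", since the rules are per scanned binary) for consistency.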
From: Kim Klein Date: Mon, 24 May 2021 11:13:53 -0700 Subject: [PATCH 047/148] Task ID 33324832 Made 2 recommended edits. --- ...d-enforce-windows-defender-application-control-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 31f6314425..04664080a7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -32,7 +32,7 @@ While a WDAC policy is running in audit mode, any binary that runs but would hav ## Overview of the process to create WDAC policy to allow apps using audit events -> [!Note] +> [!NOTE] > You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. 
@@ -75,7 +75,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. -## Convert WDAC **base** policy from audit to enforced +## Convert WDAC **BASE** policy from audit to enforced As described in [common WDAC deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. From c1ae84c81f44ae1590a5e7830745c0bc1ab65e4e Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:34:24 -0700 Subject: [PATCH 048/148] Task ID 33324832 Fixed primary heading size. --- ...and-enforce-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 04664080a7..4b1860ea36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -19,7 +19,7 @@ ms.date: 05/03/2021 ms.technology: mde --- -## Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced +# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced **Applies to:** From 75160b732405a061f12a6869ad46e40c3280566b Mon Sep 17 00:00:00 2001 
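Review bot: the H1 in the @@ -19 hunk still reads "Convert **base** policy from audits to enforced" after the preceding commit changed the section heading to "**BASE**", and that section heading says "from audit to enforced"; pick one casing for "base" (lowercase matches "Base or Supplemental policy" in step 8 of the same page) and use "audit" in both places, and lowercase "Convert" mid-title. The level change itself (## to #) is the right fix for the title line that sits directly under the front matter.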
From: Kim Klein Date: Mon, 24 May 2021 11:38:02 -0700 Subject: [PATCH 049/148] Task ID 31558721 Removed "rendering ISG reputation as moot" --- ...ender-application-control-with-intelligent-security-graph.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index dcd705cd5b..082eb3a3f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -33,7 +33,7 @@ Beginning with Windows 10, version 1709, you can set an option to automatically The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with WDAC enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. -If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud, rendering ISG reputation information as moot. +If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. From b9fcf4421627b005f5db5268a4e90486e3260a20 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:40:32 -0700 Subject: [PATCH 050/148] Task ID 33324832 Fixed first heading. --- ...nfigure-authorized-apps-deployed-with-a-managed-installer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
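Review bot: After the deletion the second sentence of the `+` line stops at "then WDAC will not make a call to the cloud" without saying why, so the reader loses the precedence rule that the removed clause at least implied. Suggest stating it plainly, for example "...will not make a call to the cloud, because an explicit allow or deny rule in the policy takes precedence over ISG reputation." That keeps the commit's intent (dropping the "moot" phrasing) while preserving the information.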
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 3922be1e3b..6612e9fbf7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -18,7 +18,7 @@ ms.date: 08/14/2020 ms.technology: mde --- -## Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control +# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control **Applies to:** From 84458fe2ffb40b4f2165e5e07ac62cac9e721629 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 11:46:21 -0700 Subject: [PATCH 051/148] Updated wdac-and-applocker-overview document Restored first heading size and made suggested text edit to the WDAC System Requirements section. --- .../wdac-and-applocker-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 0897007f32..2d7ae11177 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -19,7 +19,7 @@ ms.custom: asr ms.technology: mde --- -## Windows Defender Application Control and AppLocker Overview +# Windows Defender Application Control and AppLocker Overview **Applies to:** 
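Review bot: The H2 to H1 promotion in `configure-authorized-apps-deployed-with-a-managed-installer.md` leaves `ms.date: 08/14/2020` in the front matter unchanged (visible in the hunk context). Elsewhere in this series a content edit bumps `ms.date` (PATCH 003), so update it here as well so the published page reflects that it was touched.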
@@ -47,7 +47,7 @@ Note that prior to Windows 10 version 1709, Windows Defender Application Control WDAC policies can be created on any client edition of Windows 10 build 1903+, or on Windows Server 2016 and above. -WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, e.g. Intune; a management interface, e.g. Configuration Manager; or a script host, e.g. PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to devices running any edition of Windows 10, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition, or Windows Server 2016 and above, but cannot deploy policies to devices running non-Enterprise SKUs of Windows 10. For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). From 087c522d61678843302f41f2abe6140ce448ab95 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 13:15:14 -0700 Subject: [PATCH 052/148] Task ID 29550212 Implemented last suggested edit to the "create eight hash rules" section. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 000dc79659..390b687187 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -135,7 +135,7 @@ During validation CI will choose which hashes to calculate depending on how the In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI. -### Why does scan create 8 hash rules for certain XML files? +### Why does scan create eight hash rules for certain XML files? Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution. From 092c6bfb6c44603217a2f2d34d5d0593872c44d0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 24 May 2021 13:26:23 -0700 Subject: [PATCH 053/148] Task ID 33324832 Updated TOC and all articles that point to old managed installer documents with new combined managed installer link. --- ...lication-control-with-managed-installer.md | 59 ------------------- 1 file changed, 59 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md deleted file mode 100644 index 66afc7f933..0000000000 
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Authorize apps installed by a managed installer (Windows 10) -description: Explains how to automatically allow applications deployed and installed by a managed installer. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: dansimp -manager: dansimp -ms.date: 04/20/2021 -ms.technology: mde ---- - -# Authorize apps deployed by a managed installer - -**Applies to:** - -- Windows 10 -- Windows Server 2019 - -Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called managed installer, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager. - -## How does a managed installer work? - -A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these binaries runs, Windows will monitor the binary's process (and processes it launches) and tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM. - -Having defined your managed installers using AppLocker, you can then configure WDAC to trust files installed by a managed installer by adding the Enabled:Managed Installer option to your WDAC policy. 
Once that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin. - -You should ensure that the WDAC policy allows the system to boot and any other authorized applications that can't be deployed through a managed installer. - -For an example of a managed installer use case, see [Creating a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md). - -## Security considerations with managed installer - -Since managed installer is a heuristic-based mechanism, it doesn't provide the same security guarantees that explicit allow or deny rules do. -It is best suited for use where each user operates as a standard user and where all software is deployed and installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager. - -Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. - -If a managed installer process runs in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. - -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. To avoid that outcome, ensure that the application deployment solution used as a managed installer limits running applications as part of installation. 
- -## Known limitations with managed installer - -- Application control based on managed installer does not support applications that self-update. If an application deployed by a managed installer later updates itself, the updated application files won't include the managed installer origin information and may not be able to run. When you rely on managed installers, you must deploy and install all application updates using a managed installer or include rules to authorize the app in the WDAC policy. In some cases, it may be possible to also designate an application binary that performs self-updates as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - -- [Packaged apps (MSIX)](/windows/msix/) deployed through a managed installer aren't tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. See [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md). - -- Some applications or installers may extract, download, or generate binaries and immediately attempt to run them. Files run by such a process may not be allowed by the managed installer heuristic. In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. Proper review for functionality and security should be performed for the application before using this method. - -- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run. From a85b27f4bfa623752f94ff6cf89c0cf1c50ec8c7 Mon Sep 17 00:00:00 2001 
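Review bot: The commit message says the TOC and all articles pointing at the old managed installer document were updated, but this patch contains only the deletion of `use-windows-defender-application-control-with-managed-installer.md` (1 file changed, 59 deletions); the link updates arrive separately in PATCH 054, so between the two commits every `[managed installer](use-windows-defender-application-control-with-managed-installer.md)` link and the TOC entry resolve to a missing file. Either squash the two commits or order the link updates before the deletion. Since the removed page was published (it carries an `ms.assetid`), also add a redirect from the old URL to the combined article so existing bookmarks and external links keep working, and confirm the combined article keeps a `## Security considerations with managed installer` heading, because PATCH 054 links to that fragment.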
From: Kim Klein Date: Mon, 24 May 2021 13:42:46 -0700 Subject: [PATCH 054/148] Task ID 33324832 continued These are the other files that were updated for this task. --- .../windows-defender-application-control/TOC.yml | 4 ++-- .../create-wdac-policy-for-fully-managed-devices.md | 2 +- .../create-wdac-policy-for-lightly-managed-devices.md | 2 +- .../feature-availability.md | 2 +- .../plan-windows-defender-application-control-management.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- ...ws-defender-application-control-policy-design-decisions.md | 2 +- .../wdac-and-applocker-overview.md | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index eaf0d1aa66..8fa33cfe26 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -21,9 +21,9 @@ href: select-types-of-rules-to-create.md items: - name: Allow apps installed by a managed installer - href: use-windows-defender-application-control-with-managed-installer.md + href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Configure managed installer rules - href: configure-wdac-managed-installer.md + href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Allow reputable apps with Intelligent Security Graph (ISG) href: use-windows-defender-application-control-with-intelligent-security-graph.md - name: Allow COM object registration diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 8399532bab..cceb8da77d 100644 
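Review bot: After the TOC.yml hunk the two sibling entries "Allow apps installed by a managed installer" and "Configure managed installer rules" both carry `href: configure-authorized-apps-deployed-with-a-managed-installer.md`, so the TOC lists the same page twice under different names. Collapse them into one entry whose name matches the combined article's H1 from PATCH 050 ("Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control"). If `configure-wdac-managed-installer.md` is no longer referenced after this change, it should be removed with a redirect, as with the page deleted in PATCH 053.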
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -149,7 +149,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) Existing mitigations applied: - Limit who can elevate to administrator on the device. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 08e82cbe13..c4dabcde4c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -155,7 +155,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Limit who can elevate to administrator on the device. - **Managed installer**
- See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) + See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer) Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 3f411ffb3e..16dd454c61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md 
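Review bot: Both the fully-managed and the lightly-managed hunks retarget the link at the `#security-considerations-with-managed-installer` fragment of the combined article. That anchor came from the `## Security considerations with managed installer` heading of the page deleted in PATCH 053; it only resolves if the combined article has a heading with exactly that text, which nothing in this series shows. Verify the heading exists there, or drop the fragment and link to the article itself.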
@@ -34,7 +34,7 @@ ms.technology: mde | Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | | Kernel mode policies | Available on all Windows 10 versions | Not available | | Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available | -| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available | +| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | | Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | | Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available | | Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 8c0156d01b..5d0dd83466 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md 
@@ -59,7 +59,7 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con ### Policy rule updates -As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. +As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. ## WDAC event management diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 390b687187..add268e0ee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -63,7 +63,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | | **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | -| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) | +| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). 
| | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. NOTE: This option is only supported on Windows 10, version 1709, and above.| diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9443134723..9bd69f5bee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
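Review bot: In the option 13 row the link text "Authorize apps deployed with a WDAC managed installer" is the title of the deleted page; the new target's H1 (PATCH 050) is "Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control". Update the link text to match the destination so readers are not sent to a differently named page, and end the sentence with a period as the neighbouring rows (12 and 14) do.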
@@ -58,7 +58,7 @@ Organizations with well-defined, centrally-managed app management and deployment | Possible answers | Design considerations| | - | - | -| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | +| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | | Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. 
| WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 2d7ae11177..ce2acde0e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md 
@@ -37,7 +37,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of - Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - The reputation of the app as determined by Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) -- The identity of the process that initiated the installation of the app and its binaries ([managed installer](use-windows-defender-application-control-with-managed-installer.md)) +- The identity of the process that initiated the installation of the app and its binaries ([managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md)) - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary From 8faa81c72bea6f594a8828a26157afcc6a9c216b Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 25 May 2021 09:35:03 -0700 Subject: [PATCH 055/148] Task ID 23142312 Added "well-known root cert types" info to the document. --- .../event-tag-explanations.md | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index e4a1e510ea..07690733e7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -18,7 +18,7 @@ ms.date: 8/27/2020 ms.technology: mde --- -## Understanding Application Control event tags +# Understanding Application Control event tags Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags. @@ -91,3 +91,32 @@ Represents why verification failed, or if it succeeded. | 26 | Explicitly denied by WADC policy | | 27 | The signing chain appears to be tampered/invalid | | 28 | Resource page hash mismatch | + +## Microsoft Root CAs trusted by Windows + +The rule means trust anything signed by a cert that chains to this root CA. Enums without values start at 0, and increment by 1 as you go down the below list. + +typedef enum _MINCRYPT_KNOWN_ROOT_ID { +    MincryptKnownRootNone, <-- 0
+    MincryptKnownRootUnknown,
+    MincryptKnownRootSelfsigned,
+    MincryptKnownRootMicrosoftAuthenticodeRoot,
+    MincryptKnownRootMicrosoftProductRoot1997,
+    MincryptKnownRootMicrosoftProductRoot2001,
+    MincryptKnownRootMicrosoftProductRoot2010,
+    MincryptKnownRootMicrosoftStandardRoot2011,
+    MincryptKnownRootMicrosoftCodeVerificationRoot2006,
+    MincryptKnownRootMicrosoftTestRoot1999,
+    MincryptKnownRootMicrosoftTestRoot2010,
+    MincryptKnownRootMicrosoftDMDTestRoot2005,
+    MincryptKnownRootMicrosoftDMDRoot2005,
+    MincryptKnownRootMicrosoftDMDPreviewRoot2005,
+    MincryptKnownRootMicrosoftFlightRoot2014,
+    MincryptKnownRootMicrosoftThirdPartyMarketplaceRoot,
+    MincryptKnownRootMicrosoftEccTestingRootCa2017,
+    MincryptKnownRootMicrosoftEccDevelopmentRootCa2018,
+    MincryptKnownRootMicrosoftEccProductRootCa2018,
+    MincryptKnownRootMicrosoftEccDevicesRootCa2017,
+} MINCRYPT_KNOWN_ROOT_ID, *PMINCRYPT_KNOWN_ROOT_ID;
+ +For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file From dadf73dea9676bac0304d2663515a50a52376dc2 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 25 May 2021 12:24:24 -0700 Subject: [PATCH 056/148] Task ID 23142312 Fine tuning Root Cert section. --- .../event-tag-explanations.md | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 07690733e7..7d75cdc009 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -94,29 +94,29 @@ Represents why verification failed, or if it succeeded. ## Microsoft Root CAs trusted by Windows -The rule means trust anything signed by a cert that chains to this root CA. Enums without values start at 0, and increment by 1 as you go down the below list. +The rule means trust anything signed by a cert that chains to this root CA. Enums without values start at 0, and increment by 1 as you go down the below list.
-typedef enum _MINCRYPT_KNOWN_ROOT_ID { -    MincryptKnownRootNone, <-- 0
-    MincryptKnownRootUnknown,
-    MincryptKnownRootSelfsigned,
-    MincryptKnownRootMicrosoftAuthenticodeRoot,
-    MincryptKnownRootMicrosoftProductRoot1997,
-    MincryptKnownRootMicrosoftProductRoot2001,
-    MincryptKnownRootMicrosoftProductRoot2010,
-    MincryptKnownRootMicrosoftStandardRoot2011,
-    MincryptKnownRootMicrosoftCodeVerificationRoot2006,
-    MincryptKnownRootMicrosoftTestRoot1999,
-    MincryptKnownRootMicrosoftTestRoot2010,
-    MincryptKnownRootMicrosoftDMDTestRoot2005,
-    MincryptKnownRootMicrosoftDMDRoot2005,
-    MincryptKnownRootMicrosoftDMDPreviewRoot2005,
-    MincryptKnownRootMicrosoftFlightRoot2014,
-    MincryptKnownRootMicrosoftThirdPartyMarketplaceRoot,
-    MincryptKnownRootMicrosoftEccTestingRootCa2017,
-    MincryptKnownRootMicrosoftEccDevelopmentRootCa2018,
-    MincryptKnownRootMicrosoftEccProductRootCa2018,
-    MincryptKnownRootMicrosoftEccDevicesRootCa2017,
-} MINCRYPT_KNOWN_ROOT_ID, *PMINCRYPT_KNOWN_ROOT_ID;
+| Root ID | Root Name | +|---|----------| +|0| None | +|1| Unknown | +|2 | Self-Signed | +|3 | Authenticode | +|4 | Microsoft Product Root 1997 | +|5 | Microsoft Product Root 2001 | +|6 | Microsoft Product Root 2010 | +|7 | Microsoft Standard Root 2011 | +|8 | Microsoft Code Verification Root 2006 | +|9 | Microsoft Test Root 1999 | +|10 | Microsoft Tes\t Root 2010 | +|11 | Microsoft DMD Test Root 2005 | +|12 | Microsoft DMDRoot 2005 | +|13 | Microsoft DMD Preview Root 2005 | +|14 | Microsoft Flight Root 2014 | +|15 | Microsoft Third Party Marketplace Root | +|16 | Microsoft Ecc Testing Root Ca2017 | +|17 | Microsoft Ecc Developmen tRoot Ca 2018 | +|18 | Microsoft Ecc Product Root Ca 2018 | +|19 | Microsoft Ecc Devices Root Ca 2017 | For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file From f3f7fe88390d7fa20eb126fd59c874094310cc1a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 25 May 2021 12:38:05 -0700 Subject: [PATCH 057/148] Task ID 23142312 Removed the "Enums without value start..." line and reduced the dashes in the table columns headers. --- .../event-tag-explanations.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 7d75cdc009..e1ea4e1926 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
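Review bot: several names in the new table are misspelled or mis-spaced and should be fixed before merge: row 10 "Microsoft Tes\t Root 2010", row 12 "Microsoft DMDRoot 2005", row 17 "Microsoft Ecc Developmen tRoot Ca 2018", and the abbreviations in rows 16 to 19 should be upper-case ECC and CA. Separately, converting the enum to a table drops the MincryptKnownRoot* identifiers the removed block documented (MincryptKnownRootMicrosoftFlightRoot2014 and so on); consider keeping them as a third column so a reader can map a numeric Root ID back to the symbolic name.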
@@ -27,7 +27,7 @@ Windows Defender Application Control (WDAC) events include a number of fields wh Represents the type of signature which verified the image. | SignatureType Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 0 | Unsigned or verification has not been attempted | | 1 | Embedded signature | | 2 | Cached signature; presence of CI EA shows that file had been previously verified | @@ -42,7 +42,7 @@ Represents the type of signature which verified the image. Represents the signature level at which the code was verified. | ValidatedSigningLevel Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 0 | Signing level has not yet been checked | | 1 | File is unsigned | | 2 | Trusted by WDAC policy | 
@@ -61,7 +61,7 @@ Represents the signature level at which the code was verified. Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 0 | Successfully verified signature | | 1 | File has an invalid hash | | 2 | File contains shared writable sections | @@ -94,8 +94,7 @@ Represents why verification failed, or if it succeeded. ## Microsoft Root CAs trusted by Windows -The rule means trust anything signed by a cert that chains to this root CA. Enums without values start at 0, and increment by 1 as you go down the below list.
- +The rule means trust anything signed by a cert that chains to this root CA. | Root ID | Root Name | |---|----------| |0| None | From 582ad407f366210a6cb504cb3ef6879df9fcd154 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 26 May 2021 14:49:40 +0500 Subject: [PATCH 058/148] Minor correction to remove the confusion I have made a minor addition to the content to clarify the confusion. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9461 --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 234f5f9d6c..352dd76846 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
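Review bot: removing the "Enums without values..." sentence together with the blank line after it leaves `+The rule means trust anything signed by a cert that chains to this root CA.` immediately followed by `| Root ID | Root Name |`; keep a blank line between the paragraph and the table so every Markdown renderer treats the table as its own block. The sentence also needs an antecedent: say which rule or event field is meant rather than opening with "The rule".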
@@ -4521,7 +4521,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. @@ -5356,4 +5356,4 @@ ADMX Info: > [!NOTE] > These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + From 1bf4abff9868c390ded6f4313b9e2d43f088b1b7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:22:15 -0700 Subject: [PATCH 059/148] Task ID 33123704 Deleted the merged event tags and id page to rework it under a different branch. --- .../event-id-and-tag-explanations.md | 160 ------------------ 1 file changed, 160 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md deleted file mode 100644 index 9b21c840e5..0000000000 
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md +++ /dev/null 
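Review bot: the parenthetical added in the @@ -4521 hunk, "(open the files in the folders or see the files in the folders)", repeats "the files in the folders" and does not attach cleanly to "access the contents"; a tighter form is "...but they cannot open folders, list their contents, or open the files inside them." Since the commit message says the change is meant to remove confusion, it is also worth stating explicitly what "browse the directory structure" still permits, because read next to "cannot open folders" that is where the ambiguity sits.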
@@ -1,160 +0,0 @@ ---- -title: Understanding Application Control event IDs and tags (Windows 10) -description: Learn what different Windows Defender Application Control event IDs and tags signify. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.reviewer: v-kikl -ms.author: dansimp -manager: dansimp -ms.date: 5/7/2021 -ms.technology: mde ---- - -## Understanding Application Control event IDs and tags - -A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. - -These events are generated under two locations: - -- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - -- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script - -## Microsoft Windows CodeIntegrity Operational log event IDs - -| Event ID | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 3076 | Audit executable/dll file | -| 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. 
Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | -| 3099 | Indicates that a policy has been loaded | - -## Microsoft Windows Applocker MSI and Script log event IDs - -| Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | -| 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | - -## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events - -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. 
- -| Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 3090 | Allow executable/dll file | -| 3091 | Audit executable/dll file | -| 3092 | Block executable/dll file | - -3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. - -### SmartLocker template - -Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. - -| Name | Explanation | -|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. 
| -| ManagedInstallerEnabled | Policy trusts a MI | -| PassesManagedInstaller | File originated from a trusted MI | -| SmartlockerEnabled | Policy trusts the ISG | -| PassesSmartlocker | File had positive reputation | -| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | - -### Enabling ISG and MI diagnostic events - -In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: - -```powershell -reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 -``` - -In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: - -```powershell -reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 -``` - -## Event Tags - -Below, we have documented the values and meanings for a few useful event tags. - -## SignatureType - -Represents the type of signature which verified the image. 
- -| SignatureType Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Unsigned or verification has not been attempted | -| 1 | Embedded signature | -| 2 | Cached signature; presence of CI EA shows that file had been previously verified | -| 3 | Cached catalog verified via Catalog Database or searching catalog directly | -| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | -| 5 | Successfully verified using an EA that informs CI which catalog to try first | -|6 | AppX / MSIX package catalog verified | -| 7 | File was verified | - -## ValidatedSigningLevel - -Represents the signature level at which the code was verified. 
- -| ValidatedSigningLevel Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Signing level has not yet been checked | -| 1 | File is unsigned | -| 2 | Trusted by WDAC policy | -| 3 | Developer signed code | -| 4 | Authenticode signed | -| 5 | Microsoft Store signed app PPL (Protected Process Light) | -| 6 | Microsoft Store-signed | -| 7 | Signed by an Antimalware vendor whose product is using AMPPL | -| 8 | Microsoft signed | -| 11 | Only used for signing of the .NET NGEN compiler | -| 12 | Windows signed | -| 14 | Windows Trusted Computing Base signed | - -## VerificationError - -Represents why verification failed, or if it succeeded. 
- -| VerificationError Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Successfully verified signature | -| 1 | File has an invalid hash | -| 2 | File contains shared writable sections | -| 3 | File is not signed| -| 4 | Revoked signature | -| 5 | Expired signature | -| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | -| 7 | Invalid root certificate | -| 8 | Signature was unable to be validated; generic error | -| 9 | Signing time not trusted | -| 10 | The file must be signed using page hashes for this scenario | -| 11 | Page hash mismatch | -| 12 | Not valid for a PPL (Protected Process Light) | -| 13 | Not valid for a PP (Protected Process) | -| 14 | The signature is missing the required ARM EKU | -| 15 | Failed WHQL check | -| 16 | Default policy signing level not met | -| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | -| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | -| 19 | Binary is revoked by file hash | -| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | -| 21 | Failed to pass WDAC policy | -| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | -| 23 | Invalid image hash | -| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | -| 25 | Anti-cheat policy violation | -| 26 | Explicitly denied by WADC policy | -| 27 | The signing chain appears to be tampered/invalid | -| 28 | 
Resource page hash mismatch | From 58ca97ae759646943a74b1d3fcb876fd7c63f2c5 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:40:29 -0700 Subject: [PATCH 060/148] Updated TOC Removed configure managed installer name and href. --- .../windows-defender-application-control/TOC.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 8fa33cfe26..2a9d13497a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -22,8 +22,6 @@ items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md - - name: Configure managed installer rules - href: configure-authorized-apps-deployed-with-a-managed-installer.md - name: Allow reputable apps with Intelligent Security Graph (ISG) href: use-windows-defender-application-control-with-intelligent-security-graph.md - name: Allow COM object registration From 36673e5b5e4bc2325d6d16345265df3cc9b5a063 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:45:33 -0700 Subject: [PATCH 061/148] Fixed title heading size --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 8aab0d3c1b..26a3b3fd6a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
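Review bot: deleting event-id-and-tag-explanations.md removes a page that was already published (its front matter carries a title, ms.assetid 8d6e0474-c475-411b-b095-1c61adb2bdbb and ms.date 5/7/2021), so the same change should add a redirect from that path to event-id-explanations.md or event-tag-explanations.md and remove any TOC or inline links to it; the commit message says the content is being reworked on another branch, which makes an orphaned URL easy to miss. Two defects in the deleted text should not be carried into the rework: the duplicated `ms.reviewer:` key in the front matter, and the stray trailing `|` on the 8038 row (`...Correlation ActivityID". | |`), which renders as an extra empty cell.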
@@ -18,7 +18,7 @@ ms.date: 3/17/2020 ms.technology: mde --- -## Understanding Application Control events +# Understanding Application Control events A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: From 09d4ac542c2acf8ddc9bc17c4a332f66c46f50de Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 13:14:27 -0700 Subject: [PATCH 062/148] Task ID 23142312 fixed editing issues in root cert section. --- .../event-tag-explanations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index e1ea4e1926..bcbeab1e3e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -107,15 +107,15 @@ The rule means trust anything signed by a cert that chains to this root CA. |7 | Microsoft Standard Root 2011 | |8 | Microsoft Code Verification Root 2006 | |9 | Microsoft Test Root 1999 | -|10 | Microsoft Tes\t Root 2010 | +|10 | Microsoft Test Root 2010 | |11 | Microsoft DMD Test Root 2005 | |12 | Microsoft DMDRoot 2005 | |13 | Microsoft DMD Preview Root 2005 | |14 | Microsoft Flight Root 2014 | |15 | Microsoft Third Party Marketplace Root | -|16 | Microsoft Ecc Testing Root Ca2017 | -|17 | Microsoft Ecc Developmen tRoot Ca 2018 | -|18 | Microsoft Ecc Product Root Ca 2018 | -|19 | Microsoft Ecc Devices Root Ca 2017 | +|16 | Microsoft ECC Testing Root CA 2017 | +|17 | Microsoft ECC Development Root CA 2018 | +|18 | Microsoft ECC Product Root CA 2018 | +|19 | Microsoft ECC Devices Root CA 2017 | For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file From 6136ddc0d5d380854ea01aeb2c2fe9ebb336a459 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 14:06:10 -0700 Subject: [PATCH 063/148] Updated event-id-explantions Cleaned up the table formatting. --- .../event-id-explanations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 26a3b3fd6a..e0c8044cf1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -29,7 +29,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | 
@@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows Applocker MSI and Script log event IDs | Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | | 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 
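Review bot: the 8038 row in this hunk's context still ends with a doubled pipe (`...under "Correlation ActivityID". | |`), which renders as an extra empty cell; since the hunk is already reformatting this table's delimiter row, drop the trailing `|` here. The caveat in the 8028 row, "there is no WDAC enforcement on 3rd party scripthosts", is an important scoping statement and would be easier to find as a sentence below the table than inside a cell.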
@@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | @@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|---|----------| | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | From faee789b267ba90d691979a343b4bcf8c1432eb9 Mon Sep 17 00:00:00 2001 
From: Kim Klein Date: Thu, 27 May 2021 09:37:24 -0700 Subject: [PATCH 064/148] Task ID 23142312 and 29028100 Made cosmetic changes to the certificate section in event-tags-explanation, and added a line break before the Figure 1 image in audit-and-enforce. --- ...s-defender-application-control-policies.md | 3 +- .../event-tag-explanations.md | 42 +++++++++---------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 4b1860ea36..b33cace078 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -41,7 +41,8 @@ To familiarize yourself with creating WDAC rules from audit events, follow these 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). - **Figure 1. Exceptions to the deployed WDAC policy** + **Figure 1. Exceptions to the deployed WDAC policy**
+ ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index bcbeab1e3e..76084853c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -94,28 +94,28 @@ Represents why verification failed, or if it succeeded. ## Microsoft Root CAs trusted by Windows -The rule means trust anything signed by a cert that chains to this root CA. +The rule means trust anything signed by a certificate that chains to this root CA. | Root ID | Root Name | |---|----------| -|0| None | -|1| Unknown | -|2 | Self-Signed | -|3 | Authenticode | -|4 | Microsoft Product Root 1997 | -|5 | Microsoft Product Root 2001 | -|6 | Microsoft Product Root 2010 | -|7 | Microsoft Standard Root 2011 | -|8 | Microsoft Code Verification Root 2006 | -|9 | Microsoft Test Root 1999 | -|10 | Microsoft Test Root 2010 | -|11 | Microsoft DMD Test Root 2005 | -|12 | Microsoft DMDRoot 2005 | -|13 | Microsoft DMD Preview Root 2005 | -|14 | Microsoft Flight Root 2014 | -|15 | Microsoft Third Party Marketplace Root | -|16 | Microsoft ECC Testing Root CA 2017 | -|17 | Microsoft ECC Development Root CA 2018 | -|18 | Microsoft ECC Product Root CA 2018 | -|19 | Microsoft ECC Devices Root CA 2017 | +| 0| None | +| 1| Unknown | +| 2 | Self-Signed | +| 3 | Authenticode | +| 4 | Microsoft Product Root 1997 | +| 5 | Microsoft Product Root 2001 | +| 6 | Microsoft Product Root 2010 | +| 7 | Microsoft Standard Root 2011 | +| 8 | Microsoft Code Verification Root 2006 | +| 9 | Microsoft Test Root 1999 | +| 10 | Microsoft Test Root 2010 | +| 11 | Microsoft DMD Test Root 2005 | +| 12 | Microsoft DMDRoot 2005 | +| 13 | Microsoft DMD Preview Root 2005 | +| 14 | Microsoft Flight Root 2014 | +| 15 | Microsoft Third Party Marketplace Root | +| 16 | Microsoft ECC Testing Root CA 2017 | +| 17 | Microsoft ECC Development Root CA 2018 | +| 18 | Microsoft ECC Product Root CA 2018 | +| 19 | Microsoft ECC Devices Root CA 2017 | For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file 
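Review bot: the section is titled "Microsoft Root CAs trusted by Windows" and the lead sentence says to trust anything chaining to the root, yet rows 9, 10, 11, 14, 16 and 17 are test, flight, ECC testing and ECC development roots; add a sentence distinguishing the production roots from these, so a policy author does not read the table as a list of roots to allow. The VerificationError table in this series already implies that distinction with row 24 ("Flight root not allowed; indicates trying to run flight-signed code on production OS"). Two smaller fixes in the same hunk: row 12 "Microsoft DMDRoot 2005" is missing a space (compare row 11 "Microsoft DMD Test Root 2005"), and "For example, they don't need to be listed..." should read "That is, ..." since it restates the preceding sentence rather than giving an example.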
From fd4776ff535ca97031750985250fe33a4572f273 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 15:09:31 -0700 Subject: [PATCH 065/148] Acrolinx style suggestions --- ...lication-control-policy-design-decisions.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9bd69f5bee..7640970646 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md 
@@ -40,13 +40,13 @@ You should consider using WDAC as part of your organization's application contro ## Decide what policies to create -Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. While this opens up many new use cases for organizations, your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. +Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust", we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. 
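Review bot: the context line "allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store" keeps "3rd-party" while the same patch changes "3rd parties" to "third-party" in the following hunk, and the path %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies is left as plain text; since this Acrolinx pass is already in the paragraph, change it to "third-party" and put the path in inline code so the backslashes are preserved on render.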
It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. +Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations. 
@@ -54,31 +54,31 @@ The following questions can help you plan your WDAC deployment and determine the ### How are apps managed and deployed in your organization? -Organizations with well-defined, centrally-managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. +Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. | Possible answers | Design considerations| | - | - | | All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | -| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | +| Some apps are centrally managed and deployed, but teams can install other apps for their members. 
| [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can use managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. | | Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| -### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed? +### Are internally developed line-of-business (LOB) apps and apps developed by third-party companies digitally signed? Traditional Win32 apps on Windows can run without being digitally signed. This practice can expose Windows devices to malicious or tampered code and presents a security vulnerability to your Windows devices. Adopting code-signing as part of your organization's app development practices or augmenting apps with signed catalog files as part of your app ingestion and distribution can greatly improve the integrity and security of apps used. | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. 
| Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | +| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? -Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies which may lead you to choose between broad, organization-wide policies and multiple team-specific policies. 
+Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | -| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally-defined base policy.| +| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally defined base policy.| | No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| ### Does your IT department have resources to analyze application usage, and to design and manage the policies? 
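Review bot: the hunk drops the hyphen from "centrally-managed", "internally-developed" and "centrally-defined" but leaves "best-suited" and "best-positioned" hyphenated in the same tables, which is the same adverb-plus-participle pattern; apply the rule to those too. The new paragraph under "Are internally developed line-of-business (LOB) apps ... digitally signed?" writes "code-signing" while the table rows it introduces keep "codesigning" twice ("enforce [codesigning](...)" and "do not need to meet any codesigning requirements"); settle on one spelling, "code signing", across the section.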
@@ -87,7 +87,7 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.| | No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? From f0bfb149b761d7dbd7fd9f70c4153fe07b6dfb4a Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 15:14:24 -0700 Subject: [PATCH 066/148] Acrolinx suggestions --- .../event-id-explanations.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e0c8044cf1..57043da075 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -35,17 +35,17 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | 3099 | Indicates that a policy has been loaded | -## Microsoft Windows Applocker MSI and Script log event IDs +## Microsoft Windows AppLocker MSI and Script log event IDs | Event ID | Explanation | |---|----------| -| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | +| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". 
| | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide more diagnostic information. | Event ID | Explanation | |---|----------| @@ -53,11 +53,11 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | -3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template that appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. ### SmartLocker template -Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. +Below are the fields that help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | |---|----------| 
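Review bot: the rewritten 8038 row still ends with an extra `| |` after "Correlation ActivityID".`, which adds an empty third cell to a two-column table and renders as a stray column; drop the trailing pipe. While correcting that row, it is worth stating plainly that the "Correlation ActivityID" in the "System" section is the key that joins an 8028/8029 (or 3076/3077) event to its per-signature 8038 (or 3089) events, because a reader building an event log query needs that join and the current wording only implies it.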
@@ -76,7 +76,7 @@ In order to enable 3091 audit events and 3092 block events, you must create a Te reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 ``` -In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: +To enable 3090 allow events, and 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 From dd1035c3bea09135690426df189d95ee2f5f29a0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 27 May 2021 15:29:19 -0700 Subject: [PATCH 067/148] Task ID 33452921 Created an Appendix table that lists other IDs and their descriptions. --- .../event-id-explanations.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e0c8044cf1..80c6a5ba40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
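Review bot: the hunk replaces "In order to enable 3090 allow events as well as ..." but the preceding paragraph, visible in the hunk header ("In order to enable 3091 audit events and 3092 block events, you must create a Te..."), keeps the "In order to" wording this pass is removing; change both for consistency. The sentence also calls `reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300` a "PowerShell command", but reg.exe is a console tool that runs identically from cmd.exe, so "run the following command from an elevated prompt" is more accurate than tying it to PowerShell. Neither paragraph tells the reader how to turn the extra events off again once diagnosis is finished; a closing sentence with the matching `reg delete hklm\system\currentcontrolset\control\ci /v TestFlags /f` would complete the procedure, since TestFlags is, as its name says, a test setting only needed while investigating.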
@@ -81,3 +81,42 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` + +## Appendix +A list of other relevant event IDs and their corresponding description. +| Event ID | Description | +|---|----------| +| 3001 | An unsigned driver was attempted to load on the system. | +| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | +| 3004 | Code Integrity could not verify the file as the page hash could not be found. | +| 3010 | The catalog containing the signature for the file under validation is invalid. | +| 3011 | Code Integrity finished loading the signature catalog. | +| 3012 | Code Integrity started loading the signature catalog. | +| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. | +| 3024 | Windows application control was unable to refresh the boot catalog file. | +| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. | +| 3033 | The file under validation did not meet the requirements to pass the application control policy. | +| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  +| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | +| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. 
| +| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | +| 3075 | This event monitors the performance of the Code Integrity policy check a file. | +| 3079 | The file under validation did not meet the requirements to pass the application control policy. | +| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. | +| 3081 | The file under validation did not meet the requirements to pass the application control policy. | +| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | +| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. | +| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | +| 3097 | The Code Integrity policy cannot be refreshed. | +| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | +| 3101 | Code Integrity started refreshing the policy. | +| 3102 | Code Integrity finished refreshing the policy. | +| 3103 | Code Integrity is ignoring the policy refresh. | +| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | +| 3105 | Code Integrity is attempting to refresh the policy. | +| 3108 | Windows mode change event was successful. | +| 3110 | Windows mode change event was unsuccessful. | +| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | \ No newline at end of file From d70b314e191ba01105099d7dd2bd7dad19356d6e Mon Sep 17 00:00:00 2001 
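Review bot: several added rows carry typos that change their meaning and should be fixed before merge: 3080 reads "would not have me the requirements" (met), 3084 and 3085 read "enforce theWHQL Required policy setting" (missing space), 3075 reads "monitors the performance of the Code Integrity policy check a file" (ungrammatical), 3001 reads "An unsigned driver was attempted to load" (an attempt was made to load an unsigned driver), and 3095 says the policy "must be rebooted" when it is the device that needs the reboot. Structurally, "A list of other relevant event IDs and their corresponding description." runs straight into "| Event ID | Description |" with no blank line, which breaks table rendering, and the hunk ends with "\ No newline at end of file". Finally, 3033, 3079 and 3081 all receive the identical text "The file under validation did not meet the requirements to pass the application control policy."; if these IDs differ in what was checked or who raised them, the table should say how, otherwise a reader deciding which ID to alert on cannot tell them apart.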
From: Tina Burden Date: Thu, 27 May 2021 15:55:49 -0700 Subject: [PATCH 068/148] Update windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md --- ...-and-enforce-windows-defender-application-control-policies.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index b33cace078..c1d7ac7c71 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -12,7 +12,6 @@ audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte -ms.reviewer: v-kikl ms.author: dansimp manager: dansimp ms.date: 05/03/2021 From 0cfeae94b048e6f419c24ef7dc61987cec8d40bb Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:14:17 -0700 Subject: [PATCH 069/148] warning fix...hopefully --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index a0308dfadc..7f2b24da54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -54,7 +54,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ### Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell From 8b92722dde241f87092e60f7d8dd00f78ff4493d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:21:24 -0700 Subject: [PATCH 070/148] bookmark not found warning --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 7f2b24da54..00adfbb261 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
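Review bot: the new link target `/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md` is a site-absolute path, and those should not carry the `.md` extension (the relative form in the removed line needed it, the absolute form does not), so this rewrite trades one warning for a broken link. The `#Deploying-multiple-policies-via-ApplicationControl-CSP` bookmark is also left mixed-case while generated heading anchors are lowercase, which is the likely cause of the warning this commit is chasing; lowercase the anchor in the same change rather than leaving it for a follow-up.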
@@ -54,7 +54,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ### Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell From 33f8a4a189719cb68b8f9d4f017d469d5bdffc1b Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:44:21 -0700 Subject: [PATCH 071/148] edit --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 00adfbb261..ca2d5fed65 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
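Review bot: resolving the bookmark warning by deleting the cross-reference to the Application Control CSP section means readers of "Deploying signed policies" lose the pointer to the CSP deployment steps entirely; if the target heading exists in this or another article, keep the link and point it at a lowercase anchor (for example `#deploying-multiple-policies-via-applicationcontrol-csp`, with the article path in front if it lives elsewhere) instead of dropping it.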
@@ -54,7 +54,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ### Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md) or the Application Control CSP will handle this step automatically. +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell From 48d7e752113825973a1f2559ea6c14009dd7e3d6 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 27 May 2021 16:55:49 -0700 Subject: [PATCH 072/148] Update windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md --- .../event-tag-explanations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 76084853c5..2ae5aa34a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md 
@@ -95,6 +95,7 @@ Represents why verification failed, or if it succeeded. ## Microsoft Root CAs trusted by Windows The rule means trust anything signed by a certificate that chains to this root CA. + | Root ID | Root Name | |---|----------| | 0| None | @@ -118,4 +119,4 @@ The rule means trust anything signed by a certificate that chains to this root C | 18 | Microsoft ECC Product Root CA 2018 | | 19 | Microsoft ECC Devices Root CA 2017 | -For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. \ No newline at end of file +For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file. From 1a2e96258aa3aa28174c0ff6bf0d467836fe5257 Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 22:14:28 +0530 Subject: [PATCH 073/148] faq-md-app-guard.md converted into yml --- .../TOC.yml | 2 +- .../faq-md-app-guard.yml | 200 ++++++++++++++++++ .../md-app-guard-overview.md | 2 +- 3 files changed, 202 insertions(+), 2 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index c77a91d3e5..ee887e168a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -12,4 +12,4 @@ - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - name: FAQ - href: faq-md-app-guard.md + href: faq-md-app-guard.yml 
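Review bot: the rewritten closing sentence keeps "For example, they don't need to be listed as TBS hashes in the policy file." although it states a consequence of the preceding sentence (the TBS hashes are baked into WDAC) rather than an example of it; "As a result" or "Therefore" is the connector intended. The blank line added before `| Root ID | Root Name |` and the restored trailing newline are the right fixes for the rendering problems in this table.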
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml new file mode 100644 index 0000000000..7b33d23616 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -0,0 +1,200 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Microsoft Defender Application Guard (Windows 10) + description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. + ms.prod: m365-security + ms.mktglfcycl: manage + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: denisebmsft + ms.author: deniseb + ms.date: 05/12/2021 + ms.reviewer: + manager: dansimp + ms.custom: asr + ms.technology: mde + +title: Frequently asked questions - Microsoft Defender Application Guard +summary: | + **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. + + ## Frequently Asked Questions + +sections: + - name: Frequently Asked Questions + questions: + - question: | + Can I enable Application Guard on machines equipped with 4-GB RAM? + answer: | + We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. + + `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) + + - question: | + Can employees download documents from the Application Guard Edge session onto host devices? + answer: | + In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. 
+ + In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. + + - question: | + Can employees copy and paste between the host device and the Application Guard Edge session? + answer: | + Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. + + - question: | + Why don't employees see their favorites in the Application Guard Edge session? + answer: | + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) + + - question: | + Why aren’t employees able to see their extensions in the Application Guard Edge session? + answer: | + Make sure to enable the extensions policy on your Application Guard configuration. + + - question: | + How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? + answer: | + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + + - question: | + Which Input Method Editors (IME) in 19H1 are not supported? 
+ answer: | + The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: + + - Vietnam Telex keyboard + - Vietnam number key-based keyboard + - Hindi phonetic keyboard + - Bangla phonetic keyboard + - Marathi phonetic keyboard + - Telugu phonetic keyboard + - Tamil phonetic keyboard + - Kannada phonetic keyboard + - Malayalam phonetic keyboard + - Gujarati phonetic keyboard + - Odia phonetic keyboard + - Punjabi phonetic keyboard + + - question: | + I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? + answer: | + This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + + - question: | + What is the WDAGUtilityAccount local account? + answer: | + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: + + **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** + + We recommend that you do not modify this account. + + - question: | + How do I trust a subdomain in my site list? + answer: | + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. 
The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + + - question: | + Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? + answer: | + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + + - question: | + Is there a size limit to the domain lists that I need to configure? + answer: | + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + + - question: | + Why does my encryption driver break Microsoft Defender Application Guard? + answer: | + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why do the Network Isolation policies in Group Policy and CSP look different? + answer: | + There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. 
+ + - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** + + - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** + + - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why did Application Guard stop working after I turned off hyperthreading? + answer: | + If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. + + - question: | + Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? + answer: | + Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. + + - question: | + Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? + answer: | + This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + + - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) + - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + - question: | + Why can I not launch Application Guard when Exploit Guard is enabled? + answer: | + There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. 
To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. + + - question: | + How can I disable portions of ICS without breaking Application Guard? + answer: | + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + + 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. + + 2. Disable IpNat.sys from ICS load as follows:
+ `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` + + 3. Configure ICS (SharedAccess) to enabled as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` + + 4. (This is optional) Disable IPNAT as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` + + 5. Reboot the device. + + - question: | + Why doesn't the container fully load when device control policies are enabled? + answer: | + Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. + + Policy: Allow installation of devices that match any of the following device IDs: + + - `SCSI\DiskMsft____Virtual_Disk____` + - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` + - `VMS_VSF` + - `root\Vpcivsp` + - `root\VMBus` + - `vms_mp` + - `VMS_VSP` + - `ROOT\VKRNLINTVSP` + - `ROOT\VID` + - `root\storvsp` + - `vms_vsmp` + - `VMS_PP` + + Policy: Allow installation of devices using drivers that match these device setup classes + - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + +additionalContent: | + + ## See also + + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9c41f91b39..83850f5a21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md 
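Review bot: In the answer to "Why do the Network Isolation policies in Group Policy and CSP look different?", the closing paragraph ("Application Guard accesses files from a VHD mounted on the host ... 0x80070013 ERROR_WRITE_PROTECT") is a verbatim copy of the encryption-driver answer two questions earlier and says nothing about network isolation; drop it from this answer so the Network Isolation entry ends with the three policy bullets. Two smaller points in the same hunk: the "ERR_NAME_NOT_RESOLVED" answer states "you need to create two firewall rules" but this file never defines them (no program path, service, protocol or ports), so the reader is sent to a generic firewall how-to with nothing to fill in; and in the ICS section, step 2's key `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` omits the `HKEY_LOCAL_MACHINE\` hive prefix that steps 3 and 4 spell out, so write it as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` for consistency.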
@@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices: |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | -|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file From a2805311479b72e7604e7ff21fd28d6d919a18c9 Mon Sep 17 00:00:00 2001 
From: v-hearya Date: Fri, 28 May 2021 22:57:26 +0530 Subject: [PATCH 074/148] faq-md-app-guard.md deleted & updated .yml --- .../faq-md-app-guard.md | 210 ------------------ .../faq-md-app-guard.yml | 35 +++ 2 files changed, 35 insertions(+), 210 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index 0e4406aaa5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null 
@@ -1,210 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 05/12/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4-GB RAM? - -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. 
However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? 
- -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). 
This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. 
If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. 
- -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7b33d23616..aef33b9815 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
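Review bot: Before removing faq-md-app-guard.md outright, confirm that nothing else still links to the .md path; the only link repointed to faq-md-app-guard.yml in this series is the overview table entry, and any other page or TOC entry that still references the .md will break once the file is gone. The deletion also carries the duplicated VHD/ERROR_WRITE_PROTECT paragraph at the end of the Network Isolation answer into the .yml unchanged, so that copy still needs to be cleaned up on the YAML side.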
@@ -146,6 +146,41 @@ sections: - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + ### First rule (DHCP Server) + 1. Program path: `%SystemRoot%\System32\svchost.exe` + + 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + + 3. Protocol UDP + + 4. Port 67 + + ### Second rule (DHCP Client) + This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + + 1. Right-click on inbound rules, and then create a new rule. + + 2. Choose **custom rule**. + + 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. + + 4. Specify the following settings: + - Protocol Type: UDP + - Specific ports: 67 + - Remote port: any + + 5. Specify any IP addresses. + + 6. Allow the connection. + + 7. Specify to use all profiles. + + 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. + + 9. In the **Programs and services** tab, under the **Services** section, select **settings**. + + 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - question: | Why can I not launch Application Guard when Exploit Guard is enabled? From 1f87678437a9f81518b72325058fd4ed9dff4e15 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 28 May 2021 12:13:29 -0700 Subject: [PATCH 075/148] Task ID 33452921 - edited some appendix items Also increased column spacing for the tables. --- .../event-id-explanations.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) 
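Review bot: The "Second rule (DHCP Client)" walkthrough contradicts itself: its introduction says the rule is "the same as the first rule, but scoped to local port 68", yet step 4 then specifies "Specific ports: 67", which is the first rule's port again. Either change step 4 to 68, or say explicitly that the numbered steps build the first rule and must be repeated with local port 68 for the second. In the same hunk, the first rule identifies the service by SID (`S-1-5-80-2009329905-444645132-2728249442-922493431-93864177`) while step 10 of the walkthrough selects it by display name ("Internet Connection Sharing (ICS) Shared Access"); using one form in both places, or stating that they denote the same service, would avoid confusion. Finally, these two sub-headings were `####` beneath a `###` question on the old Markdown page and are now `###` inside a YAML answer, so check how the rendered FAQ nests them relative to the question.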
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 80c6a5ba40..0e97655117 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -29,7 +29,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | 
@@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows Applocker MSI and Script log event IDs | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | | 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | @@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | @@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -|---|----------| +| -------- | ----------- | | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | 
@@ -85,7 +85,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Appendix A list of other relevant event IDs and their corresponding description. | Event ID | Description | -|---|----------| +| -------- | ----------- | | 3001 | An unsigned driver was attempted to load on the system. | | 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | | 3004 | Code Integrity could not verify the file as the page hash could not be found. | 
@@ -98,16 +98,16 @@ A list of other relevant event IDs and their corresponding description. | 3033 | The file under validation did not meet the requirements to pass the application control policy. | | 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | -| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |  -| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. | +| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | | 3075 | This event monitors the performance of the Code Integrity policy check a file. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. | +| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. 
| -| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | -| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. | -| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. | +| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | +| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | | 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | From beebe88cac054ccf99f32b09d7a64273fe7c11c9 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Sat, 29 May 2021 21:54:11 -0400 Subject: [PATCH 076/148] Update required-windows-diagnostic-data-events-and-fields-2004.md Minor spelling errors --- .../required-windows-diagnostic-data-events-and-fields-2004.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 67158554c1..7a756bffcb 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
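Review bot: In the `@@ -98,16 +98,16 @@` hunk, the reworded 3080 row swaps the original typo ("would not have me the requirements") for a new one: "would not have meet the requirements" should read "would not have met the requirements". While these rows are being touched, the 3064, 3065, 3080 and 3082 descriptions all open with "If the policy was enforced" / "If the policy was in enforced mode"; the conditional reads better as "were", and the audit-mode rows would be clearer if they mirrored the existing 3034 row ("The file was allowed since the policy is in audit mode") so the audit-versus-enforce distinction is phrased the same way throughout the table. The unchanged 3075 row ("monitors the performance of the Code Integrity policy check a file") is also missing a word; "the Code Integrity policy check of a file" would fix it.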
@@ -6355,7 +6355,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. This is the OneCore version of this event. The following fields are available: From 6ac2a0bc368fced5f672d96224d9e54f53891fa1 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 31 May 2021 12:51:27 +0100 Subject: [PATCH 077/148] Update policy-csp-system.md --- .../client-management/mdm/policy-csp-system.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 61558a2ca2..9497ff874d 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -748,11 +748,14 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restricted value is 0. -The following list shows the supported values for Windows 10 version 19H1 and later: +For Windows 10 version 19H1 and later we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: -- **Diagnostic data off** - No Windows diagnostic data sent. -- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +- **0 - Diagnostic data off** - No Windows diagnostic data sent. +- **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. +- **3 - Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. + +> [!NOTE] +> If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). \ No newline at end of file + From e41479bca6a0e65258440054adaec42a36b7a21b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 31 May 2021 12:59:35 +0100 Subject: [PATCH 078/148] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
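Review bot: in the policy-csp-system.md hunk, the new supported-values list jumps from 1 to 3 without saying what happens to value 2 (Enhanced); the note that follows only covers devices already set to Enhanced at upgrade time. State explicitly whether 2 is still accepted on 19H1 and later and, if so, which level it is treated as, because an MDM author reading the list will otherwise assume the gap is a typo. Also, "For Windows 10 version 19H1 and later we simplified" needs a comma after "later".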
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 9497ff874d..905ec90ac2 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -748,7 +748,7 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restricted value is 0. -For Windows 10 version 19H1 and later we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: +For Windows 10 version 19H1 and later, we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: - **0 - Diagnostic data off** - No Windows diagnostic data sent. - **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. From 7107ab412c37ffd773259e679092a50de0d09c0a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 18:47:32 +0530 Subject: [PATCH 079/148] Update windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../applocker/applocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 0a97c8aeb0..29d54546be 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md 
@@ -83,7 +83,7 @@ The following are examples of scenarios in which AppLocker can be used: - In addition to other measures, you need to control the access to sensitive data through app usage. > [!NOTE] -> AppLocker is a defense-in-depth security feature and not a security boundary. [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. +> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. From 626b77e4ed9b834bf19a1fa8aa9be371d04c6ef3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 19:03:44 +0530 Subject: [PATCH 080/148] removed invalid link added new link as per user report issue #9584 , so I removed invalid link and added new link --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 74b961fb89..92a7eacf49 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -484,9 +484,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). ### Optimize update delivery @@ -642,4 +642,4 @@ See the following example: ## See Also -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. \ No newline at end of file +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. From 8ba8da2d5f4821141134ef596bef6c249dd1d714 Mon Sep 17 00:00:00 2001 
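Review bot: in the whats-new-windows-10-2019.md Windows Insider hunk, both paragraphs now link to the same URL, https://insider.windows.com/for-business, and the second one loses the "#getting-started-with-windows-insider-program-for-business" anchor it had before. Either point the second link at the corresponding section of the new page, if one exists, or drop the duplicate and keep a single "For details, see ..." reference, so two consecutive sentences do not send the reader to the same place twice.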
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:53:18 +0530 Subject: [PATCH 081/148] Update windows/whats-new/ltsc/whats-new-windows-10-2019.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 92a7eacf49..cd82d2c618 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -484,7 +484,7 @@ Previously, the customized taskbar could only be deployed using Group Policy or ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). From 1cabfc785fefc65becce43d25f18c73d708671cc Mon Sep 17 00:00:00 2001 
From: Kim Klein Date: Tue, 1 Jun 2021 09:18:00 -0700 Subject: [PATCH 082/148] Corrected a typo for task ID 33452921 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 0e97655117..d12d89b766 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -103,7 +103,7 @@ A list of other relevant event IDs and their corresponding description. | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | | 3075 | This event monitors the performance of the Code Integrity policy check a file. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. | +| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. | | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | From d5fd5aa78687402fc4ab076b86720236c227e68c Mon Sep 17 00:00:00 2001 
From: Charles Date: Tue, 1 Jun 2021 13:10:36 -0400 Subject: [PATCH 083/148] added docs specifically for MEM(Intune) devices --- windows/deployment/TOC.yml | 2 + .../update-compliance-configuration-manual.md | 19 ++--- .../update-compliance-configuration-mem.md | 76 +++++++++++++++++++ .../update-compliance-configuration-script.md | 13 +--- .../update/update-compliance-get-started.md | 9 ++- 5 files changed, 94 insertions(+), 25 deletions(-) create mode 100644 windows/deployment/update/update-compliance-configuration-mem.md diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index c8a3334ac2..4e078e7f35 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -193,6 +193,8 @@ href: update/update-compliance-configuration-script.md - name: Manually configuring devices for Update Compliance href: update/update-compliance-configuration-manual.md + - name: Configuring MEM-enrolled devices for Update Compliance + href: update/update-compliance-configuration-mem.md - name: Update Compliance monitoring items: - name: Use Update Compliance diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index ccdb293504..10b6032442 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md 
@@ -41,16 +41,13 @@ Update Compliance has a number of policies that must be appropriately configured Each MDM Policy links to its documentation in the CSP hierarchy, providing its exact location in the hierarchy and more details. -| Policy | Value | Function | -|---------------------------|-|------------------------------------------------------------| -|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | -|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | -|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | -|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | -| **System/AllowUpdateComplianceProcessing** | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. 
| - -> [!NOTE] -> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp). +| Policy | Data type | Value | Function | +|--------------------------|-|-|------------------------------------------------------------| +|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. | +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | +|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. 
| +| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | ### Group policies @@ -89,6 +86,6 @@ Census is a service that runs on a regular schedule on Windows devices. A number A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: -1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. +1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. 2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. 3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md new file mode 100644 index 0000000000..09eeaed357 --- /dev/null +++ b/windows/deployment/update/update-compliance-configuration-mem.md 
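Review bot: in the update-compliance-configuration-manual.md policy table hunk, the removed note ("If you use Microsoft Intune, set the ProviderID to MS DM Server. If you use another MDM product, check with its vendor.") has no replacement in this file, yet the CommercialID row still uses the *ProviderID* placeholder. Readers configuring a non-Intune MDM lose the only guidance on what to substitute; keep the note, or fold it into the Function cell of the CommercialID row, rather than relying on the `MS DM Server` literal that now appears only in the new Endpoint Manager page. Adding the Data type column is a good change, and the String/Integer values match those used in the OMA-URI settings of the new page.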
@@ -0,0 +1,76 @@ +--- +title: Configuring MEM devices for Update Compliance +ms.reviewer: +manager: laurawi +description: Configuring MEM-enrolled devices for Update Compliance +keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +--- + +# Configuring Microsoft Endpoint Manager devices for Update Compliance + +> [!NOTE] +> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. + +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) (MEM) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: + +1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. +2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. +3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md##enroll-devices-in-update-compliance). 
+ +## Create a configuration profile + +Take the following steps to create a configuration profile that will set required policies for Update Compliance: + +1. Go to your MEM admin portal and navigate to **Devices/Windows/Configuration profiles**. +2. On the Configuration profiles view, select **Create a profile**. +3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +4. For **Template name**, select "Custom", then hit **Create**. +5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). + 1. Add a setting for **Commercial ID**, with the following values: + - **Name**: Commercial ID + - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **Data type**: String + - **Value**: *Set this to your Commercial ID* + 2. Add a setting configuring devices' **Windows Diagnostic Data level**: + - **Name**: Allow Telemetry + - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` + - **Data type**: Integer + - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). + 3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. 
If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` + - **Data type**: Integer + - **Value**: 1 + 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + - **Name**: Allow Update Compliance Processing + - **Description**: Opts device data into Update Compliance processing. Required to see data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` + - **Data type**: Integer + - **Value**: 16 +7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +8. Review and **create**. + +## Deploy the configuration script + +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices to Update Compliance, though is not strictly necessary. It checks to ensure devices have required services running and checks connectivity to the endpoints detaield in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 
Deploying the configuration script can be done by deploying the script as a Win32 app. Documentation for this can be found in the Intune documentation for [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). + +When deploying the configuration script as a Win32 app, you will be unable to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 2bdf88323c..4821714cb4 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
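Review bot: in the new update-compliance-configuration-mem.md file, the link in step 3 of the overview, `update-compliance-get-started.md##enroll-devices-in-update-compliance`, has a doubled `#` and will not resolve to the anchor; it should be `update-compliance-get-started.md#enroll-devices-in-update-compliance`. Other items in the same hunk: "endpoints detaield" should be "endpoints detailed"; the description "Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting" should read "Prevents end users of devices from adjusting diagnostic data to levels lower than the level defined by the Allow Telemetry setting"; and the AllowTelemetry value note, "it can be safely set to a higher value", should say what "safely" means here, since the same setting is described as the maximum diagnostic data level the device will send, so a higher value sends more data than Update Compliance needs (for example: "higher values also work for Update Compliance, at the cost of sending more diagnostic data"). The file also ends without a trailing newline ("\ No newline at end of file"), which other patches in this series are adding elsewhere; add one here too.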
@@ -18,22 +18,15 @@ ms.topic: article # Configuring devices through the Update Compliance Configuration Script > [!NOTE] -> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured. +> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. -The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. > [!NOTE] -> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. 
*Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. +> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there may be issues with device data appearing in Update Compliance. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. -## Script FAQ - -- I manage my devices with MDM. Should I use this script? -No, you should not use this script. Instead configure the policies through your MDM provider. -- Does this script configure devices for Delivery Optimization? -No. You must do that separately. - ## How this script is organized This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index a224816f2b..d84e9ccac6 100644 
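Review bot: in the update-compliance-configuration-script.md hunk, deleting the "Script FAQ" section also drops the answer "Does this script configure devices for Delivery Optimization? No. You must do that separately.", which nothing in the added text replaces; keep that sentence on the page, for example after the new "recommended complement" sentence. The rest of the change is consistent: the advice that MDM users should not run the script is removed here, the new get-started.md step 3 in this same patch tells everyone to run it, and the remaining note still correctly warns that the script writes registry keys that Group Policy or MDM can overwrite and does not reconfigure existing policies. Also, the link text "[Manually configured devices for Update Compliance]" should be "[Manually configuring devices for Update Compliance]" to match the page title used in the TOC and elsewhere in this patch.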
--- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -26,7 +26,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. 3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. -After adding the solution to Azure and configuring devices, it could take up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. +After adding the solution to Azure and configuring devices, it can take some time before all devices appear, this is discussed in more detail in the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites 
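Review bot: in the first update-compliance-get-started.md hunk, the new sentence "it can take some time before all devices appear, this is discussed in more detail in the [enrollment section]" is a comma splice; split it ("... before all devices appear. This is discussed in more detail ...") or use a semicolon. Dropping the concrete "up to 72 hours" figure here is acceptable only because the enrollment section later in this patch still states the expectations (fully uploaded within one week, usually under 72 hours, for active devices; up to two weeks for less active ones), so make sure that text stays.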
@@ -100,10 +100,11 @@ To find your CommercialID within Azure: ## Enroll devices in Update Compliance -Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance: +Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: -- If you use Group Policy to manage device policies, use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). -- If you manage devices through MDM providers like Intune, [manually configure device for Update Compliance](update-compliance-configuration-manual.md). +1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). +2. If you are a [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) customer, you can follow the MEM enrollment process documented at [Configuring MEM-enrolled devices for Update Compliance](update-compliance-configuration-mem.md). +3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. 
Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. From 102cc4d8c2d89be9254eb298429906c9157a87c0 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:18:59 -0700 Subject: [PATCH 084/148] Update TOC.yml Do not use "MEM." --- windows/deployment/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 4e078e7f35..487cf680c0 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -193,7 +193,7 @@ href: update/update-compliance-configuration-script.md - name: Manually configuring devices for Update Compliance href: update/update-compliance-configuration-manual.md - - name: Configuring MEM-enrolled devices for Update Compliance + - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager href: update/update-compliance-configuration-mem.md - name: Update Compliance monitoring items: @@ -543,4 +543,4 @@ href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md - name: Install fonts in Windows 10 - href: windows-10-missing-fonts.md \ No newline at end of file + href: windows-10-missing-fonts.md From e2169d5b6a6dda2bec7953e5bc89a246841531c0 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:25:32 -0700 Subject: [PATCH 085/148] Update update-compliance-configuration-mem.md Removing "MEM" (do not use "MEM") and a few tweaks for voice/tone. --- .../update-compliance-configuration-mem.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 09eeaed357..e9b66d2a5d 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md 
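Review bot: The renamed TOC label in hunk @@ -193,7 +193,7 @@ ("Configuring devices for Update Compliance in Microsoft Endpoint Manager") should match the `title:` in the front matter of update-compliance-configuration-mem.md, otherwise the left-nav entry and the page heading diverge. Suggest changing both in the same PR. The second hunk (@@ -543,4 +543,4 @@) only adds the missing trailing newline; no comment.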
+++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -1,8 +1,8 @@ --- -title: Configuring MEM devices for Update Compliance +title: Configuring for Update Compliance in Microsoft Endpoint Manager ms.reviewer: manager: laurawi -description: Configuring MEM-enrolled devices for Update Compliance +description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem ms.prod: w10 ms.mktglfcycl: deploy @@ -20,7 +20,7 @@ ms.topic: article > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) (MEM) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. 
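Review bot: The new `title:` in hunk @@ -1,8 +1,8 @@, "Configuring for Update Compliance in Microsoft Endpoint Manager", has lost its object and reads as if something unnamed is being configured. Suggest "Configuring devices for Update Compliance in Microsoft Endpoint Manager", which also matches the TOC label introduced in the TOC.yml change of this series. The `keywords:` line still lists "mem"; fine for search, but decide that deliberately if the goal is to drop the abbreviation.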
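Review bot: Hunk @@ -20,7 +20,7 @@ removes the "(MEM)" definition but the same sentence still says "within MEM itself" and "Configuring devices for Update Compliance in MEM", so the abbreviation is now used without ever being introduced. Either keep the parenthetical or replace both remaining occurrences with "Endpoint Manager". In step 2, "so additional checks can be performed" could name the checks (required services running, connectivity to the listed endpoints), since that is what the later "Deploy the configuration script" section says the script does.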
@@ -30,10 +30,10 @@ This article is specifically targeted at configuring devices enrolled to [Micros Take the following steps to create a configuration profile that will set required policies for Update Compliance: -1. Go to your MEM admin portal and navigate to **Devices/Windows/Configuration profiles**. -2. On the Configuration profiles view, select **Create a profile**. +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +2. On the **Configuration profiles** view, select **Create a profile**. 3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -4. For **Template name**, select "Custom", then hit **Create**. +4. For **Template name**, select **Custom**, and then press **Create**. 5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 1. Add a setting for **Commercial ID**, with the following values: @@ -42,7 +42,7 @@ Take the following steps to create a configuration profile that will set require - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* - 2. Add a setting configuring devices' **Windows Diagnostic Data level**: + 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` 
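Review bot: Inconsistent UI verbs across the steps in hunk @@ -30,10 +30,10 @@: step 2 uses "select **Create a profile**", step 4 now uses "press **Create**", and step 8 in the following hunk uses "select **Create**". Use "select" throughout for portal buttons. "Go to the Admin portal in Endpoint Manager" also capitalizes "Admin" as though it were a product name; "the Microsoft Endpoint Manager admin center" is the usual form. Hunk @@ -42,7 +42,7 @@ is a wording-only change; no comment.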
@@ -67,10 +67,10 @@ Take the following steps to create a configuration profile that will set require - **Data type**: Integer - **Value**: 16 7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -8. Review and **create**. +8. Review and select **Create**. ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices to Update Compliance, though is not strictly necessary. It checks to ensure devices have required services running and checks connectivity to the endpoints detaield in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). Deploying the configuration script can be done by deploying the script as a Win32 app. Documentation for this can be found in the Intune documentation for [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). -When deploying the configuration script as a Win32 app, you will be unable to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. 
We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. \ No newline at end of file +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. From 343d9db640693cf2692fd81b1b72151a1f8f2eb7 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:27:01 -0700 Subject: [PATCH 086/148] Update update-compliance-configuration-script.md --- .../deployment/update/update-compliance-configuration-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 4821714cb4..085bf545d6 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
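Review bot: The rewritten "Deploy the configuration script" paragraph in hunk @@ -67,10 +67,10 @@ says the script "isn't strictly necessary", while the get-started page (hunk @@ -100,10 +100,11 @@ earlier in this series) tells readers they "should run the Update Compliance Configuration Script on all devices"; pick one position and state it in both places. The Pilot/Deployment paragraph is still a single run-on sentence ("with as similar of a configuration profile as other devices which will be enrolled"); suggest splitting it: "Deploy the script in Pilot mode to a set of devices you can access, using a configuration profile as close as possible to the one the other devices will receive. Review the logs for issues, then deploy the script in Deployment mode as a Win32 app to all Update Compliance devices." The sentence about not being able to retrieve logs would help more if it said where the script writes its logs, or that the log location is a script parameter, if that is the case.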
@@ -23,7 +23,7 @@ ms.topic: article The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. > [!NOTE] -> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there may be issues with device data appearing in Update Compliance. +> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), device data might not appear in Update Compliance correctly. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. 
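Review bot: The wording change in hunk @@ -23,7 +23,7 @@ is fine, but the note still leaves the practical consequence implicit: because the script writes registry keys directly and Group Policy or MDM re-applies its own values on the next refresh, a device that passed the script's checks can silently drift back to a non-compliant configuration. Suggest one added sentence telling readers to verify the effective policy after the next policy refresh (for example with `gpresult` or the MDM diagnostic report) rather than relying on the script's result alone. In the unchanged context line, the link text "Manually configured devices for Update Compliance" does not match the target page title "Manually configuring devices for Update Compliance" used in the note itself.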
From ce4773f0a6d1aef55b21f203bb65909b475a2699 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:28:54 -0700 Subject: [PATCH 087/148] Update update-compliance-get-started.md --- windows/deployment/update/update-compliance-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index d84e9ccac6..d1bcb967b9 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -26,7 +26,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. 3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. -After adding the solution to Azure and configuring devices, it can take some time before all devices appear, this is discussed in more detail in the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. +After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites From 441adf9cacfeaa6c8508b89e6b289eadcfde1212 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 1 Jun 2021 10:30:17 -0700 Subject: [PATCH 088/148] Update update-compliance-get-started.md --- windows/deployment/update/update-compliance-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
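Review bot: Hunk @@ -26,7 +26,7 @@ resolves the comma splice introduced by the earlier change to this line; no further issue with the sentence structure. "For more information, see the [enrollment section]" could say what the reader will find there (the expected time for devices to appear), since the 72-hour figure that used to be on this line now lives only in that section.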
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index d1bcb967b9..e975c71cf9 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -103,7 +103,7 @@ To find your CommercialID within Azure: Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). -2. If you are a [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) customer, you can follow the MEM enrollment process documented at [Configuring MEM-enrolled devices for Update Compliance](update-compliance-configuration-mem.md). +2. If you use [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). 3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. From 815910f0c7cf49399da0ba1037a14349163ca25d Mon Sep 17 00:00:00 2001 
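Review bot: Hunk @@ -103,7 +103,7 @@ fixes the step 2 wording, but the unchanged list intro still says "enrolling devices to Update Compliance", inconsistent with "enrolling devices in Update Compliance" adopted in the configuration-mem change of this same series. The trailing context sentence "Device connectivity to the internet and generally how active the device is highly influences how long it will take" also has a subject/verb mismatch; suggest "How often a device is connected to the internet and how active it is largely determine how long it takes to appear in Update Compliance."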
From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:31:57 -0700 Subject: [PATCH 089/148] Update update-compliance-configuration-mem.md bookmark fix; attempt to replace absolute links --- .../update/update-compliance-configuration-mem.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index e9b66d2a5d..aefc6bdaaf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md 
@@ -20,11 +20,11 @@ ms.topic: article > [!NOTE] > As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. 2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. -3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md##enroll-devices-in-update-compliance). +3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). ## Create a configuration profile 
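Review bot: The bookmark fix in hunk @@ -20,11 +20,11 @@ ("##enroll-devices" to "#enroll-devices") is correct; the double hash would never have matched the heading anchor. Since the first changed line is being touched anyway, this is the place to resolve the dangling "within MEM itself" and "in MEM" left after the "(MEM)" definition was removed in the previous change; spell both out as "Endpoint Manager". Note that the root-relative link "/mem/endpoint-manager-overview" only resolves when the page is rendered on the docs site; that is the repo convention, but it will show as broken in the GitHub preview, so reviewers should not flag it as a 404.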
@@ -71,6 +71,6 @@ Take the following steps to create a configuration profile that will set require ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. 
From 1feed94c3aa7b2ebbf5b1418f159fedaadfbdd2a Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:35:13 -0700 Subject: [PATCH 090/148] Update update-compliance-get-started.md switch to rel link --- windows/deployment/update/update-compliance-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index e975c71cf9..f1c18585dd 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -103,7 +103,7 @@ To find your CommercialID within Azure: Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). -2. If you use [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). +2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). 3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. From 0ea039011830844a17359aa17bffc66723a54bbd Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:29:53 +0500 Subject: [PATCH 091/148] Update in Changing the PIN Made some update in Changing the PIN Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9475 --- .../virtual-smart-card-use-virtual-smart-cards.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cb9d870d46..f5d0883f98 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. - +The PIN for virtual smart card can be changed by following steps: +- Log on with the old pin or password. +- Press Ctrl+Alt+Del and choose **Change a password**. +- Click ""Sign-in Options**. +- Click the **Virtual smart card icon**. +- Change the pin. ## Resolving issues ### TPM not provisioned @@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter ## See also -For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). \ No newline at end of file +For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). From 24f4911e7e52468364a83e2477d2b91cf8f495b4 Mon Sep 17 00:00:00 2001 
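Review bot: Malformed bold marker in hunk @@ -80,8 +80,12 @@: the added line `- Click ""Sign-in Options**.` opens with two straight quotes instead of `**`, so it will render with literal quotes and a stray `**`. It should be `- Click **Sign-in Options**.` Other points in the same list: "by following steps" should be "by following these steps"; "pin" should be "PIN" to match the heading; `**Virtual smart card icon**` bolds the word "icon" as if it were a UI label, whereas only the control name should be bold; and the blank line that preceded "## Resolving issues" was removed, so the list now runs straight into the next heading. Step 1 ("Log on with the old pin or password") is a useful addition because it makes explicit that this flow only works from an already authenticated session. The second hunk only adds the trailing newline; no comment.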
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 2 Jun 2021 15:24:17 +0530 Subject: [PATCH 092/148] added may 2021 admx link as per user feedback #9636 , so i added may 2021 admx template link. --- ...-a-windows-10-device-automatically-using-group-policy.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 75c2d3f601..939ecd1a60 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -195,6 +195,8 @@ Requirements: - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: @@ -211,6 +213,8 @@ Requirements: - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. 5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**. 
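Review bot: The new 21H1 entries in hunks @@ -195,6 +195,8 @@ and @@ -211,6 +213,8 @@ follow the pattern of the existing 20H2 entries, but the folder name under `C:\Program Files (x86)\Microsoft Group Policy\` is set by the package installer and should be confirmed against the actual 21H1 package rather than inferred from the 20H2 naming; the same applies to download id 103124 in the link. A wrong id or folder name sends administrators to the wrong template set, and the policy definitions they then copy to SYSVOL will not expose the settings the rest of this article relies on. Please note in the PR how the link and path were verified.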
@@ -294,7 +298,7 @@ To collect Event Viewer logs: - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links - +- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) From 70acd1d2b6e65ecdce2dbf73fa5a8bfc84416a25 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 2 Jun 2021 13:01:35 +0100 Subject: [PATCH 093/148] updates for AllowTelemetry --- .../mdm/policy-csp-system.md | 20 +++++++------------ ...s-to-windows-diagnostic-data-collection.md | 2 +- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 905ec90ac2..89ff9b9090 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
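Review bot: Hunk @@ -294,7 +298,7 @@ replaces the blank line after "### Useful Links" with the new list item, so the list now sits directly under the heading. Most Markdown renderers cope, but the rest of this file keeps a blank line after headings; restore it and add the new entry below. The list also now runs 21H1, 1909, 1903, 1809, while the 20H2 package that appears in the step list above is not included here; consider adding it so the two lists agree.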
@@ -740,22 +740,16 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. -- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +- 0 – (**Security**) This turns Windows diagnostic data off. +- **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. +- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data, such as limited crash dumps. 
+- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. -Most restricted value is 0. - -For Windows 10 version 19H1 and later, we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: - -- **0 - Diagnostic data off** - No Windows diagnostic data sent. -- **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **3 - Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +Most restrictive value is 0. > [!NOTE] -> If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). +> If your devices are set to Enhanced when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +## Human-operated ransomware + +Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. 
Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. + +Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. + +The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). + +See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. From 1174cb4b333f2ebca7c124e6a51b379eac330ea7 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Fri, 4 Jun 2021 13:02:07 -0700 Subject: [PATCH 117/148] Update ransomware-malware.md --- .../intelligence/ransomware-malware.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 00bd93579d..2eee3a6421 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md 
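Review bot: Hunk @@ -740,22 +740,16 @@ changes the meaning of value 0, not just its wording: the removed text said the Security level still sends data needed to keep Windows secure (Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, Microsoft Defender), while the new text says it "turns Windows diagnostic data off". If that is intentional, state for which versions it holds, because the list is still introduced as "supported values for Windows 10 version 1809 and older" while the new level names (Required, Optional) are the post-19H1 names, and the separate 19H1-and-later list, which listed only values 0, 1 and 3, has been deleted. Readers choosing a privacy baseline need to know which values their build accepts and what each one actually sends. Smaller points: "other devices editions of Windows" should read "other editions of Windows"; the `- **Note**:` line is now a bullet at the same level as the values instead of an indented note under value 0; and "will be evaluated to be at the more privacy-preserving setting" is unclear, whereas "will be treated as Required diagnostic data" says what happens.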
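Review bot: In the added "Human-operated ransomware" section (the `+` lines that follow the AllowTelemetry hunk; the diff header for this file is missing from the extraction), the link texts "this [article]" and "[this blog post]" are not descriptive; use the target titles, for example "[Human-operated ransomware](/security/compass/human-operated-ransomware)". "The same primary prevention techniques described in this article should be implemented" is passive and vague about which techniques; "Apply the same prevention techniques described above (patching, up-to-date antivirus and EDR, MFA and privileged access controls, application allowlists, backups) against human-operated ransomware" ties the new section to the numbered list the rest of this file carries.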
@@ -66,7 +66,7 @@ To provide the best protection against ransomware attacks, Microsoft recommends 2. Deploy regular hardware and software systems patching and effective vulnerability management - A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software vendors release them. + A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them. A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. @@ -74,9 +74,9 @@ To provide the best protection against ransomware attacks, Microsoft recommends **HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10). -3. Use up-to-date antivirus and an endpoint detection and response (EDR) solutions +3. Use up to date antivirus and an endpoint detection and response (EDR) solutions - While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, it’s very important to ensure that your antivirus solutions are kept up-to-date with your software vendors. + While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers. Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. 
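Review bot: In the @@ -74 hunk, "3. Use up to date antivirus and an endpoint detection and response (EDR) solutions" keeps the number mismatch between "an" and "solutions", and removing the hyphens loses the compound adjective before "antivirus"; suggest "Use up-to-date antivirus and endpoint detection and response (EDR) solutions". Also, both hunks change "vendors" to "publishers", but the unchanged context line "Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up" still says "vendors"; change it too so the terminology is consistent within the section.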
@@ -88,11 +88,11 @@ To provide the best protection against ransomware attacks, Microsoft recommends **HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions. -5. Implement effective application allow lists +5. Implement effective application allowlists - It’s very important as part of a ransomware prevention strategy to restrict the applications that can run within an IT infrastructure. Application allow lists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. + You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. - **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. + **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. 6. Regularly back up critical systems and files 
From 9f96ebfac501647c03b74cfc94a93bac1c7032bd Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Fri, 4 Jun 2021 15:57:28 -0700 Subject: [PATCH 118/148] Update ransomware-malware.md --- .../threat-protection/intelligence/ransomware-malware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 2eee3a6421..f09ebe1af1 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -62,7 +62,7 @@ To provide the best protection against ransomware attacks, Microsoft recommends By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress. - **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization' Exchange Online mailboxes against spam, malware, and other email threats. + **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization's Exchange Online mailboxes against spam, malware, and other email threats. 2. Deploy regular hardware and software systems patching and effective vulnerability management From d55e19b1fb18b23c3fc84817a9e0b98eebe68456 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:01:29 +0530 Subject: [PATCH 119/148] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 3214cc878a..a045a86cc0 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -126,7 +126,7 @@ There are potentially a thousand or more feature updates displayed in the Config Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**, +2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. The **Download Software Updates Wizard** opens. 3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: 
From aab9c1f49a47a4ec695871db8436ed75194e6de6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:09:52 +0530 Subject: [PATCH 120/148] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index a045a86cc0..b1ee4d2dd8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -127,6 +127,7 @@ Before you deploy the feature updates, you can download the content as a separat 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. + The **Download Software Updates Wizard** opens. 3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: From 4976757337aa37e7c23e5e7cf7a304086585426f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:10:06 +0530 Subject: [PATCH 121/148] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index b1ee4d2dd8..630c2b6867 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -185,6 +185,7 @@ After you determine which feature updates you intend to deploy, you can manually 1. In the Configuration Manager console, click **Software Library**. 2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**, + The **Deploy Software Updates Wizard** opens. 4. On the General page, configure the following settings: - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** From 7687ee2034c302e019134cbd28184475802b256c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:10:39 +0530 Subject: [PATCH 122/148] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 630c2b6867..6f359c369a 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md 
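Review bot: The new line "The **Deploy Software Updates Wizard** opens." is appended after a context line that still ends with a comma ("... right click, and select **Deploy**,"), so the rendered step reads "select Deploy, The Deploy Software Updates Wizard opens." Change that comma to a period in this same commit rather than in a follow-up.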
+++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -251,7 +251,7 @@ After you determine which feature updates you intend to deploy, you can manually - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content Source Priority](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). 10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 11. Click **Next** to deploy the feature update(s). From cfb6ec4f44efa773f610febb8bafbcbf18cdd1db Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:11:02 +0530 Subject: [PATCH 123/148] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 6f359c369a..771a7648f8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -184,7 +184,7 @@ After you determine which feature updates you intend to deploy, you can manually 1. In the Configuration Manager console, click **Software Library**. 2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**, +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. The **Deploy Software Updates Wizard** opens. 4. On the General page, configure the following settings: From 4551a1a6c5824a305885e0821bbaf3f6515c82ee Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 7 Jun 2021 07:35:30 -0700 Subject: [PATCH 124/148] Update ransomware-malware.md --- .../intelligence/ransomware-malware.md | 47 +------------------ 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index f09ebe1af1..5a04348f87 100644 
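Review bot: This hunk only changes the trailing comma after **Deploy** to a period, which is the punctuation left dangling when PATCH 121/148 added "The **Deploy Software Updates Wizard** opens." on the following line; squash the two into one commit so the intermediate state "select **Deploy**, The **Deploy Software Updates Wizard** opens." never lands in history.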
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md 
@@ -56,58 +56,13 @@ Organizations can be targeted specifically by attackers, or they can be caught i To provide the best protection against ransomware attacks, Microsoft recommends that you: -1. Use an effective email filtering solution - - According to the [Microsoft Security Intelligence Report Volume 24 of 2018](https://clouddamcdnprodep.azureedge.net/gdc/gdc09FrGq/original), spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, you must adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats. - - By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress. - - **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization's Exchange Online mailboxes against spam, malware, and other email threats. - -2. Deploy regular hardware and software systems patching and effective vulnerability management - - A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them. - - A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. - - Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware. 
- - **HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10). - -3. Use up to date antivirus and an endpoint detection and response (EDR) solutions - - While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers. - - Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. - - EDR solutions collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by an EDR solution can help stop advanced threats and are often leveraged for responding to security incidents. - -4. Separate administrative and privileged credentials from standard credentials - - Separate your system administrative accounts from your standard user accounts to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single standard user account doesn’t lead to the compromise of your entire IT infrastructure. 
- - **HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions. - -5. Implement effective application allowlists - - You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. - - **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. - -6. Regularly back up critical systems and files - - The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack. - +- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). 
It can stop ransomware from encrypting files and holding the files for ransom. For more general tips, see [prevent malware infection](prevent-malware-infection.md). From eb5fb0cf09ae5feade62a76072c5bc0884d789b0 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Mon, 7 Jun 2021 08:45:00 -0700 Subject: [PATCH 125/148] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2c20894dcf..ff10761a52 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -59,6 +59,9 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) +--------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) 
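Review bot: This hunk deletes all six numbered recommendations (email filtering, patching, antivirus/EDR, separating privileged credentials, application allowlists, backups) together with their **HOW:** links, and leaves "Microsoft recommends that you:" followed by a single bullet for controlled folder access, while the commit message "Update ransomware-malware.md" gives no reason. If the guidance moved to the human-operated ransomware article (/security/compass/human-operated-ransomware) referenced elsewhere in this file, say so in the commit message and keep a pointer where the list was; otherwise a one-item list introduced by "recommends that you:" reads as incomplete, and the follow-on sentence "It can stop ransomware from encrypting files and holding the files for ransom." should be folded into the bullet.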
@@ -521,6 +524,71 @@ More details: - [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) +**Configuration/PlatformUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/EngineUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. 
+ +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/DefinitionUpdatesChannel** +Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + +Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%) + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. 
Suitable for most devices. + +The data type is integer. +Supported operations are Add, Delete, Get, Replace. + +Valid Values are: +• 0: Not configured (Default) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + **Scan** Node that can be used to start a Windows Defender scan on a device. From c18073c830e580029fdf78314f953f82a6753e31 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Mon, 7 Jun 2021 14:44:15 -0400 Subject: [PATCH 126/148] corrected OMA-URI for Commercial ID @jaimeo --- .../deployment/update/update-compliance-configuration-mem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index c4ce3579f9..01de3567bf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -40,7 +40,7 @@ Take the following steps to create a configuration profile that will set require 2. Add a setting for **Commercial ID** ) with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: From baba2c8823d9e23078aff23dd22e34c020748feb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Jun 2021 12:42:30 -0700 Subject: [PATCH 127/148] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
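Review bot: The PlatformUpdatesChannel and EngineUpdatesChannel sections are word-for-word copies apart from "platform"/"engine" in the first sentence; describe the channels once and refer to that description from the second node, because duplicated text drifts (the DefinitionUpdatesChannel copy already differs: "Valid Values are:" vs "Valid values are:", no blank line between "The data type is integer." and "Supported operations are Add, Delete, Get, Replace.", and a missing period after "(~10%)"). The value lists use "•" bullets while the rest of this file uses "- " list items (see the "More details:" list in the context lines); switch to "-" so they render as Markdown lists. Also, the value label "1: Beta Channel - Prerelease" does not match the "Beta Channel:" heading used in the description; pick one name.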
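Review bot: The new OMA-URI `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` is presented as a literal path, but `ProviderID` reads like a placeholder for the MDM server's provider ID node; if it is, mark it as one and tell the reader what to substitute, the way the adjacent "**Value**: *Set this to your Commercial ID*" does, and if it is a literal node name, say so, because a reader comparing it with the removed "MS DM Server" segment gets no guidance. Also visible in the context lines: "Add a setting for **Commercial ID** ) with the following values" has a stray ")" and both steps are numbered "2."; fix them in the same commit.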
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index ff10761a52..acc2fed615 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/02/2021 +ms.date: 06/07/2021 --- # Defender CSP @@ -521,7 +521,7 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) **Configuration/PlatformUpdatesChannel** From 560d09e0e55760ffc4b97bf4242133b7203d0af2 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 15:26:17 -0700 Subject: [PATCH 128/148] Added a section for supplemental policies. --- .../select-types-of-rules-to-create.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..f5e5b8c109 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -71,6 +71,16 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | +### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +| Rule option | Description | +|------------ | ----------- | +| 5 | Enabled: Inherit Default Policy | +| **6** | **Enabled: Unsigned System Integrity Policy** | +| 7 | Allowed: Debug Policy Augmented | +| **13** | **Enabled: Managed Installer** | +| **14** | **Enabled: Intelligent Security Graph Authorization** | +| **18** | **Disabled: Runtime FilePath Rule Protection** | + ## Windows Defender Application Control file rule levels File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. From bb345aa0690e2344aca3f2b0de66b5e0440f730b Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 8 Jun 2021 10:18:28 +0530 Subject: [PATCH 129/148] added-for-5120578 new image for 5120578 --- .../bitlocker/images/yes-icon.png | Bin 0 -> 916 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/yes-icon.png 
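Review bot: The new "### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported." puts two full sentences into an H3; use a short heading (for example "### Rule options for supplemental policies") and move the sentences into a paragraph below it. In the table, the header says "Description" but the column holds the option name, and rows 6, 13, 14 and 18 are bold while 5 and 7 are not, with nothing explaining the difference; either drop the bold or state in the paragraph that bold marks the supported options (Table 1 in the context lines bolds every option cell, e.g. "**18 Disabled:Runtime FilePath Rule Protection**", so the mixed style here looks accidental).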
diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/information-protection/bitlocker/images/yes-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..bbae7d30522832e4ebf00c52e1c2af7f11e5e952 GIT binary patch literal 916 From 236f5143deb430b86426fb70c329aff141097034 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 10:31:46 +0530 Subject: [PATCH 130/148] Update bitlocker-deployment-comparison.md Updated the image to yes icon --- .../bitlocker-deployment-comparison.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index d3e5e2f766..f4d29550e4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -35,32 +35,32 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Allow recovery password | :::image type="content" 
source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for 
storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery 
link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow or deny Data Recovery Agent | :::image type="content" 
source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | 
:::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | 
:::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | From 2b82513f59cc8d11340fb7074376ac64553d7a5c Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 11:06:56 +0530 Subject: [PATCH 131/148] delete-irrelevant-images deleted unwanted images that i added earlier for this task --- .../bitlocker/images/dot.png | Bin 674 -> 0 bytes .../bitlocker/images/dot1.png | Bin 739 -> 0 bytes .../bitlocker/images/dot_new.png | Bin 734 -> 0 bytes 3 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/security/information-protection/bitlocker/images/dot.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot1.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png deleted file mode 100644 index 8dc160da790bb40082cb31ae078125c8dd9bcb14..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 674 zcmV;T0$u%yP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0yjxSK~z{r?U%c2 zQ(+i~3&o|-O`SyPQlTKIn<%*U4{-J$=q_#54v~7JR1L+DMI0P-P%@>J22p54u|uqB zn>0zyMVqvZxoR$_P2Qe2d<9A0ez$W18S=nyI`F;^-*>)SA9OK2IbC{ky4WJOUETv< zqzvzZMewW^;ajQ#RinYa>Z2`}$k$V0grRRdcqIK3LAdff1}~R$+M>#G^}Pn% zd7o)Dr=+NyxgUZ>b7WOflKWLK;Nr6=DIk+u-ZV6uO;$~ev|KW8z|bRl3RN=Z*^(BN zlEbOIWMRbGGxs^mD)W(&yKVksR1@6{++Br@-5RTYJVLp2$$%4+bQ3GN@hZtW9FI`W z;oByQTMe%E-$jFUp%KbmcoHFt+mWYB{C|%tS1~tFmHkXLH{YaKCmOC?V5>?NwJVpM zQPzouE9Z~@Ba7OV;h7EAiH0lpCDB>Ak=Y3AM8lQC)kGDwE2A&stP>4a4v(4B_twe6 zc4T}$!#dG$^Jxq0HGXCEiQSgft5J@;=^Ak zhpeQlww|w7T`}RPAyRS(UUR5MsySsYuxPfoh$%U3zl5bg>-30U^uP%Z6!0+5i9m07*qo IM6N<$f`#cUv;Y7A 
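Review bot: Changing the alt text from `dot` to `supported` is a real accessibility improvement, but the meaning of an empty cell is still unstated: in rows such as `Server components required?` and `Wait to complete encryption until recovery information is backed up to Azure AD`, a blank cell means "no" and a screen reader announces nothing at all. A plain text value (`No`) in the empty cells would fix that and would also match rows like `Store recovery password for operating system and fixed drives ...` and `Self-service recovery`, which already use `Yes (...)` text rather than the icon. One wording point: in `Server components required?` and `Administrative portal installation required`, the icon now reads as "supported" where the honest meaning is "yes, required"; an alt text of `yes` reads correctly in both the capability rows and the requirement rows.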
diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png deleted file mode 100644 index c9ec7c52ab41b4f5c567d7a8db90e7b679d47928..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 739 zcmV<90v!E`P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0(eP8K~z{r?Uv1J z6G0e8QliJp_RPmysB2_7-AR-DyPsKk#p<-_>^x&}`lwLfDf_l&vZ-PCE z2r7D052@HHqK87HF-;efY-97WP3nw}r0vY4yPFNY_&~_KbC`W*-kEnsSt4Maaj^e& z#qvrdGK-ju=b+_Fa40}?qZ|7I8{l!9pO-0#XsUp_?~-^lkw!GFv)(dJBGcJgkG@VH zE*#iwSjdn>VX=g3ujX+5wThxa<(5Vl9`rWj)b5R}N6wlOGi1g+qfvbLkz+mP7z+Dw z<4gdGLY7HFMTzez9o_e)F`eX>-VFW6w&K>gpj1SfG@63*W6`PwD7WAK#2xaJA(a>= zdtkz13PcP&o5eRZ&!UwGCF1isM&76_vWEqI30I#dShNzM#Qpb4=p`1|$oMA>F^x~J zP~!2V##;75kGE)SP9jT|;B!KpJ3ENXWLc{WC-GG+7%oUwn40A$$VvPv)L=6#BO@4} zlc4p#mbmC`w+c?8b&H#|YQrwU_?$%3CKq;ioh-7SgH0aRD#J<8`W|lgvdDhI?G3C| zhLfONKI&sFdkK+LoZiDA44&}AX=GzkXi6TE2Z@E3nv||kJ+6=| zU4-;A`-2|b>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGqB>(^xB>_oNB=7(L0&_`3K~z{r#g@x! z6G0ruzng3xo7S}5pf<6MidIBL8xSjc>>(hER4-CcK`-i|`VZu)7mq#=JSd6>J(Q{! z&B22RirRpJ6^l|IZPSObZ7`2Esm>%nXr`OZ=CL84OXfFB<}*9bpY)G`24SJ!hR{%X z#nb*LnMGtGiI34V7E)PQBncZ@WCVN)cC2&2W|gR=F=fellkn(YTz?(I)6a1%>-B_md_x2d#i_26~9l@?944v}BA!`RvbVze-Qyshiqh>MZ z8QUwN=hGC46qOG=nZ&P!3`Mnb_2qB88cR^Lf=2#jCXIWMd5X+|uWKkgl@AKg$ZxRY zR1aQ!OW@N~ilRIkIX}ns;_<5ED#+*AjrBFQM3MPKCQ5wy=chx%no4;Dc{)?_ zva6YNR_tGp+beh!s$q5if_#g|My2|&)gwMOf?RdU*w|XX0R((bD&-O6oZz-*Dw$8P zOYB=CKi|_vC36XQo!Hl@P?Sd_?`9dv5%v_CO{jM*B$o9QqLFiM_4#sHiCOgTX+hsk zH$^KHm3!SbJUGz-ogAPdcDFll?WmU`5#8?j#v458&!t4w(#_U6e0CGsbY{^ohvP5N z=||&uH!j}GMqFh1+hvx=x$OGWS623#Vb|i_;W^xV6T|xwgW$__e3u)S4tmhzcTufA zWyuTS$;L2yojycUxmVE2c5wR|p0~53)S Date: Tue, 8 Jun 2021 09:38:41 -0700 Subject: [PATCH 132/148] Removed the heading format for the new text and also swapped out "number" for "option." --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
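Review bot: Before merging the deletion of `dot.png`, `dot1.png` and `dot_new.png`, confirm nothing else references them: the table rewrite in PATCH 130 replaced only `dot1.png` and `dot_new.png` in `bitlocker-deployment-comparison.md`, and `dot.png` never appeared in that table at all, so a repository-wide search for the three file names is the quick check that no other page loses an image once these are gone.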
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f5e5b8c109..7a56e31130 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,7 +71,8 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | -### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported. + | Rule option | Description | |------------ | ----------- | | 5 | Enabled: Inherit Default Policy | From d0c4483edec560d839288689bfc3557412a17c7f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 13:55:32 -0700 Subject: [PATCH 133/148] Acrolinx "Bitlocker" --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index f4d29550e4..de76b10cc5 100644 
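Review bot: Dropping the `###` and inserting the blank line before the table fixes the rendering, and "option" is the right word since the rest of the page calls them rule options. What the table still lacks is any in-row marker for the two entries the sentence warns about: `| 5 | Enabled: Inherit Default Policy |` and `| 7 | Allowed: Debug Policy Augmented |` look identical in form to the usable rows, so a reader who skims past the introductory sentence will take them as valid. Suggest adding the qualifier to the Description cell, for example `| 5 | Enabled: Inherit Default Policy (reserved for future use; not implemented) |` and `| 7 | Allowed: Debug Policy Augmented (not supported) |`.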
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,6 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article shows the Bitlocker deployment comparison chart. +description: This article shows the BitLocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From e3aa788ac7f136c183a7480b70ee08247bed97c0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Jun 2021 15:06:15 -0700 Subject: [PATCH 134/148] Update windows/client-management/mdm/defender-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index acc2fed615..dbdc03e3aa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -566,11 +566,11 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) +- 0 - Not configured (Default) +- 1 - Beta Channel - Prerelease +- 2 - Current Channel (Preview) +- 3 - Current Channel (Staged) +- 4 - Current Channel (Broad) **Configuration/DefinitionUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. From ccb70b243bcf508a3355b1d1194b5577eedb6c00 Mon Sep 17 00:00:00 2001 
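Review bot: In the reformatted `Valid values` list, the separator between the number and the name is ` - ` and one of the names also contains ` - `, so `- 1 - Beta Channel - Prerelease` reads as three hyphenated fragments with no visual cue which hyphen is the separator. A colon after the number (`- 1: Beta Channel - Prerelease`, `- 0: Not configured (Default)`) keeps the separator distinct from the channel name while still using the `-` bullet style adopted here.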
From: Marysia Kaminska <85372436+marysiakam9889@users.noreply.github.com> Date: Tue, 8 Jun 2021 16:35:35 -0700 Subject: [PATCH 135/148] Update defender-ddf.md adding new csp's for Defender Update controls: DisableGradualRelease, DefinitionUpdatesChannel, EngineUpdatesChannel, and PlatformUpdatesChannel --- windows/client-management/mdm/defender-ddf.md | 180 ++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index a63f4dec92..b4c21b747a 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
@@ -757,6 +757,186 @@ The XML below is the current version for this CSP. + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + DefinitionUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. 
+ + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + PlatformUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + Scan From cd99516b0029f122bc575c93c7344caa6869ebda Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 8 Jun 2021 16:46:25 -0700 Subject: [PATCH 136/148] fix --- windows/application-management/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
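Review bot: All four new nodes declare an OS version of `99.9.99999` with CSP version `1.3`; `99.9.99999` looks like a placeholder rather than a shipped build, and the defender-csp.md tree later on this page (PATCH 140) labels these nodes "Added with the 4.18.2105.4 Defender platform release", so the DDF should carry the real minimum version or make clear the controls are gated on the Defender platform version rather than the OS. Two consistency checks before publishing: `DefinitionUpdatesChannel` lists only `0`, `4` and `5`, while `EngineUpdatesChannel` and `PlatformUpdatesChannel` list `0`, `2`, `3`, `4`, `5`, so the missing Beta and Preview values for definitions should be stated as intentional; and the value-to-channel mapping here (Beta `2`, Preview `3`, Staged `4`, Broad `5`) does not match the `Valid values` list in defender-csp.md from PATCH 134 on this page (Beta `1`, Preview `2`, Staged `3`, Broad `4`). One of the two documents is wrong, and a wrong value quietly places devices on a different update ring than the administrator intended. Minor: the `DisableGradualRelease` description "Enable this policy to disable gradual rollout" reads better as "Set to 1 to disable gradual rollout", matching the value descriptions below it.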
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice From e640603aef1d3eb2aaadcf5db4fbdb6bacc66e20 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 21:14:03 -0700 Subject: [PATCH 137/148] Applied "> [!NOTE]" style --- ...policy-csp-localpoliciessecurityoptions.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8beeba2c2e..1d2f90b193 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md 
@@ -1241,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. @@ -2457,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2535,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -2613,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2897,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
@@ -3172,7 +3178,8 @@ This policy setting controls whether applications that request to run with a Use - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. +> [!NOTE] +> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -3240,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. From 36f4a8e1e005f397d9df19b4738db1131d4270c9 Mon Sep 17 00:00:00 2001 
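Review bot: In the two UAC hunks (`@@ -2897` and `@@ -3240`), the `> [!NOTE]` block is nested inside a `-` list item with a two-space indent and no blank line before it; check the rendered output, because a blockquote that interrupts a list item's paragraph is treated differently across renderers and can terminate the list, leaving `- 1 - Prompt for credentials on the secure desktop ...` and `- 1 - Enabled: (Default) ...` to start a new list. A blank line before the nested `> [!NOTE]`, keeping the two-space indent, is the safe form. The stand-alone conversions (`@@ -1241`, `@@ -2457`, `@@ -2535`, `@@ -2613`, `@@ -3172`) are straightforward and read correctly.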
From: Gary Moore Date: Tue, 8 Jun 2021 21:14:54 -0700 Subject: [PATCH 138/148] =?UTF-8?q?Replaced=20"=C3=A2=E2=82=AC=C2=A6"=20in?= =?UTF-8?q?=20file=20path=20with=20"."?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1d2f90b193..0d4580ee4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3174,9 +3174,9 @@ User Account Control: Only elevate UIAccess applications that are installed in s This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- .\Program Files\, including subfolders +- .\Windows\system32\ +- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows > [!NOTE] > Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. From 0df3a52c4af3656c945bfb7848ab32d0d1f37a73 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 9 Jun 2021 09:13:30 +0200 Subject: [PATCH 139/148] Update filter-origin-documentation.md Fixing a typo in the auditpol commands to enable WFP packet drop auditing --- .../windows-firewall/filter-origin-documentation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
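Review bot: Replacing the mojibake `â€¦` with `.` changes what the three paths mean. `…\Program Files\` used an ellipsis to stand for the unspecified system drive, whereas `.\Program Files\` is a relative path from the current directory, which is not what the UIAccess secure-location rule describes. Restore a plain ASCII ellipsis (`...\Program Files\`, `...\Windows\system32\`, `...\Program Files (x86)\`) or spell the drive out (`%SystemDrive%\Program Files\`) so the list still reads as absolute locations. Fixing the mis-decoded character itself is the right call; only the replacement text needs to change.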
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index c1121baa73..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra |**Audit #**|**Enable command**|**Link**| |:-----|:-----|:-----| |**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| ## Example flow of debugging packet drops with filter origin @@ -168,4 +168,4 @@ For more information on how to debug drops caused by UWP default block filters, **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. \ No newline at end of file +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. 
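Review bot: The subcategory fix in the first hunk of patch 139 is correct: event 5152 is raised under Filtering Platform Packet Drop, not Filtering Platform Connection, so the old command would never have enabled the event the row links to. Both rows still pass `/success:enable`, yet the linked events are failure audits (`5152(F)`, `5157(F)`); success auditing on Filtering Platform Connection also records every permitted connection, which is very high volume on a busy host, so consider `/failure:enable` alone for the 5152/5157 use case or a sentence in the table warning about log volume. The second hunk only restores the missing trailing newline.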
From d383abf06cf5469119d5549a6cc6c7b86cb81c6e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 Jun 2021 11:05:13 -0700 Subject: [PATCH 140/148] revert --- windows/client-management/mdm/defender-csp.md | 74 +------------------ 1 file changed, 3 insertions(+), 71 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index dbdc03e3aa..a97b4484db 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/07/2021 +ms.date: 06/02/2021 --- # Defender CSP @@ -59,9 +59,6 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) ---------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ---------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ---------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) 
@@ -521,74 +518,9 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -**Configuration/PlatformUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. 
- -Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) - -**Configuration/EngineUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -- 0 - Not configured (Default) -- 1 - Beta Channel - Prerelease -- 2 - Current Channel (Preview) -- 3 - Current Channel (Staged) -- 4 - Current Channel (Broad) - -**Configuration/DefinitionUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. - -Current Channel (Staged): Devices will be offered updates after the release cycle. 
Suggested to apply to a small, representative part of production population (~10%) - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. - -The data type is integer. -Supported operations are Add, Delete, Get, Replace. - -Valid Values are: -• 0: Not configured (Default) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) - **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -610,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file From c19599c11a1f5a02bbdcb61d8d7124d10474c363 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:20:21 -0700 Subject: [PATCH 141/148] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index a97b4484db..a423b48612 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -94,11 +94,11 @@ The data type is integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe +- 0 = Unknown +- 1 = Low +- 2 = Moderate +- 4 = High +- 5 = Severe Supported operation is Get. From ab77e37ba969b67c526233351346af25df4d4089 Mon Sep 17 00:00:00 2001 
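Review bot: The last hunk of patch 140 does more than revert the three channel sections: it also changes the link text from "Microsoft Defender Antivirus diagnostic data" to "Microsoft Defender AV diagnostic data" and drops the file's trailing newline (`\ No newline at end of file` now appears on the new side of the final hunk). Neither change belongs in a commit titled "revert"; keep the product-name spelling and the trailing newline, or say in the commit message why the link text is being rolled back. The second hunk correctly removes the three `*UpdatesChannel` nodes from the tree so the tree and the body stay consistent after the sections are gone.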
From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:20:46 -0700 Subject: [PATCH 142/148] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index a423b48612..eeb53adf0b 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -171,17 +171,17 @@ The data type is integer. The following list shows the supported values: -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status ( Cleared) +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with noncritical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. From 3a0889b5734ecd753d7682e8ff761d7febc12b15 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:26:44 -0700 Subject: [PATCH 143/148] Update defender-ddf.md --- windows/client-management/mdm/defender-ddf.md | 180 ------------------ 1 file changed, 180 deletions(-) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index b4c21b747a..7aa0520e15 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -10,7 +10,6 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/11/2020 --- # Defender DDF file 
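Review bot: Patches 141 and 142 show old and new lines that are visually identical, so the change must be non-printing characters (non-breaking spaces or trailing whitespace) in the severity and threat-status value lists; the commit message "Update defender-csp.md" should say so, otherwise the diff cannot be reviewed for intent. In patch 142 the new side also keeps the stray space in `10 = No Status ( Cleared)`, which could be fixed in the same pass.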
@@ -758,185 +757,6 @@ The XML below is the current version for this CSP. - DisableGradualRelease - - - - - - - - Enable this policy to disable gradual rollout of Defender updates. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 1 - Gradual release is disabled - - - 0 - Gradual release is enabled - - - - - - DefinitionUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - - - EngineUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. 
- - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - - - PlatformUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - Scan From 8a70374af83826fb4d9816ab68328ade757ff3b4 Mon Sep 17 00:00:00 2001 
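Review bot: The DDF fragment removed in the second hunk of patch 143 disagrees with the CSP reference text removed in patch 140 on the channel integers: the DDF defined Beta = 2, Preview = 3, Staged = 4, Broad = 5 (and Staged = 4, Broad = 5 for DefinitionUpdatesChannel), while the CSP page listed Beta = 1, Preview = 2, Staged = 3, Broad = 4 (Staged = 3, Broad = 4 for definitions), and the DDF also carried a `DisableGradualRelease` node the CSP page never documented. Removing both copies avoids publishing contradictory values, but when these settings are reintroduced both files need to be generated from the same source, since an admin who picks the wrong integer lands silently on a different release ring. The first hunk deletes `ms.date` outright instead of updating it, unlike the other patches in this series, which bump the date.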
From: mapalko Date: Wed, 9 Jun 2021 14:47:50 -0700 Subject: [PATCH 144/148] updateing multi camera support in FAQ --- .../identity-protection/hello-for-business/hello-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index eb89236d09..405b6710ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -69,9 +69,9 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external camera when my laptop is closed or docked? + - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | 
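Review bot: The new answer in the first hunk of patch 144 has a doubled word ("will be be used") and a version mismatch: the sentence says the capability starts with Windows 10, version 21H2, but the cited post is titled "IT tools to support Windows 10, version 21H1". One of the two is wrong; confirm the release and make the text and the link agree. A comma is also missing after "21H2" in "Starting with Windows 10, version 21H2 an external ... camera can be used".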
@@ -118,7 +118,7 @@ sections: Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | - Which is better or more secure: key trust or certificate trust? + Which is better or more secure, key trust or certificate trust? answer: | The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: - Required domain controllers From 85b745c30f703a915dcd7df61c0f04a342a5f8b0 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 10 Jun 2021 09:35:38 +0530 Subject: [PATCH 145/148] Update bitlocker-deployment-comparison.md Removed the asterisk for note. Row alignment corrected. --- .../bitlocker/bitlocker-deployment-comparison.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index de76b10cc5..0fbc7f9f48 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -26,12 +26,12 @@ This article depicts the BitLocker deployment comparison chart. ## BitLocker deployment comparison chart -| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | |---------|---------|---------|---------| |**Requirements**|||| |Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | |Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | -|Minimum Windows 10 version |1909** | None | None | +|Minimum Windows 10 version |1909 | None | None | |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | 
@@ -47,8 +47,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Standard recovery password storage location | Azure AD or -Active Directory | Configuration Manager site database | MBAM database | +|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: 
| From 7f56a2952658469dc42f84edfef33467bd2bc04b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 11 Jun 2021 10:57:19 +0100 Subject: [PATCH 146/148] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 28a1cdf6e0..c7611518d4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
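Review bot: Patch 145 removes the `*` after "(MBAM)" and the `**` after "1909" in the first hunk, but neither hunk shows the footnote lines those markers referred to. If that note text still exists further down the page it is now orphaned, and if it was deleted the caveat it carried is gone without being folded into the table; the commit message says only "Removed the asterisk for note", so state which. The second hunk correctly rejoins the "Azure AD or Active Directory" cell that had been split across two lines, which broke that Markdown table row.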
@@ -741,13 +741,13 @@ The following list shows the supported values for Windows 8.1: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. -The following list shows the supported values for Windows 10 version 1809 and older: - -- 0 – (**Security**) This turns Windows diagnostic data off. +The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): +- 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. -- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. -- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. 
@@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) From 4bee7439bbe2fbf69ca199e666301f8f9e1e0d04 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 11 Jun 2021 11:29:53 +0100 Subject: [PATCH 147/148] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index c7611518d4..4d1e1393b7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
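Review bot: In the first hunk of patch 146 the four AllowTelemetry values are not formatted consistently with the "current name (older name in brackets)" convention the new intro sentence announces: 0, 1 and 3 become `**Off (Security)**`, `**Required (Basic)**` and `**Optional (Full)**`, but 2 keeps the old `(**Enhanced**)` form, so a reader cannot tell whether Enhanced has a newer name. The intro is also a comma splice ("and older, choose the value that is applicable..."); make it two sentences. The blank line the original had between that sentence and the list was removed; restore it, since the rest of the page separates intro sentences from their lists that way. Finally, the Holographic note is an indented line under value 2 while the edition note for value 0 sits on its own unindented line; pick one layout. The second hunk is fine.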
@@ -745,8 +745,8 @@ The following list shows the supported values for Windows 10 version 1809 and ol - 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. - **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. - 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. @@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.) + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) 
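Review bot: The first hunk of patch 147 changes lines that look identical on both sides, so the edit is whitespace only (presumably trailing spaces or the indentation of the `**Note**` line under value 2); the commit message should say what was changed so the intent is reviewable. The second hunk removes the period inside the parenthetical, leaving "version 21H1)" with no terminal punctuation and undoing the punctuation patch 146 had just added; keep the period and, if the concern was punctuation inside parentheses, move the whole note outside them.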
From 237301056a6c8112fbaca4532a276f881ae3aeed Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 11 Jun 2021 15:03:58 -0700 Subject: [PATCH 148/148] Changed numbered list to bullets; added missing period The list under "First rule (DHCP Server)" appeared to NOT be a sequential list, so by style guidelines, it should not use numbers for its list items. --- .../faq-md-app-guard.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index aef33b9815..cb0bff0dc0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -52,7 +52,7 @@ sections: - question: | Why don't employees see their favorites in the Application Guard Edge session? answer: | - Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard). - question: | Why aren’t employees able to see their extensions in the Application Guard Edge session? 
@@ -148,13 +148,13 @@ sections: - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) ### First rule (DHCP Server) - 1. Program path: `%SystemRoot%\System32\svchost.exe` + - Program path: `%SystemRoot%\System32\svchost.exe` - 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + - Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - 3. Protocol UDP + - Protocol UDP - 4. Port 67 + - Port 67 ### Second rule (DHCP Client) This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
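Review bot: The bullet conversion in the second hunk of patch 148 is right, since program path, service SID, protocol and port are properties of a single firewall rule rather than ordered steps. Two small points: the first two items use a "Label: value" form while "Protocol UDP" and "Port 67" do not, so "Protocol: UDP" and "Port: 67" would match; and the label would be clearer outside the code span, e.g. "Local Service SID: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))", rather than `Sid:` inside it. Scoping the rule to `svchost.exe` plus the service SID, as the list does, is the right granularity: svchost.exe hosts many services, and a path-only rule would open the port for all of them. The first hunk only adds the missing period after the link.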