-
+
- + NetworkListManager/AllowedTlsAuthenticationEndpoints + +
- + NetworkListManager/ConfiguredTLSAuthenticationNetworkName + +
- +
-
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 819bc7b7e0..90192d37ac 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -73,6 +73,9 @@ manager: dansimp
- Experience/AllowWindowsTips +
- + Experience/ConfigureChatIcon +
- Experience/ConfigureWindowsSpotlightOnLockScreen @@ -499,7 +502,7 @@ The values for this policy are 1 and 0. This policy defaults to 1.
- + NetworkListManager/AllowedTlsAuthenticationEndpoints + +
- + NetworkListManager/ConfiguredTLSAuthenticationNetworkName + +
- Check that protected app data doesn't appear on the Lock screen of a Windows 10 Mobile phone. -
PCR0 measurement
-Secure Boot enabled
-Secure Boot db is default
-Secure Boot dbx is up to date
-Secure Boot policy GUID is default
-Device Encryption enabled
-Code Integrity revocation list timestamp/version is up to date
-
-**Experience/AllowSaveAsOfOfficeFiles** +Experience/AllowSaveAsOfOfficeFiles
@@ -1150,6 +1153,64 @@ The following list shows the supported values:
+ +**Experience/ConfigureChatIcon** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine +
+ + +This policy setting allows you to configure the Chat icon on the taskbar. + + + +The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not enabled. + +- 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition. +- 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings. +- 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings. +- 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings. + + + + +
+ **Experience/ConfigureWindowsSpotlightOnLockScreen** diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md new file mode 100644 index 0000000000..9bbe04d477 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -0,0 +1,135 @@ +--- +title: Policy CSP - NetworkListManager +description: The Policy CSP - NetworkListManager setting creates a new MDM policy that allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. +ms.author: v-nsatapathy +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.localizationpriority: medium +ms.date: 7/10/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - NetworkListManager + + +
+ + +## NetworkListManager policies + +
-
+
+ + +**NetworkListManager/AllowedTlsAuthenticationEndpoints** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. + +
+ + +
+ + +**NetworkListManager/ConfiguredTLSAuthenticationNetworkName** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. + +
+ + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 8680bff0db..1d385366fb 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -725,6 +725,8 @@ items: href: policy-csp-multitasking.md - name: NetworkIsolation href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md - name: Notifications href: policy-csp-notifications.md - name: Power diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 4f41f66ba5..633a032f7c 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -18,6 +18,8 @@ items: href: change-default-removal-policy-external-storage-media.md - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education href: group-policies-for-enterprise-and-education-editions.md + - name: Manage Device Installation with Group Policy + href: manage-device-installation-with-group-policy.md - name: Manage the Settings app with Group Policy href: manage-settings-app-with-group-policy.md - name: What version of Windows am I running diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index ae0fdee1a2..048a630323 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -11,6 +11,8 @@ href: update/waas-quick-start.md - name: Windows update fundamentals href: update/waas-overview.md + - name: Monthly quality updates + href: update/quality-updates.md - name: Basics of Windows updates, channels, and tools href: update/get-started-updates-channels-tools.md - name: Servicing the Windows 10 operating system diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index d2e0935b7d..6c5df77f39 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -35,12 +35,12 @@ Check out the following new articles about Windows 11: - [Plan for Windows 11](/windows/whats-new/windows-11-plan) - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare) +The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
+ [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
-The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
-The [Windows ADK](#windows-assessment-and-deployment-kit-adk) for Windows 10, version 2004 is available.
The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with additional content added and more content coming soon.
## The Modern Desktop Deployment Center @@ -186,9 +186,9 @@ For the latest information about MDT, see the [MDT release notes](/mem/configmgr The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. -Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](/windows-hardware/get-started/adk-install). +Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install). -For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). +For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools). Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md index 2c3f12e36a..7d1c05e34c 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md @@ -140,4 +140,4 @@ In-place upgrade with Configuration Manager ## Related topics [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109) \ No newline at end of file +[Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog) \ No newline at end of file diff --git a/windows/deployment/update/quality-updates.md b/windows/deployment/update/quality-updates.md new file mode 100644 index 0000000000..2f90ee99e0 --- /dev/null +++ b/windows/deployment/update/quality-updates.md @@ -0,0 +1,77 @@ +--- +title: Monthly quality updates (Windows 10/11) +description: Learn about Windows monthly quality updates to stay productive and protected. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +author: greg-lindsay +ms.localizationpriority: medium +ms.author: greglin +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Monthly quality updates + +**Applies to** + +- Windows 10 +- Windows 11 + +Windows monthly quality updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Quality updates are cumulative; they include all previously released fixes to guard against fragmentation of the operating system (OS). Reliability and vulnerability issues can occur when only a subset of fixes is installed. + +This article provides details on the types of monthly quality updates that Microsoft provides, and how they help make the overall user experience simple and consistent. + +## Quality updates + +Quality updates are provided on a monthly schedule, as two types of releases: + +1. Non-security releases +2. Combined security + non-security releases + +Non-security releases provide IT admins an opportunity for early validation of that content prior to the combined release. Releases can also be provided outside of the monthly schedule when there is an exceptional need. + +### B releases + +Most people are familiar with what is commonly referred to as **Patch Tuesday** or **Update Tuesday**. These updates are released on the second Tuesday of each month, and are known as the **B release** (where “**B**” refers to the second week in the month). B releases are typically published at 10:00 AM Pacific Time (PST/PDT). + +Because they are cumulative, B releases include both new and previously released security fixes, along with non-security content introduced in the prior month’s **Preview C release** (see the next section). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. B releases are mandatory. + +Channels for availability of B releases include: Windows Update, Windows Server Update Services (WSUS), and the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). + +### C releases + +IT admins have the option to test and validate production-quality releases ahead of the planned B release for the following month. These updates are optional, cumulative, non-security preview releases known as **C releases**. These releases are only offered to the most recent, supported versions of Windows. For example, new features like [News and Interests](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/group-configuration-news-and-interests-on-the-windows-taskbar/ba-p/2281005) might initially be deployed in the prior month’s C preview release, then ship in the following month’s B release. + +For customers to access the C releases, they must navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. + +IT admins can also validate fixes and features in a preview update by leveraging the [Windows Insider Program for Business](https://insider.windows.com/for-business) or via the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). + +### OOB releases + +Out-of-band (OOB) releases might be provided to fix a recently identified issue or vulnerability. They are used in atypical cases when an issue is detected and cannot wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. + +Some key considerations about OOB releases include: + +- OOB releases are always cumulative, and they supersede any prior B or C release. +- The OOB releases will generally require IT admins to deploy off-cycle. +- Some OOB releases are classified as critical and will automatically be pushed to Windows Server Update Services and Windows Update for Business, just like the B releases. +- Some OOB releases are non-critical and only go to the Microsoft Update Catalog for users or organizations to voluntarily seek out the update. + +## More information + +For additional details about the different types of Windows updates like critical, security, drivers, service packs, and more, please see the [Description of the standard terminology used to describe Microsoft software updates](https://support.microsoft.com/help/824684) and [Introducing a new deployment service for driver and firmware updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-a-new-deployment-service-for-driver-and-firmware/ba-p/2176942). + +## Related topics + +- [Overview of Windows as a service](waas-overview.md) +- [Update Windows 10 in the enterprise](index.md) +- [Quick guide to Windows as a service](waas-quick-start.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 01de3567bf..f700affa62 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -22,9 +22,9 @@ ms.topic: article This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps: -1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. -2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. -3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). +1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. +2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. +3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). ## Create a configuration profile @@ -37,7 +37,7 @@ Take the following steps to create a configuration profile that will set require 5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid). - 2. Add a setting for **Commercial ID** ) with the following values: + 2. Add a setting for **Commercial ID** with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` @@ -61,17 +61,17 @@ Take the following steps to create a configuration profile that will set require - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 - 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: - **Name**: Allow Update Compliance Processing - - **Description**: Opts device data into Update Compliance processing. Required to see data. + - **Description**: Opts device data into Update Compliance processing. Required to see data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 -7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -8. Review and select **Create**. +7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +8. Review and select **Create**. ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). -When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index e5f3884b86..ba8a01ba32 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -5,7 +5,7 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage author: jaimeo -ms.localizationpriority: medium +ms.localizationpriority: high ms.author: jaimeo ms.reviewer: manager: laurawi @@ -74,4 +74,4 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index da30d6f337..98e9be1e49 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -49,7 +49,7 @@ When run by Windows Setup, the following [parameters](#parameters) are used: - /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml - /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results -The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**. +The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**. Please note that this is not the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the /RegPath parameter is not specificed, data is stored in the registry at HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag. > [!IMPORTANT] > When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one. diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index f8d35246e7..6e27022a54 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -15,39 +15,35 @@ ms.topic: article --- # User State Migration Tool (USMT) Overview + You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md). USMT enables you to do the following: - Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md). - - Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md). - - Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md). ## Benefits + USMT provides the following benefits to businesses that are deploying Windows operating systems: - Safely migrates user accounts, operating system and application settings. - - Lowers the cost of deploying Windows by preserving user state. - - Reduces end-user downtime required to customize desktops and find missing files. - - Reduces help-desk calls. - - Reduces the time needed for the user to become familiar with the new operating system. - - Increases employee satisfaction with the migration experience. ## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. + +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover is not a free utility. PCmover Express is a tool created by Microsoft's partner, Laplink. There are some scenarios in which the use of USMT is not recommended. These include: - Migrations that require end-user interaction. - - Migrations that require customization on a machine-by-machine basis. ## Related topics + - [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index af4d82ad1b..447ea81cfb 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -57,7 +57,7 @@ Inherited Activation is a new feature available in Windows 10, version 1803 that When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. -To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. +To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. ## The evolution of deployment diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index f582ab8f63..86e8ebcf13 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience ## Behavioral changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 10 device to limit crash dumps and logs](#configure-a-windows-10-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). +In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Additionally, you will see the following policy changes in an upcoming release of Windows 10: @@ -72,7 +72,7 @@ A final set of changes includes two new policies that can help you fine-tune dia >[!Important] >All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. -## Configure a Windows 10 device to limit crash dumps and logs +## Configure a Windows 11 device to limit crash dumps and logs With the Enhanced diagnostic data level being split out into new policies, we're providing additional controls to manage what types of crash dumps are collected and whether to send additional diagnostic logs. Here are some steps on how to configure them: diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml index 6d3b4a3ff6..5e4680879e 100644 --- a/windows/security/identity-protection/TOC.yml +++ b/windows/security/identity-protection/TOC.yml @@ -101,11 +101,9 @@ href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md - name: Enterprise Certificate Pinning href: enterprise-certificate-pinning.md - - name: Install digital certificates on Windows 10 Mobile - href: installing-digital-certificates-on-windows-10-mobile.md - name: Windows 10 credential theft mitigation guide abstract href: windows-credential-theft-mitigation-guide-abstract.md - - name: Configure S/MIME for Windows 10 and Windows 10 Mobile + - name: Configure S/MIME for Windows 10 href: configure-s-mime.md - name: VPN technical guide href: vpn\vpn-guide.md diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index f4d8e44b09..e770d29de4 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -188,91 +188,108 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | SID | Display Name | Description | | - | - | - | -| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.| +| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.| | S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.| | S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. | | S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| -| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| -| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| +| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| +| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| +| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| | S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| -| S-1-5-8| Proxy| Does not currently apply: this SID is not used.| +| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| +| S-1-5-8| Proxy| Does not currently apply: this SID is not used.| | S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| -| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| +| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| | S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
This group includes authenticated security principals from any trusted domain, not only the current domain.| -| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.| -| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| -| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| -| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.| -| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| -| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| -| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| -| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.| -| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.| -| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.| -| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.| -| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.| -| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.| -| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.| -| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.| -| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.| -| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.| +| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.| +| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| +| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| +| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| +| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.| +| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| +| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| +| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| +| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.| +| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.| +| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.| +| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.| +| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.| +| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.| +| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.| +| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.| +| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.| +| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.| | S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. | -| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| -| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| -| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| -| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| -| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| +| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| +| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| +| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| +| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| +| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| | S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. | -| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| -| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.| -| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.| -| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. +| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| +| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.| +| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.| +| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.| | S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.| -| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client| -| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.| -| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.| -| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| -| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| -| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | -| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.| -| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.| -| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.| -| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.| -| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.| -| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.| -| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.| -| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.| +|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.| +|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.| +|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.| +|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.| +|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.| +|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.| +|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| +|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| +|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| +|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| +|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| +|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| +|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.| +|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.| +|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.| +|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.| +|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.| +|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.| +| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client| +| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.| +| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.| +| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| +| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| +| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | +| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.| +| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.| +| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.| +| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.| +| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.| +| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.| +| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.| +| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.| The following RIDs are relative to each domain. -| RID | Identifies | -| - | - | -| DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. | -| DOMAIN_USER_RID_GUEST| The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.| -| DOMAIN_GROUP_RID_USERS | A group that contains all user accounts in a domain. All users are automatically added to this group.| -| DOMAIN_GROUP_RID_GUESTS | The group Guest account in a domain.| -| DOMAIN_GROUP_RID_COMPUTERS | The Domain Computer group. All computers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CONTROLLERS | The Domain Controller group. All domain controllers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CERT_ADMINS | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.| -| DOMAIN_GROUP_RID_SCHEMA_ADMINS | The schema administrators' group. Members of this group can modify the Active Directory schema.| -| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.| -| DOMAIN_GROUP_RID_POLICY_ADMINS| The policy administrators' group.| +| RID |Decimal value| Identifies | +| - | - | - | +| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. | +| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.| +| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.| +| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.| +| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.| +| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.| +| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.| +| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.| +| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.| +| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.| The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups. - -| RID | Identifies | -| - | - | -| DOMAIN_ALIAS_RID_ADMINS | Administrators of the domain.| -| DOMAIN_ALIAS_RID_USERS | All users in the domain.| -| DOMAIN_ALIAS_RID_GUESTS | Guests of the domain.| -| DOMAIN_ALIAS_RID_POWER_USERS | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.| -| DOMAIN_ALIAS_RID_BACKUP_OPS | A local group that is used to control the assignment of file backup-and-restore user rights.| -| DOMAIN_ALIAS_RID_REPLICATOR | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.| -| DOMAIN_ALIAS_RID_RAS_SERVERS | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.| +| RID | Decimal value | Identifies | +| - | - | - | +| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.| +| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.| +| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.| +| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.| +| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.| +| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.| +| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.| ## Changes in security identifier's functionality @@ -290,6 +307,7 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location. ## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition + You may see the following registry keys under AllCachedCapabilities: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md index 935d64a947..9cd9f0847d 100644 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ b/windows/security/identity-protection/change-history-for-access-protection.md @@ -1,6 +1,6 @@ --- title: Change history for access protection (Windows 10) -description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10 and Windows 10 Mobile. +description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 5e92d8bddd..a313981ce1 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,5 +1,5 @@ --- -title: Configure S/MIME for Windows 10 and Windows 10 Mobile (Windows 10) +title: Configure S/MIME for Windows 10 description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, aka a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.reviewer: @@ -19,11 +19,10 @@ ms.date: 07/27/2017 --- -# Configure S/MIME for Windows 10 and Windows 10 Mobile +# Configure S/MIME for Windows 10 **Applies to** - Windows 10 -- Windows 10 Mobile S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. @@ -44,7 +43,6 @@ A digitally signed message reassures the recipient that the message hasn't been - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10)) - [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=718216) - - [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) ## Choose S/MIME settings diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 64ccdffe62..bafde6afc2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -105,7 +105,7 @@ Three approaches are documented here: 1. Update the certificate template by executing the following command: - certutil - dsaddtemplate \
Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | ## NDES server configuration @@ -89,9 +88,9 @@ For more information, see [Configure certificate infrastructure for SCEP](/mem/i You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well. -The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store. +Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store. -The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. -This is because Windows 10 Mobile requires strict KDC validation to be enabled. +Domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server. + For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382). \ No newline at end of file diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 091a4c8d21..51eda0028d 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -18,7 +18,6 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 0bda745eff..1fc11d00d4 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -17,6 +17,7 @@ ms.date: 04/02/2019 **Applies to** - Windows 10 +- Windows Server 2022 - Windows Server 2019 - Windows Server 2016 @@ -81,7 +82,7 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same ## Configuring hardware-based encryption with Group Policy -There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: +There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: - [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd) - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives) @@ -107,4 +108,4 @@ Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguratio 1. Open Disk Management (diskmgmt.msc) 2. Initialize the disk and select the appropriate partition style (MBR or GPT) 3. Create one or more volumes on the disk. -4. Use the BitLocker setup wizard to enable BitLocker on the volume. \ No newline at end of file +4. Use the BitLocker setup wizard to enable BitLocker on the volume. diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 4f59ad1d3a..3261c5f549 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: high author: dansimp ms.author: dansimp manager: dansimp @@ -96,4 +96,4 @@ Some things that you can check on the device are: - [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/) - [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) - [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) -- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file +- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 0ace25d81e..8032ebd2b8 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -156,9 +156,6 @@ Here are a few examples of responses from the Reporting CSP. ## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only) Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer. ->[!NOTE] ->Windows 10 Mobile requires you to use the [Reporting CSP process](#collect-wip-audit-logs-by-using-the-reporting-configuration-service-provider-csp) instead. - **To view the WIP events in the Event Viewer** 1. Open Event Viewer. diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 02d631b6db..593dc1c1fb 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -25,8 +25,6 @@ ms.reviewer: If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. -The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. - >[!IMPORTANT] >If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)).
If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 2d7684c08c..f057011638 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -22,7 +22,6 @@ ms.date: 01/09/2020 **Applies to:** - Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later - Microsoft Endpoint Configuration Manager Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. @@ -96,7 +95,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. -If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. +If you don't know the publisher or product name, you can find them for both desktop devices by following these steps. **To find the Publisher and Product Name values for Store apps without installing them** @@ -129,35 +128,6 @@ If you don't know the publisher or product name, you can find them for both desk > } > ``` -**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - - >[!NOTE] - >Your PC and phone must be on the same wireless network. - -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - -3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - -7. Start the app for which you're looking for the publisher and product name values. - -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - > [!IMPORTANT] - > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`. - > For example:
- > ```json
- > {
- > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- > }
- > ```
-
### Add a desktop app rule to your policy
For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
@@ -247,19 +217,19 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
4. On the **Before You Begin** page, click **Next**.
- 
+ 
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
- 
+ 
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
- 
+ 
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
- 
+ 
8. On the updated **Publisher** page, click **Create**.
@@ -466,12 +436,6 @@ After you've decided where your protected apps can access enterprise data on you
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
-
- - **Yes (recommended).** Turns on the feature and provides the additional protection.
-
- - **No, or not configured.** Doesn't enable this feature.
-
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 62291e7f81..8e6cb233a3 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -124,10 +124,6 @@ If you don't know the Store app publisher or product name, you can find them by
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
{
-
-
-If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
> [!NOTE]
> Your PC and phone must be on the same wireless network.
@@ -570,12 +566,6 @@ After you've decided where your protected apps can access enterprise data on you
-**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
-
-- **On.** Turns on the feature and provides the additional protection.
-
-- **Off, or not configured.** Doesn't enable this feature.
-
**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 1b1d1ef266..cf13c4c18b 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -21,7 +21,6 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
This table provides info about the most common problems you might encounter while running WIP in your organization.
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 2eefdaf76e..c2b7cb2188 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -22,7 +22,6 @@ ms.date: 03/05/2019
**Applies to:**
- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later
We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
@@ -164,14 +163,7 @@ You can try any of the processes included in these scenarios, but you should foc
-
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
-
-
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | | 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios. | | 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | | 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | | 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | @@ -343,4 +344,4 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. | **Result Code** | **0x29** (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. | | **Result Code** | **0x3C** (Generic error). This error can help you more quickly identify problems with Kerberos authentication. | | **Result Code** | **0x3E** (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. | -| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. | \ No newline at end of file +| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 98fc46090b..7a2cd61939 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 06/16/2021 + ms.date: 07/23/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -47,33 +47,6 @@ sections: - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - It must be a FQDN. A simple IP address will not work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - - - question: | - Can employees download documents from the Application Guard Edge session onto host devices? - answer: | - In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - - In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - - - question: | - Can employees copy and paste between the host device and the Application Guard Edge session? - answer: | - Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - - - question: | - Why don't employees see their favorites in the Application Guard Edge session? - answer: | - Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard). - - - question: | - Why aren’t employees able to see their extensions in the Application Guard Edge session? - answer: | - Make sure to enable the extensions policy on your Application Guard configuration. - - - question: | - I’m trying to watch playback video with HDR, why is the HDR option missing? - answer: | - In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. - question: | How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 508358b284..f06ae93261 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -18,7 +18,6 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows 10 Mobile Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. @@ -77,7 +76,7 @@ SmartScreen uses registry-based Administrative Template policy settings. ## MDM settings -If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
+If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune.
For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser).
Windows 10 Mobile |
-
|
-
Windows 10 for desktop editions |
[Plan for Windows 11](windows-11-plan.md) -[Prepare for Windows 11](windows-11-prepare.md) \ No newline at end of file +[Prepare for Windows 11](windows-11-prepare.md) + +## Also see + +[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows) \ No newline at end of file |