Merge branch 'master' into App-v-revision

This commit is contained in:
Heidi Lohr
2018-06-06 09:08:06 -07:00
74 changed files with 130 additions and 215 deletions


@ -1,7 +1,7 @@
---
title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro in S mode, switching options, and system requirements
keywords: S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
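Review bot: the keywords line still lists "Windows 10 Pro in S mode" twice (the last two entries, on both the old and the new line); drop one copy, and since the new description now covers "Pro/Enterprise in S mode", consider adding an Enterprise keyword to match.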


@ -1509,15 +1509,20 @@ This event sends data about the processor (architecture, speed, number of cores,
The following fields are available:
- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
- **KvaShadow** Microcode info of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
- **ProcessorArchitecture** Processor architecture of the installed operating system.
- **ProcessorClockSpeed** Clock speed of the processor in MHz.
- **ProcessorCores** Number of logical cores in the processor.
- **ProcessorIdentifier** Processor Identifier of a manufacturer.
- **ProcessorManufacturer** Name of the processor manufacturer.
- **ProcessorModel** Name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
- **ProcessorUpdateRevision** Microcode revision
- **ProcessorUpdateRevision** Microcode revision.
- **ProcessorUpdateStatus** The status of the microcode update.
- **SocketCount** Count of CPU sockets.
- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Security
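Review bot: the descriptions of the new fields are too vague to help a reader, and KvaShadow is mislabelled: "Microcode info of the processor" fits neither KvaShadow, which reports whether kernel virtual address shadowing (a kernel-side mitigation, not a microcode attribute) is enabled, nor MMSettingOverride and MMSettingOverrideMask, which by their names are a setting value and its override mask. Suggest stating for each field what value it actually carries, and rewording SpeculationControl to "Indicates whether the system has enabled the protections needed to mitigate the speculation control vulnerability" (the current text says "validate"). Also restore the blank line before the "### Census.Security" heading, which now sits directly against the last list item.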


@ -7,16 +7,16 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.date: 04/09/2018
author: danihalfin
ms.author: daniha
ms.date: 06/05/2018
---
# Manage connections from Windows operating system components to Microsoft services
**Applies to**
- Windows 10 Enterprise edition
- Windows 10 Enterprise, version 1607 and newer
- Windows Server 2016
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
@ -32,7 +32,10 @@ This baseline was created in the same way as the [Windows security baselines](/w
Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
Make sure should you've chosen the right settings configuration for your environment before applying.
You should not extract this package to the windows\\system32 folder because it will not apply correctly.
You should not extract this package to the windows\\system32 folder because it will not apply correctly.
>[!IMPORTANT]
> As part of the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), MDM functionallity is disabled. If you manage devices through MDM, make sure [cloud notifications are enabled](#bkmk-priv-notifications).
Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
It is recommended that you restart a device after making configuration changes to it.
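Review bot: the added sentence "Make sure should you've chosen the right settings configuration for your environment before applying." is ungrammatical; suggest "Make sure you have chosen the right settings configuration for your environment before applying it." In the IMPORTANT note, "functionallity" should be "functionality". The preceding sentence ("some of the settings reduce the functionality and security configuration of your device") would be more actionable if it pointed to which settings, or at least linked the section that does; the MDM caveat in the note is one such case.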
@ -87,12 +90,12 @@ Here's a list of changes that were made to this article for Windows 10, version
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
>[!NOTE]
>For some settings, MDM policies only partly cover capabilities available through Group Policy. See each settings section for more details.
### Settings for Windows 10 Enterprise edition
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1703.
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
>[!NOTE]
>For some settings, MDM policies only partly cover capabilities available through Group Policy. See each settings section for more details.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
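Review bot: the NOTE block about MDM policies only partly covering Group Policy now appears both before the "### Settings for Windows 10 Enterprise edition" heading and after the revised table intro; if the intent was to move it below the intro, make sure the first copy is the one being removed, otherwise the rendered page shows the same note twice a few lines apart. Also "See each settings section" should be "See each setting's section".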
@ -1075,6 +1078,9 @@ To turn off **Choose apps that can use your microphone**:
### <a href="" id="bkmk-priv-notifications"></a>17.5 Notifications
>[!IMPORTANT]
>Disabling notifications will also disable the ability to manage the device through MDM. If you are using an MDM solution, make sure cloud notifications are enabled through one of the options below.
To turn off notifications network usage:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage**
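Review bot: the new IMPORTANT note tells MDM users to keep cloud notifications "enabled through one of the options below", but the options that follow are the steps for turning notifications network usage off, so the reader cannot tell which option preserves MDM management. Suggest stating it directly, for example "If you use an MDM solution, do not apply the settings in this section", or naming the specific setting that must stay enabled.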


@ -76,6 +76,16 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
### Countermeasure
When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right.
### Vulnerability
>**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
 
Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any currently logged on account. They could escalate their privileges or create a denial-of-service (DoS) condition.
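Review bot: the second "### Vulnerability" heading and the caution/token paragraph after the Countermeasure describe the ability to create or modify access tokens, not the Create global objects right, so this article now has two Vulnerability sections with unrelated content; check whether this block was pasted in from another user-right topic. Typos in the hunk: "session-specfic" should be "session-specific" and "assining" should be "assigning".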


@ -630,7 +630,7 @@ Here are the minimum steps for WEF to operate:
</Query>
<Query Id="12" Path="Microsoft-Windows-PowerShell/Operational">
<!-- PowerShell execute block activity (4103), Remote Command(4104), Start Command(4105), Stop Command(4106) -->
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventId=4104 or EventId=4105 or EventId=4106)]]</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104 or EventID=4105 or EventID=4106)]]</Select>
</Query>
<Query Id="13" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
<!-- Detect User-Mode drivers loaded - for potential BadUSB detection. -->
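Review bot: good catch; XPath element names are case-sensitive, so the old `EventId=4104 or EventId=4105 or EventId=4106` terms never matched and only 4103 was being forwarded by Query Id 12. Since the same slip could exist elsewhere in the subscription, it is worth searching the whole XML for `EventId` before merging.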


@ -78,7 +78,7 @@ For October 2017, we are announcing an update to system.management.automation.dl
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
```
<?xml version="1.0" encoding="utf-8" ?>
<?xml version="1.0" encoding="utf-8" ?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
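Review bot: the old and new `<?xml version="1.0" encoding="utf-8" ?>` lines are textually identical, so this looks like a whitespace or byte-order-mark change; confirm the intent and mention it in the commit, since an invisible difference in a block readers copy verbatim into their own policy file is easy to miss. While here, the opening fence has no language tag; ```xml would give the policy syntax highlighting.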
@ -132,6 +132,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/>
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/>
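Review bot: the new deny rule matches its neighbours (a FileName rule with MinimumFileVersion 65535.65535.65535.65535, which denies every version of texttransform.exe), so the rule definition itself looks right; the one thing to check is that any prose list of blocked applications preceding this policy also gains texttransform.exe, since the intro says "block the following Microsoft-signed applications" and readers will scan that list rather than the XML.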
@ -508,6 +509,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/>
<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM"/>
<FileRuleRef RuleID="ID_DENY_WMIC"/>
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>
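Review bot: this FileRuleRef is what activates the ID_DENY_TEXTTRANSFORM rule; a Deny element in FileRules that is not referenced from a FileRulesRef list has no effect. If this policy carries more than one FileRulesRef list (for example under separate signing scenarios or signer groups), confirm the reference is added to every list that already carries the sibling ID_DENY_LXRUN and ID_DENY_WMIC references, so texttransform.exe is blocked in the same scopes.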