Merge branch 'master' into nimishasatapathy-4852875-windowsphoneremove

Daniel Simpson 2021-05-10 12:16:03 -07:00 committed by GitHub
commit 5ac711b6a7
GPG Key ID: 4AEE18F83AFDEB23
72 changed files with 1506 additions and 1270 deletions

View File

@ -129,6 +129,20 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "SV",
"build_source_folder": "windows/sv",
"build_output_subfolder": "SV",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",
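Review bot: confirm that the `windows/sv` folder named in `"build_source_folder": "windows/sv"` exists in this branch before merging; a docset entry whose source folder is absent breaks publishing for the whole config, not just for the new SV docset. The rest of the entry (`"open_to_public_contributors": true`, `"Conceptual": "Content"`, `_themes`) mirrors the neighbouring docsets, so there is no settings concern.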

View File

@ -53,7 +53,7 @@
"garycentric"
]
},
"externalReference": [],
"fileMetadata": {},
"template": "op.html",
"dest": "browsers/edge",
"markdownEngineName": "markdig"

View File

@ -207,7 +207,7 @@
- name: Internet Explorer 11 delivery through automatic updates
href: ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
- name: Internet Explorer 11 Blocker Toolkit FAQ
href: ie11-faq/faq-ie11-blocker-toolkit.md
href: ie11-faq/faq-ie11-blocker-toolkit.yml
- name: Missing Internet Explorer Maintenance settings for Internet Explorer 11
href: ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
- name: Missing the Compatibility View Button
@ -215,7 +215,7 @@
- name: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013
href: ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
- name: IE11 Frequently Asked Questions (FAQ) Guide for IT Pros
href: ie11-faq/faq-for-it-pros-ie11.md
href: ie11-faq/faq-for-it-pros-ie11.yml
- name: Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros
href: ie11-ieak/index.md
items:
@ -259,7 +259,7 @@
- name: Use the RSoP snap-in to review policy settings
href: ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
- name: IEAK 11 - Frequently Asked Questions
href: ie11-faq/faq-ieak11.md
href: ie11-faq/faq-ieak11.yml
- name: Troubleshoot custom package and IEAK 11 problems
href: ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
- name: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
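Review bot: the three hrefs that move from `.md` to `.yml` here (`faq-ie11-blocker-toolkit`, `faq-for-it-pros-ie11`, `faq-ieak11`) need matching redirect entries for the old `.md` URLs, because the later hunk in this commit deletes `faq-for-it-pros-ie11.md` outright rather than keeping it beside the `.yml`; without redirects, bookmarks and external links to the old paths will 404 once this lands. Nothing in the visible hunks touches the redirection file.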

View File

@ -54,7 +54,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
> [!NOTE]
> The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
> The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.yml).
- **Use an update management solution to control update deployment.**
If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
@ -137,7 +137,7 @@ If you need to reset your Update Rollups packages to auto-approve, do this:
- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 delivery through automatic updates]()
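Review bot: the trailing context line `- [Internet Explorer 11 delivery through automatic updates]()` has an empty link target. It is not a changed line, but since this hunk already edits the same list, either point it at `ie11-delivery-through-automatic-updates.md` (as the equivalent list in the other deploy-guide file does) or drop the bullet if it is a self-reference.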

View File

@ -60,6 +60,6 @@ IE11 offers differing experiences in Windows 8.1:
|Internet Explorer 11 or IE11 |The whole browser, which includes both IE and Internet Explorer for the desktop. |
## Related topics
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)

View File

@ -40,7 +40,7 @@ Internet Explorer 11 includes several new features and tools. This topic includ
- **Out-of-date ActiveX control blocking**. Helps to keep your ActiveX controls up-to-date, because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. For more info, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md).
- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md).
- **Do Not Track (DNT) exceptions.** IE11 lets websites ask whether to track users as they browse a website. If the user approves the request, IE records an exception to the "Do Not Track" rule and sends headers to the website that allow tracking. By respecting these headers and requesting exceptions to the default privacy settings, website owners can develop a trusted relationship with their users about privacy. For more info, see [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml).
- **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).

View File

@ -50,7 +50,7 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op
6. Close the Command Prompt.
For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.yml).
## Automatic updates
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
@ -73,7 +73,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
> [!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.md).
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml).
- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
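Review bot: the link text in the note reads "Internet Explorer 11 Blocker Toolkit frequently asked questions" but the target, before and after this change, is `../ie11-faq/faq-for-it-pros-ie11.yml`, the general IT-pros FAQ; the same note block in the other deploy-guide file in this commit points to `../ie11-faq/faq-ie11-blocker-toolkit.yml`. Since only the extension was swapped here, fix the target in the same hunk. Minor: this file calls the second product "System Center 2012 Configuration Manager" while the sibling file calls the same URL "Microsoft Endpoint Configuration Manager"; pick one name.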
@ -147,9 +147,9 @@ After the new Internet Explorer 11 package is available for download, you should
- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.md)
- [Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions](../ie11-faq/faq-ie11-blocker-toolkit.yml)
- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 delivery through automatic updates](ie11-delivery-through-automatic-updates.md)

View File

@ -1,207 +0,0 @@
---
ms.localizationpriority: medium
ms.mktglfcycl: explore
description: Frequently asked questions about Internet Explorer 11 for IT Pros
author: dansimp
ms.prod: ie11
ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3
ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 10/16/2017
---
# Internet Explorer 11 - FAQ for IT Pros
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
## Frequently Asked Questions
**Q: What operating system does IE11 run on?**
- Windows 10
- Windows 8.1
- Windows Server 2012 R2
- Windows 7 with Service Pack 1 (SP1)
- Windows Server 2008 R2 with Service Pack 1 (SP1)
**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**<br>
IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required.
**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**<br>
You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956).
**Q: How does IE11 integrate with Windows 8.1?**<br>
IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences.
**Q: What are the new or improved security features?**<br>
IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default.
**Q: How is Microsoft supporting modern web standards, such as WebGL?**<br>
Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.<p>
Supported web standards include:
- Web Graphics Library (WebGL)
- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules
- Fullscreen API
- Encrypted media extensions
- Media source extensions
- CSS flexible box layout module
- And mutation observers like DOM4 and 5.3
For more information about specific changes and additions, see the [IE11 guide for developers](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182636(v=vs.85)).
**Q: What test tools exist to test for potential application compatibility issues?**<br>
The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?<br>
Its most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by:
- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](/dotnet/framework/migration-guide/application-compatibility) section of the Application Compatibility in the .NET Framework 4.5 page.
**Q: Is there a compatibility list for IE?**<br>
Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864).
**Q: What is Enterprise Mode?**<br>
Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration thats designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.<p>
For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md).
**Q: What is the Enterprise Mode Site List Manager tool?**<br>
Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.<p>
For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md).
**Q: Are browser plug-ins supported in IE11?**<br>
The immersive version of IE11 provides an add-onfree experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight.
**Q: Is Adobe Flash supported on IE11?**<br>
Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.<p>
**Important**<br>
The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in.
**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**<br>
No. Windows 8.1 doesn't support any of the previous versions of IE.
**Q: Are there any new Group Policy settings in IE11?**<br>
IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features:
- Turn off Page Prediction
- Turn on the swiping motion for Internet Explorer for the desktop
- Allow Microsoft services to provide more relevant and personalized search results
- Turn off phone number detection
- Allow IE to use the SPDY/3 network protocol
- Let users turn on and use Enterprise Mode from the **Tools** menu
- Use the Enterprise Mode IE website list
For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md).
**Q: Where can I get more information about IE11 for IT pros?**<br>
Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet.
**Q: Can I customize settings for IE on Windows 8.1?**<br>
Settings can be customized in the following ways:
- IE11 **Settings** charm.
- IE11-related Group Policy settings.
- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop.
**Q: Can I make Internet Explorer for the desktop my default browsing experience?**<br>
Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:<p>
|Setting |Result |
|--------|-------|
|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
|Always in IE11 |Links always open in IE. |
|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
| | | |
|---------|---------|---------|
|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
**Q. What are the different modes available for the Internet Explorer Customization Wizard?**
The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md).
The following table displays which pages are available in IEAK 11, based on the licensing mode:
| **Wizard Pages** | **External** | **Internal** |
|-------------------------------------------|--------------|--------------|
| Welcome to the IEAK | Yes | Yes |
| File Locations | Yes | Yes |
| Platform Selection | Yes | Yes |
| Language Selection | Yes | Yes |
| Package Type Selection | Yes | Yes |
| Feature Selection | Yes | Yes |
| Automatic Version Synchronization | Yes | Yes |
| Custom Components | Yes | Yes |
| Corporate Install | No | Yes |
| User Experience | No | Yes |
| Browser User Interface | Yes | Yes |
| Search Providers | Yes | Yes |
| Important URLs - Home page and Support | Yes | Yes |
| Accelerators | Yes | Yes |
| Favorites, Favorites Bar, and Feeds | Yes | Yes |
| Browsing Options | No | Yes |
| First Run Wizard and Welcome Page Options | Yes | Yes |
| Compatibility View | Yes | Yes |
| Connection Manager | Yes | Yes |
| Connection Settings | Yes | Yes |
| Automatic Configuration | No | Yes |
| Proxy Settings | Yes | Yes |
| Security and Privacy Settings | No | Yes |
| Add a Root Certificate | Yes | No |
| Programs | Yes | Yes |
| Additional Settings | No | Yes |
| Wizard Complete | Yes | Yes |
## Related topics
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)

View File

@ -0,0 +1,253 @@
### YamlMime:FAQ
metadata:
ms.localizationpriority: medium
ms.mktglfcycl: explore
description: Frequently asked questions about Internet Explorer 11 for IT Pros
author: dansimp
ms.prod: ie11
ms.assetid: 140e7d33-584a-44da-8c68-6c1d568e1de3
ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
title: Internet Explorer 11 - FAQ for IT Pros (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 10/16/2017
title: Internet Explorer 11 - FAQ for IT Pros
summary: |
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration.
sections:
- name: Ignored
questions:
- question: |
Frequently Asked Questions
answer: |
- question: |
What operating system does IE11 run on?
answer: |
- Windows 10
- Windows 8.1
- Windows Server 2012 R2
- Windows 7 with Service Pack 1 (SP1)
- Windows Server 2008 R2 with Service Pack 1 (SP1)
- question: |
How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?
answer: |
IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required.
- question: |
How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?
answer: |
You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956).
- question: |
How does IE11 integrate with Windows 8.1?
answer: |
IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences.
- question: |
What are the new or improved security features?
answer: |
IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default.
- question: |
How is Microsoft supporting modern web standards, such as WebGL?
answer: |
Microsoft is committed to providing an interoperable web by supporting modern web standards. Doing this lets developers use the same markup across web browsers, helping to reduce development and support costs.<p>
Supported web standards include:
- Web Graphics Library (WebGL)
- Canvas 2D L2 extensions, including image smoothing using the nearest neighbor, dashed lines, and fill rules
- Fullscreen API
- Encrypted media extensions
- Media source extensions
- CSS flexible box layout module
- And mutation observers like DOM4 and 5.3
For more information about specific changes and additions, see the [IE11 guide for developers](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182636(v=vs.85)).
- question: |
What test tools exist to test for potential application compatibility issues?
answer: |
The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
- question: |
Why am I having problems launching my legacy apps with Internet Explorer 11?
answer: |
Its most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by:
- **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](/dotnet/framework/migration-guide/application-compatibility) section of the Application Compatibility in the .NET Framework 4.5 page.
- question: |
Is there a compatibility list for IE?
answer: |
Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864).
- question: |
What is Enterprise Mode?
answer: |
Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration thats designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.<p>
For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md).
- question: |
What is the Enterprise Mode Site List Manager tool?
answer: |
Enterprise Mode Site List Manager tool gives you a way to add websites to your Enterprise Mode site list, without having to manually code XML.<p>
For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md).
- question: |
Are browser plug-ins supported in IE11?
answer: |
The immersive version of IE11 provides an add-onfree experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight.
- question: |
Is Adobe Flash supported on IE11?
answer: |
Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.<p>
**Important**<br>
The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in.
- question: |
Can I replace IE11 on Windows 8.1 with an earlier version?
answer: |
No. Windows 8.1 doesn't support any of the previous versions of IE.
- question: |
Are there any new Group Policy settings in IE11?
answer: |
IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features:
- Turn off Page Prediction
- Turn on the swiping motion for Internet Explorer for the desktop
- Allow Microsoft services to provide more relevant and personalized search results
- Turn off phone number detection
- Allow IE to use the SPDY/3 network protocol
- Let users turn on and use Enterprise Mode from the **Tools** menu
- Use the Enterprise Mode IE website list
For more information, see [New group policy settings for IE11](../ie11-deploy-guide/new-group-policy-settings-for-ie11.md).
- question: |
Where can I get more information about IE11 for IT pros?
answer: |
Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/fwlink/p/?LinkId=313191) webpage on TechNet.
- question: |
Can I customize settings for IE on Windows 8.1?
answer: |
Settings can be customized in the following ways:
- IE11 **Settings** charm.
- IE11-related Group Policy settings.
- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop.
- question: |
Can I make Internet Explorer for the desktop my default browsing experience?
answer: |
Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:<p>
|Setting |Result |
|--------|-------|
|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
|Always in IE11 |Links always open in IE. |
|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
- question: |
Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?
answer: |
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
| | | |
|---------|---------|---------|
|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
- question: |
What are the different modes available for the Internet Explorer Customization Wizard?
answer: |
The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md).
The following table displays which pages are available in IEAK 11, based on the licensing mode:
| **Wizard Pages** | **External** | **Internal** |
|-------------------------------------------|--------------|--------------|
| Welcome to the IEAK | Yes | Yes |
| File Locations | Yes | Yes |
| Platform Selection | Yes | Yes |
| Language Selection | Yes | Yes |
| Package Type Selection | Yes | Yes |
| Feature Selection | Yes | Yes |
| Automatic Version Synchronization | Yes | Yes |
| Custom Components | Yes | Yes |
| Corporate Install | No | Yes |
| User Experience | No | Yes |
| Browser User Interface | Yes | Yes |
| Search Providers | Yes | Yes |
| Important URLs - Home page and Support | Yes | Yes |
| Accelerators | Yes | Yes |
| Favorites, Favorites Bar, and Feeds | Yes | Yes |
| Browsing Options | No | Yes |
| First Run Wizard and Welcome Page Options | Yes | Yes |
| Compatibility View | Yes | Yes |
| Connection Manager | Yes | Yes |
| Connection Settings | Yes | Yes |
| Automatic Configuration | No | Yes |
| Proxy Settings | Yes | Yes |
| Security and Privacy Settings | No | Yes |
| Add a Root Certificate | Yes | No |
| Programs | Yes | Yes |
| Additional Settings | No | Yes |
| Wizard Complete | Yes | Yes |
additionalContent: |
## Related topics
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
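Review bot: raw HTML line-break tags are carried into the YAML answer bodies in this hunk ("without having to manually code XML.<p>", "**Important**<br>", "The following table shows the settings and results:<p>"); inside a YamlMime:FAQ block scalar these should be a blank line or a markdown line break rather than inline HTML, otherwise the answer text and the list or table that follows it are at the mercy of how the renderer treats a dangling `<p>`. The IEAK language-download table and the Customization Wizard page table at the end of this file are the same tables that appear in the IEAK 11 FAQ converted in this same commit, and the two files already disagree on where the wizard-modes question links (licensing-version-and-features-ieak11.md here, what-ieak-can-do-for-you.md there); keeping one copy and linking to it would stop the two from drifting further.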

View File

@ -1,124 +0,0 @@
---
ms.localizationpriority: medium
ms.mktglfcycl: explore
description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
author: dansimp
ms.author: dansimp
ms.prod: ie11
ms.assetid:
ms.reviewer:
audience: itpro
manager: dansimp
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
ms.sitesec: library
ms.date: 05/10/2018
---
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
> If you administer your companys environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you dont need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
- [Automatic updates delivery process](#automatic-updates-delivery-process)
- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
## Automatic Updates delivery process
**Q. Which users will receive Internet Explorer 11 as an important update?**
A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if its turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
**Q. When is the Blocker Toolkit available?**
A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
A. We encourage anyone who wants full control over their companys deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
**Q. How long does the blocker mechanism work?**
A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isnt removed or changed.
**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why cant I just disable all of Automatic Updates?**
A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your users computers.
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that cant use WSUS, Configuration Manager, or
other update management solution.
**Q. Why dont we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
## How the Internet Explorer 11 Blocker Toolkit works
**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
**Q. Whats the registry key used to block delivery of Internet Explorer 11?**
A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
**Q. Whats the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
**Q. Whats the ADM template file used for?**
A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
**Q. Is the tool localized?**
A. No. The tool isnt localized, its only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
## Internet Explorer 11 Blocker Toolkit and other update services
**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**<br>
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center.
**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that dont use upgrade management solutions.
**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
- You dont want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now.
If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation.
## Additional resources
- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
- [Internet Explorer 11 FAQ for IT pros](./faq-for-it-pros-ie11.md)
- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
- [Internet Explorer 11 deployment guide](../ie11-deploy-guide/index.md)
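Review bot: the whole markdown page is removed here (-1,124 +0,0) with no redirect from the old .md URL to the replacement .yml page visible in the commit; the deleted page itself cross-linked its sibling FAQ by .md path ("./faq-for-it-pros-ie11.md"), so other pages and external bookmarks very likely do the same and will break unless a redirect entry accompanies the deletion.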

View File

@ -0,0 +1,161 @@
### YamlMime:FAQ
metadata:
ms.localizationpriority: medium
ms.mktglfcycl: explore
description: Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
author: dansimp
ms.author: dansimp
ms.prod: ie11
ms.assetid:
ms.reviewer:
audience: itpro
manager: dansimp
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
ms.sitesec: library
ms.date: 05/10/2018
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
summary: |
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
> If you administer your companys environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you dont need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
- [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process)
- [How the Internet Explorer 11 Blocker Toolkit works](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#how-the-internet-explorer-11-blocker-toolkit-works)
- [Internet Explorer 11 Blocker Toolkit and other update services](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#internet-explorer-11-blocker-toolkit-and-other-update-services)
sections:
- name: Automatic Updates delivery process
questions:
- question: |
Which users will receive Internet Explorer 11 important update?
answer: |
Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically downloand install the Internet Explorer 11 files if its turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
- question: |
When is the Blocker Toolkit available?
answer: |
The Blocker Toolkit is currently available from the [Microsoft DownloCenter](https://www.microsoft.com/download/details.aspx?id=40722).
- question: |
Whtools cI use to manage Windows Updates and Microsoft Updates in my company?
answer: |
We encourage anyone who wants full control over their companys deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
- question: |
How long does the blocker mechanism work?
answer: |
The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts long the registry key value isnt removed or changed.
- question: |
Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why cant I just disable all of Automatic Updates?
answer: |
Automatic Updates provide you with ongoing criticsecurity and reliability updates. Turning this feature off cleave your computers more vulnerable. Instead, we suggest thyou use update management solution, such WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your users computers.
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to downloand install in companies thcant use WSUS, Configuration Manager, or
other update management solution.
- question: |
Why dont we just block URL access to Windows Update or Microsoft Update?
answer: |
Blocking the Windows Update or Microsoft Update URLs also stops delivery of criticsecurity and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
- name: How the Internet Explorer 11 Blocker Toolkit works
questions:
- question: |
How should I test the Internet Explorer 11 Blocker Toolkit in my company?
answer: |
Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additionimpact or side effects to your environment. No additiontesting should be necessary.
- question: |
Whats the registry key used to block delivery of Internet Explorer 11?
answer: |
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
- question: |
Whats the registry key name and values?
answer: |
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
- Not providing a registry key, or using a value of anything other th**1**, lets the user install Internet Explorer 11 through Automatic Updates or a
manuupdate.
- question: |
Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?
answer: |
No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users cstill downloand install Internet Explorer 11 from the Microsoft DownloCenter or from externmedia.
- question: |
Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?
answer: |
Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
- question: |
How does the provided script work?
answer: |
The script accepts one of two command line options:
- **Block:** Creates the registry key thstops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key thstops Internet Explorer 11 from installing through Automatic Updates.
- question: |
Whats the ADM template file used for?
answer: |
The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
- question: |
Is the tool localized?
answer: |
No. The tool isnt localized, its only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
- name: Internet Explorer 11 Blocker Toolkit and other update services
questions:
- question: |
Is there a version of the Internet Explorer Blocker Toolkit thwill prevent automatic installation of IE11?
answer: |
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft DownloCenter.
- question: |
Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?
answer: |
No. You cstill deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies thdont use upgrade management solutions.
- question: |
If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?
answer: |
You only need to change your settings if:
- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
- You dont want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now.
If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) for more information on how to prevent automatic installation.
additionalContent: |
## Additionresources
- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
- [Internet Explorer 11 Ffor IT pros](./faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
- [Internet Explorer 11 deployment guide](../ie11-deploy-guide/index.md)
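Review bot: the answer text in this converted file is systematically corrupted and must not merge as-is: everywhere a word ends in "a" plus one letter and a space, those characters have been dropped, so "download and install" became "downloand install", "Download Center" became "DownloCenter", "What tools can I use" became "Whtools cI use", "critical security" became "criticsecurity", "as an important update" became "important update", "such as WSUS" became "such WSUS", "lasts as long as" became "lasts long", "manual update" became "manuupdate", "external media" became "externmedia", "Additional resources" became "Additionresources" and "FAQ for IT pros" became "Ffor IT pros". The deleted markdown page in this commit has the intact wording for every one of these answers, so restore the bodies from it and diff the two before resubmitting; the questions at "Whtools cI use..." and "Is there a version of the Internet Explorer Blocker Toolkit thwill prevent..." are the quickest way to spot that the corruption also reached the question strings.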

View File

@ -1,124 +0,0 @@
---
ms.localizationpriority: medium
ms.mktglfcycl: support
ms.pagetype: security
description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
author: dansimp
ms.author: dansimp
ms.manager: elizapo
ms.prod: ie11
ms.assetid:
ms.reviewer:
audience: itpro
manager: dansimp
title: IEAK 11 - Frequently Asked Questions
ms.sitesec: library
ms.date: 05/10/2018
---
# IEAK 11 - Frequently Asked Questions
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
**What is IEAK 11?**
IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
**What are the supported operating systems?**
You can customize and install IEAK 11 on the following supported operating systems:
- Windows 8
- Windows Server 2012
- Windows 7 Service Pack 1 (SP1)
- Windows Server 2008 R2 Service Pack 1 (SP1)
> [!NOTE]
> IEAK 11 does not support building custom packages for Windows RT.
**What can I customize with IEAK 11?**
The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable.
> [!NOTE]
> Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
**Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
> [!NOTE]
> IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**<br>
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:
- [Internet Explorer Administration Kit Information and Downloads](../ie11-ieak/ieak-information-and-downloads.md) on the Internet Explorer TechCenter.
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
**What are the different modes available for the Internet Explorer Customization Wizard?**
The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md).
The following table displays which pages are available in IEAK 11, based on the licensing mode:
| **Wizard Pages** | **External** | **Internal** |
|-------------------------------------------|--------------|--------------|
| Welcome to the IEAK | Yes | Yes |
| File Locations | Yes | Yes |
| Platform Selection | Yes | Yes |
| Language Selection | Yes | Yes |
| Package Type Selection | Yes | Yes |
| Feature Selection | Yes | Yes |
| Automatic Version Synchronization | Yes | Yes |
| Custom Components | Yes | Yes |
| Corporate Install | No | Yes |
| User Experience | No | Yes |
| Browser User Interface | Yes | Yes |
| Search Providers | Yes | Yes |
| Important URLs - Home page and Support | Yes | Yes |
| Accelerators | Yes | Yes |
| Favorites, Favorites Bar, and Feeds | Yes | Yes |
| Browsing Options | No | Yes |
| First Run Wizard and Welcome Page Options | Yes | Yes |
| Compatibility View | Yes | Yes |
| Connection Manager | Yes | Yes |
| Connection Settings | Yes | Yes |
| Automatic Configuration | No | Yes |
| Proxy Settings | Yes | Yes |
| Security and Privacy Settings | No | Yes |
| Add a Root Certificate | Yes | No |
| Programs | Yes | Yes |
| Additional Settings | No | Yes |
| Wizard Complete | Yes | Yes |
**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?**
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
| | | |
|---------|---------|---------|
|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
## Additional resources
[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md)
[IEAK 11 overview](../ie11-ieak/index.md)
[IEAK 11 product documentation](../ie11-ieak/index.md)
[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)

View File

@ -0,0 +1,140 @@
### YamlMime:FAQ
metadata:
ms.localizationpriority: medium
ms.mktglfcycl: support
ms.pagetype: security
description: Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions.
author: dansimp
ms.author: dansimp
ms.manager: elizapo
ms.prod: ie11
ms.assetid:
ms.reviewer:
audience: itpro
manager: dansimp
title: IEAK 11 - Frequently Asked Questions
ms.sitesec: library
ms.date: 05/10/2018
title: IEAK 11 - Frequently Asked Questions
summary: |
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Get answers to commonly asked questions about the Internet Explorer Administration Kit 11 (IEAK 11), and find links to additional material you might find helpful.
sections:
- name: Ignored
questions:
- question: |
What is IEAK 11?
answer: |
IEAK 11 enables you to customize, brand, and distribute customized Internet Explorer 11 browser packages across an organization. Download the kit from the [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
- question: |
What are the supported operating systems?
answer: |
You can customize and install IEAK 11 on the following supported operating systems:
- Windows 8
- Windows Server 2012
- Windows 7 Service Pack 1 (SP1)
- Windows Server 2008 R2 Service Pack 1 (SP1)
> [!NOTE]
> IEAK 11 does not support building custom packages for Windows RT.
- question: |
What can I customize with IEAK 11?
answer: |
The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable.
> [!NOTE]
> Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package.
- question: |
Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?
answer: |
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
> [!NOTE]
> IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md).
- question: |
Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?
answer: |
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:
- [Internet Explorer Administration Kit Information and Downloads](../ie11-ieak/ieak-information-and-downloads.md) on the Internet Explorer TechCenter.
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
- question: |
What are the different modes available for the Internet Explorer Customization Wizard?
answer: |
The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [What IEAK can do for you](../ie11-ieak/what-ieak-can-do-for-you.md).
The following table displays which pages are available in IEAK 11, based on the licensing mode:
| **Wizard Pages** | **External** | **Internal** |
|-------------------------------------------|--------------|--------------|
| Welcome to the IEAK | Yes | Yes |
| File Locations | Yes | Yes |
| Platform Selection | Yes | Yes |
| Language Selection | Yes | Yes |
| Package Type Selection | Yes | Yes |
| Feature Selection | Yes | Yes |
| Automatic Version Synchronization | Yes | Yes |
| Custom Components | Yes | Yes |
| Corporate Install | No | Yes |
| User Experience | No | Yes |
| Browser User Interface | Yes | Yes |
| Search Providers | Yes | Yes |
| Important URLs - Home page and Support | Yes | Yes |
| Accelerators | Yes | Yes |
| Favorites, Favorites Bar, and Feeds | Yes | Yes |
| Browsing Options | No | Yes |
| First Run Wizard and Welcome Page Options | Yes | Yes |
| Compatibility View | Yes | Yes |
| Connection Manager | Yes | Yes |
| Connection Settings | Yes | Yes |
| Automatic Configuration | No | Yes |
| Proxy Settings | Yes | Yes |
| Security and Privacy Settings | No | Yes |
| Add a Root Certificate | Yes | No |
| Programs | Yes | Yes |
| Additional Settings | No | Yes |
| Wizard Complete | Yes | Yes |
- question: |
Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?
answer: |
Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard.
IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center:
| | | |
|---------|---------|---------|
|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) |
|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |
|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |
|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |
|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |
|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) |
|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) |
|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) |
additionalContent: |
## Additional resources
-[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md)
-[IEAK 11 overview](../ie11-ieak/index.md)
-[IEAK 11 product documentation](../ie11-ieak/index.md)
-[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
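Review bot: the new faq-ieak11.yml carries a duplicate `title:` key in `metadata` (once before `ms.sitesec`, once after `ms.date`); YAML parsers either reject duplicate mapping keys or silently keep the last one, so drop one copy. `ms.assetid:` and `ms.reviewer:` are left with empty values and can be removed. The question "Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?" appears twice with different answers (one with the note, one with the download table); merge them into a single entry so the page does not answer the same question twice. In `additionalContent`, the list items are written as `-[Download IEAK 11](...)` with no space after the hyphen, so Markdown will not render them as a list; change them to `- [Download IEAK 11](...)` and so on.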

View File

@ -32,7 +32,7 @@ The Internet Explorer Administration Kit (IEAK) simplifies the creation, deploym
[IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
[IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml)
[Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](before-you-create-custom-pkgs-ieak11.md)

View File

@ -43,10 +43,10 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
|Internet Explorer Customization Wizard 11 |Step-by-step wizard screens that help you create custom IE11 installation packages. |
## Related topics
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml)
- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 administrators guide]()
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
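Review bot: the unchanged line `- [IEAK 11 administrators guide]()` has an empty link target and renders as a dead link; since this hunk already touches the neighbouring list entries, point it at the same target used in the licensing page hunk below, `- [IEAK 11 administrators guide](./index.md)`.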

View File

@ -62,11 +62,11 @@ ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Int
## Additional resources
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.yml)
- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 overview](index.md)
- [IEAK 11 administrators guide](./index.md)
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)

View File

@ -15,7 +15,7 @@ ms.date: 07/27/2017
# Internet Explorer 11 (IE11)
Find info about Internet Explorer 11 that's important to IT Pros.
- [Internet Explorer 11 - FAQ for IT Pros](ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 - FAQ for IT Pros](ie11-faq/faq-for-it-pros-ie11.yml)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](ie11-deploy-guide/index.md)

View File

@ -25,7 +25,7 @@ landingContent:
- text: System requirements and language support
url: ./ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
- text: Frequently asked questions
url: ./ie11-faq/faq-for-it-pros-ie11.md
url: ./ie11-faq/faq-for-it-pros-ie11.yml
- text: Internet Explorer 11 deployment guide
url: ./ie11-deploy-guide/index.md
- text: Use Enterprise Mode to improve compatibility
@ -89,7 +89,7 @@ landingContent:
- text: Download IEAK 11
url: ./ie11-ieak/ieak-information-and-downloads.md
- text: Frequently asked questions about IEAK 11
url: ./ie11-faq/faq-ieak11.md
url: ./ie11-faq/faq-ieak11.yml
- text: Customization and distribution guidelines
url: ./ie11-ieak/licensing-version-and-features-ieak11.md#customization-guidelines
- linkListType: deploy
@ -147,7 +147,7 @@ landingContent:
- text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone
url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet
- text: Frequently asked questions about IEAK 11
url: ./ie11-faq/faq-ieak11.md
url: ./ie11-faq/faq-ieak11.yml
- text: Internet Explorer 8, 9, 10, 11 forum
url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver
- text: Contact a Microsoft support professional

View File

@ -518,8 +518,8 @@ When enabled or disabled exists on the client and admin moves the setting to not
More details:
- [Microsoft Defender AV diagnostic data](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
- [Collect investigation package from devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices)
- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.

View File

@ -69,7 +69,8 @@ Some important highlights:
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> **Note**  On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
> [!NOTE]
> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
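Review bot: the text moved into the new `[!NOTE]` block keeps two defects from the old line: "doesnt" is missing its apostrophe ("doesn't"), and "keep the metadata for the later revision of that update" should read "the latest revision", which is what the parenthetical "(the one with the highest revision number)" describes. Since the line is being rewritten anyway, fix both here.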

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/26/2017
ms.date: 04/22/2021
ms.reviewer:
manager: dansimp
---
@ -25,7 +25,11 @@ The following actions are supported:
- Layer 3 tagging using a differentiated services code point (DSCP) value
> [!NOTE]
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004.
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices:
> - Azure AD Hybrid joined devices.
> - Devices that use both GPO and CSP at the same time.
>
> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004.
The following shows the NetworkQoSPolicy configuration service provider in tree format.
```
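Review bot: the rewritten note still ends with "prior to Window 10, version 2004" (missing "s" in "Windows"); correct it to "prior to Windows 10, version 2004" while the block is being restructured. The split into a bulleted list of unsupported devices is otherwise an improvement.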

View File

@ -2314,7 +2314,7 @@ ADMX Info:
Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
> [!NOTE]
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
<!--/Description-->
<!--ADMXMapped-->

View File

@ -74,7 +74,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
The system settings require a reboot; the application settings do not require a reboot.
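Review bot: the replaced sentence keeps the pre-existing wording "For more information Exploit Protection, see ..." which is missing a word; since only the link target changes in this hunk, take the chance to write "For more information about Exploit Protection, see ...".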

View File

@ -26,7 +26,7 @@ ms.topic: article
## Full XML sample
>[!NOTE]
>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds).
>Updated for Windows 10, version 1903, 1909, and 2004.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -254,8 +254,8 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## [Preview] Global Profile Sample XML
Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
## Global Profile Sample XML
Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in
```xml
@ -393,8 +393,8 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
```
## [Preview] Folder Access sample xml
In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds).
## Folder Access sample xml
In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009 and later.
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
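Review bot: the version reference in the new line looks inconsistent with the rest of this file. The removed text said the feature "is available in Windows 10 Insider Preview (19H2, 20H1 builds)", and the other hunks in this file map those builds to "version 1903, 1909, and 2004" and to "Schema for Windows 10, version 1909 and later", yet this line now says "Windows 10 version 2009 and later". Confirm the intended release and use the same "Windows 10, version NNNN" form as the other edited lines. The heading "## Folder Access sample xml" also differs in capitalisation from "## Global Profile Sample XML" above; pick one style for both.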
@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
>[!NOTE]
>Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds).
>Updated for Windows 10, version 1903 and later.
Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
```xml
@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release
</xs:schema>
```
Schema for Windows 10 Insider Preview (19H2, 20H1 builds)
Schema for Windows 10, version 1909 and later
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema

View File

@ -26,6 +26,7 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |

View File

@ -17,6 +17,9 @@ ms.topic: article
# Manually Configuring Devices for Update Compliance
> [!NOTE]
> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
The requirements are separated into different categories:
@ -47,13 +50,14 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
| **System/AllowUpdateComplianceProcessing** | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
> [!NOTE]
> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp).
### Group Policies
### Group policies
All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
| Policy | Value | Function |
|---------------------------|-|-----------------------------------------------------------|
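Review bot: the new row `| **System/AllowUpdateComplianceProcessing** | 16 - Allowed | ...` is the only row in this table without a link to the policy's CSP documentation, although the intro above the table states "Each MDM Policy links to its documentation in the CSP hierarchy". Add the link in the same `**System/**[**AllowUpdateComplianceProcessing**](...)` form as the neighbouring rows, or note explicitly that the policy page is not yet published. The rename of the heading to "### Group policies" is applied to the heading and the sentence below it; check that the other occurrences in the file (the "### MDM policies" heading and any cross references) use the same casing.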
@ -61,6 +65,7 @@ All Group Policies that need to be configured for Update Compliance are under **
|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. |
|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
## Required endpoints

View File

@ -17,55 +17,43 @@ ms.topic: article
# Configuring devices through the Update Compliance Configuration Script
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
> [!NOTE]
> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider.
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
## How the script is organized
## Script FAQ
The script is organized into two folders **Pilot** and **Deployment**. Both folders have the same key files: `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the .bat itself, which will then execute `ConfigScript.ps1` with the parameters entered to RunConfig.bat.
- I manage my devices with MDM. Should I use this script?
No, you should not use this script. Instead configure the policies through your MDM provider.
- Does this script configure devices for Delivery Optimization?
No. You must do that separately.
- The **Pilot** folder and its contents are intended to be used on an initial set of single devices in specific environments (main office & satellite office, for example) for testing and troubleshooting prior to broader deployment. This script is configured to collect and output detailed logs for every device it runs on.
- The **Deployment** folder is intended to be deployed across an entire device population in a specific environment once devices in that environment have been validated with the Pilot script.
## How this script is organized
## How to use the script
This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode.
### Piloting and Troubleshooting
> [!IMPORTANT]
> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
> [!IMPORTANT]
> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](/sysinternals/downloads/psexec).
- In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration.
- In **Deployment** mode (`runMode=Deployment`), the script will run quietly.
When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
## How to use this script
1. Configure `logPath` to a path where the script will have write access and a place you can easily access. This specifies the output of the log files generated when the script is in Verbose mode.
2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
3. Run the script. The script must be run in System context.
4. Examine the Logs output for any issues. If there were issues:
- Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
- Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
- Make the necessary corrections and run the script again.
5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.
Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`):
1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`.
2. Set `commercialIDValue` to your Commercial ID.
3. Run the script.
4. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
5. If there are issues, gather the logs and provide them to Support.
### Broad deployment
After verifying on a set of devices in a specific environment that everything is configured correctly, you can proceed to broad deployment.
1. Configure `commercialIDValue` in `RunConfig.bat` to [your CommercialID](update-compliance-get-started.md#get-your-commercialid).
2. Use a management tool like Configuration Manager or Intune to broadly deploy the script to your entire target population.
## Script Error Reference
## Script errors
|Error |Description |
|-|-------------------|
|---------|---------|
| 27 | Not system account. |
| 37 | Unexpected exception when collecting logs|
| 1 | General unexpected error|
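Review bot: the IMPORTANT callout requires the script to run in the System context via the bundled PsExec, but the numbered procedure that follows only says `3. Run the script.`; state the invocation once (PsExec's `-s` switch is what supplies the System context) so readers do not run it from a merely elevated prompt and land on error 27, "Not system account". The same procedure calls the diagnostic setting "Verbose mode" in step 1 while the rest of the topic calls it Pilot mode; pick one term. And because the script runs as SYSTEM and writes its logs to `logPath`, the guidance "a path where the script will have write access and a place you can easily access" should steer readers away from directories that standard users can also write to.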
@ -75,15 +63,15 @@ After verifying on a set of devices in a specific environment that everything is
| 9 | Couldn't write CommercialID at registry key path|
| 53 | There are conflicting CommercialID values.|
| 11 | Unexpected result when setting up CommercialID.|
| 62 | AllowTelemetry registry key is not of the correct type `REG_DWORD`|
| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD|
| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.|
| 64 | AllowTelemetry is not of the correct type `REG_DWORD`.|
| 64 | AllowTelemetry is not of the correct type REG_DWORD.|
| 99 | Device is not Windows 10.|
| 40 | Unexpected exception when checking and setting telemetry.|
| 12 | CheckVortexConnectivity failed, check Log output for more information.|
| 12 | Unexpected failure when running CheckVortexConnectivity.|
| 66 | Failed to verify UTC connectivity and recent uploads.|
| 67 | Unexpected failure when verifying UTC CSP connectivity of the WMI Bridge.|
| 67 | Unexpected failure when verifying UTC CSP.|
| 41 | Unable to impersonate logged-on user.|
| 42 | Unexpected exception when attempting to impersonate logged-on user.|
| 43 | Unexpected exception when attempting to impersonate logged-on user.|
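Review bot: codes 42 and 43 both read "Unexpected exception when attempting to impersonate logged-on user.", so someone reading a log cannot tell which failure path they hit; give each its own description (which stage of the impersonation failed) or collapse them into one code. The reworded row for 67 also drops "of the WMI Bridge", which was the only hint about where the UTC CSP check runs; keep that phrase.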
@ -93,11 +81,11 @@ After verifying on a set of devices in a specific environment that everything is
| 45 | DiagTrack.dll not found.|
| 50 | DiagTrack service not running.|
| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
| 55 | Failed to create new registry path for `SetDeviceNameOptIn` of the PowerShell script.|
| 56 | Failed to create property for `SetDeviceNameOptIn` of the PowerShell script at registry path.|
| 57 | Failed to update value for `SetDeviceNameOptIn` of the PowerShell script.|
| 58 | Unexpected exception in `SetDeviceNameOptIn` of the PowerShell script.|
| 59 | Failed to delete `LastPersistedEventTimeOrFirstBoot` property at registry path when attempting to clean up OneSettings.|
| 55 | Failed to create new registry path for SetDeviceNameOptIn|
| 56 | Failed to create property for SetDeviceNameOptIn at registry path|
| 57 | Failed to update value for SetDeviceNameOptIn|
| 58 | Unexpected exception in SetrDeviceNameOptIn|
| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.|
| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
| 61 | Unexpected exception when attempting to clean up OneSettings.|
| 52 | Could not find Census.exe|
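Review bot: the rewritten row for code 58 introduces the typo `SetrDeviceNameOptIn` (the rows for 55 to 57 spell it `SetDeviceNameOptIn`), which matters because readers search this table for the exact function name that appears in the log. The new rows for 55 to 57 also end without a period while 59 to 61 keep theirs; make the table consistent.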
@ -105,3 +93,7 @@ After verifying on a set of devices in a specific environment that everything is
| 34 | Unexpected exception when attempting to check Proxy settings.|
| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
| 35 | Unexpected exception when checking User Proxy.|
| 91 | Failed to create new registry path for EnableAllowUCProcessing|
| 92 | Failed to create property for EnableAllowUCProcessing at registry path|
| 93 | Failed to update value for EnableAllowUCProcessing|
| 94 | Unexpected exception in EnableAllowUCProcessing|
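Review bot: the new rows 91 to 94 identify the failing setting only as `EnableAllowUCProcessing`, while the new IMPORTANT note in the get-started topic names the required policy "AllowUpdateComplianceProcessing"; a reader who hits code 91 has no way to connect the two, so add the policy name (or a link to the manual-configuration topic) to the description. These rows also lack the trailing period that the neighbouring rows for 30, 34 and 35 have.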

View File

@ -17,29 +17,32 @@ ms.topic: article
# Get started with Update Compliance
> [!IMPORTANT]
> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM.
This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
After adding the solution to Azure and configuring devices, it could take up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
## Update Compliance prerequisites
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
5. **Showing Device Names in Update Compliance**: For Windows 10 1803+, device names will not appear in Update Compliance unless you individually opt-in devices via policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
- **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
- **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
- **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
- **Showing Device Names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
## Add Update Compliance to your Azure subscription
Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this.
1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to login to your Azure subscription to access this.
2. Select **Get it now**.
3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
- [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance.
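Review bot: two grammar slips survive the rewrite: "The steps to accomplish this is outlined" in the Showing Device Names bullet should read "are outlined", and "You might need to login to your Azure subscription" should use the verb form "log in". The new IMPORTANT note also sets a hard cutoff ("prior to May 10, 2021") without saying what a reader who skips the extra policy will see; one clause spelling out the consequence would save a support ticket.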
@ -81,7 +84,7 @@ Update Compliance is offered as an Azure Marketplace application which is linked
### Get your CommercialID
A CommercialID is a globally-unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
A CommercialID is a globally unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment.
To find your CommercialID within Azure:
@ -94,20 +97,16 @@ To find your CommercialID within Azure:
## Enroll devices in Update Compliance
Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance. After you configure devices, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance:
> [!NOTE]
> If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices in Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance.
- If you use Group Policy to manage device policies, use the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
- If you manage devices through MDM providers like Intune, [manually configure device for Update Compliance](update-compliance-configuration-manual.md).
### Configure devices using the Update Compliance Configuration Script
After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
The recommended way to configure devices to send data to Update Compliance is using the [Update Compliance Configuration Script](update-compliance-configuration-script.md). The script configures required policies via Group Policy. The script comes with two versions:
### Update Compliance and Desktop Analytics
- Pilot is more verbose and is intended to be use on an initial set of devices and for troubleshooting.
- Deployment is intended to be deployed across the entire device population you want to monitor with Update Compliance.
If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), you must use the same Log Analytics workspace for both solutions.
To download the script and learn what you need to configure and how to troubleshoot errors, see [Configuring Devices using the Update Compliance Configuration Script](update-compliance-configuration-script.md).
### Configure devices manually
It is possible to manually configure devices to send data to Update Compliance, but the recommended method of configuration is to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md). To learn more about configuring devices manually, see [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
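Review bot: the rewritten Desktop Analytics paragraph drops two things the old NOTE carried: the link to "Enroll devices in Desktop Analytics" and the statement that the Commercial ID, not just the workspace, must match across both solutions; restore at least the link. The old lead-in sentence that the solution "will indicate it is still assessing devices" is removed without replacement, so readers no longer know what the portal shows during the waiting period. And in the new timing paragraph, "Device connectivity to the internet and generally how active the device is highly influences how long it will take" does not parse; try "Internet connectivity and how active the device is largely determine how long it takes".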

View File

@ -172,6 +172,7 @@ You can now see these computers in the **Ring 3 Broad IT** computer group.
<span id="wsus-gp"/>
## Use Group Policy to populate deployment rings
The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.

View File

@ -399,7 +399,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
## Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|

View File

@ -57,7 +57,7 @@ To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card C
## Debugging and tracing using WPP
WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](/archive/blogs/ndis/diagnostics-with-wpp).
### Enable the trace

View File

@ -7,26 +7,26 @@
- name: Overview of BitLocker Device Encryption in Windows 10
href: bitlocker\bitlocker-device-encryption-overview-windows-10.md
- name: BitLocker frequently asked questions (FAQ)
href: bitlocker\bitlocker-frequently-asked-questions.md
href: bitlocker\bitlocker-frequently-asked-questions.yml
items:
- name: Overview and requirements
href: bitlocker\bitlocker-overview-and-requirements-faq.yml
- name: Upgrading
href: bitlocker\bitlocker-upgrading-faq.md
href: bitlocker\bitlocker-upgrading-faq.yml
- name: Deployment and administration
href: bitlocker\bitlocker-deployment-and-administration-faq.yml
- name: Key management
href: bitlocker\bitlocker-key-management-faq.md
href: bitlocker\bitlocker-key-management-faq.yml
- name: BitLocker To Go
href: bitlocker\bitlocker-to-go-faq.yml
- name: Active Directory Domain Services
href: bitlocker\bitlocker-and-adds-faq.yml
- name: Security
href: bitlocker\bitlocker-security-faq.md
href: bitlocker\bitlocker-security-faq.yml
- name: BitLocker Network Unlock
href: bitlocker\bitlocker-network-unlock-faq.md
href: bitlocker\bitlocker-network-unlock-faq.yml
- name: General
href: bitlocker\bitlocker-using-with-other-programs-faq.md
href: bitlocker\bitlocker-using-with-other-programs-faq.yml
- name: "Prepare your organization for BitLocker: Planning and policies"
href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md
- name: BitLocker basic deployment

View File

@ -1,48 +0,0 @@
---
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker frequently asked questions (FAQ) resources
**Applies to**
- Windows 10
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.md)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- [Key management](bitlocker-key-management-faq.md)
- [BitLocker To Go](bitlocker-to-go-faq.yml)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
- [Security](bitlocker-security-faq.md)
- [BitLocker Network Unlock](bitlocker-network-unlock-faq.md)
- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.md)
## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)

View File

@ -0,0 +1,53 @@
### YamlMime:FAQ
metadata:
title: BitLocker FAQ (Windows 10)
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ) resources
summary: |
**Applies to**
- Windows 10
This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
- [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
- [Upgrading](bitlocker-upgrading-faq.yml)
- [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
- [Key management](bitlocker-key-management-faq.yml)
- [BitLocker To Go](bitlocker-to-go-faq.yml)
- [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
- [Security](bitlocker-security-faq.yml)
- [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
- [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
sections:
- name: Ignored
questions:
- question: |
More information
answer: |
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
- [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
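Review bot: `ms.date: 02/28/2019` is carried over unchanged into a file whose content and format are reworked in this commit; bump it so the published page does not advertise a two-year-old review date. Also confirm that `ms.topic: conceptual` is the value the YamlMime:FAQ template expects, since the rest of the metadata block was copied verbatim from the retired .md file.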

View File

@ -211,7 +211,7 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
> [!IMPORANT]
> [!IMPORTANT]
> Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
### <a href="" id="bkmk-unlockpol3"></a>Configure minimum PIN length for startup
@ -1341,6 +1341,6 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [BitLocker overview](bitlocker-overview.md)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

View File

@ -106,6 +106,6 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## More information
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

View File

@ -387,5 +387,5 @@ Follow these steps to configure Network Unlock on these older systems.
## See also
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

View File

@ -1,124 +0,0 @@
---
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker Key Management FAQ
**Applies to**
- Windows 10
## How can I authenticate or unlock my removable data drive?
You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:
<code>Manage-bde -protectors -add e: -sid <i>domain\username</i></code>
## What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
## How can the recovery password and recovery key be stored?
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
## Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:
<code>manage-bde protectors delete %systemdrive% -type tpm</code>
<code>manage-bde protectors add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
## When should an additional method of authentication be considered?
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, its recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
## If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
> [!IMPORTANT]
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
## Can the USB flash drive that is used as the startup key also be used to store the recovery key?
While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
## Can I save the startup key on multiple USB flash drives?
Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
## Can I save multiple (different) startup keys on the same USB flash drive?
Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
## Can I generate multiple (different) startup keys for the same computer?
You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
## Can I generate multiple PIN combinations?
You cannot generate multiple PIN combinations.
## What encryption keys are used in BitLocker? How do they work together?
Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
## Where are the encryption keys stored?
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
## Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
## How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
## How can I determine the manufacturer of my TPM?
You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
## How can I evaluate a TPM's dictionary attack mitigation mechanism?
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?
## Can PIN length and complexity be managed with Group Policy?
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).


@ -0,0 +1,121 @@
### YamlMime:FAQ
metadata:
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker Key Management FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: How can I authenticate or unlock my removable data drive?
answer: |
You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:
<code>Manage-bde -protectors -add e: -sid <i>domain\username</i></code>
- question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
answer: |
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
- question: How can the recovery password and recovery key be stored?
answer: |
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
- question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
answer: |
You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:
<code>manage-bde protectors delete %systemdrive% -type tpm</code>
<code>manage-bde protectors add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
- question: When should an additional method of authentication be considered?
answer: |
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, its recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
- question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
answer: |
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
> [!IMPORTANT]
> Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
- question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
- question: Can I save the startup key on multiple USB flash drives?
answer: Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
- question: Can I save multiple (different) startup keys on the same USB flash drive?
answer: Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
- question: Can I generate multiple (different) startup keys for the same computer?
answer: You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
- question: Can I generate multiple PIN combinations?
answer: You cannot generate multiple PIN combinations.
- question: What encryption keys are used in BitLocker? How do they work together?
answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
- question: Where are the encryption keys stored?
answer: |
The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
- question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
answer: |
The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
- question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
answer: |
It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
- question: How can I determine the manufacturer of my TPM?
answer: You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
- question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
answer: |
The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
- How many failed authorization attempts can occur before lockout?
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?
- question: Can PIN length and complexity be managed with Group Policy?
answer: |
Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
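Review bot: The two manage-bde commands in the "Is it possible to add an additional method of authentication" answer drop the hyphens on the `protectors` and `delete`/`add` switches (`manage-bde protectors delete %systemdrive% -type tpm` and `manage-bde protectors add %systemdrive% -tpmandpin ...`), which does not match the form used a few lines earlier for the SID protector (`Manage-bde -protectors -add e: -sid domain\username`); they should read `manage-bde -protectors -delete %systemdrive% -type tpm` and `manage-bde -protectors -add %systemdrive% -tpmandpin <PIN>`, otherwise a reader copying them gets a syntax error. While this text is being carried over, also fix "New hardware ... make a PIN less critical" (makes) and "its recommended" (it's) in the "When should an additional method of authentication be considered?" answer, and check whether `ms.topic: conceptual` is still the intended value now that the file is a YamlMime:FAQ rather than a conceptual article.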


@ -101,7 +101,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
## Related Articles
[BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
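Review bot: Pointing this link at `bitlocker-frequently-asked-questions.yml` fixes the in-repo reference, but nothing in this change adds a redirect from the old `bitlocker-frequently-asked-questions.md` URL, and the same applies to the four FAQ sub-pages whose `.md` files are deleted elsewhere in this commit (key management, network unlock, security, upgrading). Please confirm a redirection entry exists for each removed `.md` path so bookmarked and externally linked URLs keep resolving instead of returning a 404.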


@ -1,36 +0,0 @@
---
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
---
# BitLocker Network Unlock FAQ
**Applies to**
- Windows 10
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).


@ -0,0 +1,40 @@
### YamlMime:FAQ
metadata:
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
BitLocker Network Unlock FAQ
answer: |
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it.
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
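Review bot: The single entry in this FAQ uses the page title "BitLocker Network Unlock FAQ" as its `question:` value, so the rendered page will show a heading that is not a question; rephrase it as one, for example "What is BitLocker Network Unlock and when does it unlock the drive?". The answer also carries over two defects from the deleted .md: the typo "if it can ot be connected to the network" (cannot), and a hard line break in the middle of the sentence "If the PIN is / not available" that should be joined into one line. Minor: "Windows Deployment services" in the requirements sentence is capitalized differently from "Windows Deployment Services server" two sentences earlier.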


@ -85,7 +85,7 @@ When installing the BitLocker optional component on a server you will also need
| Topic | Description |
| - | - |
| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. |
| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.|


@ -1,44 +0,0 @@
---
title: BitLocker Security FAQ (Windows 10)
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# BitLocker Security FAQ
**Applies to**
- Windows 10
## What form of encryption does BitLocker use? Is it configurable?
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
## What is the best practice for using BitLocker on an operating system drive?
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
## What are the implications of using the sleep or hibernate power management options?
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
## What are the advantages of a TPM?
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.


@ -0,0 +1,53 @@
### YamlMime:FAQ
metadata:
title: BitLocker Security FAQ (Windows 10)
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
What form of encryption does BitLocker use? Is it configurable?
answer: |
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
- question: |
What is the best practice for using BitLocker on an operating system drive?
answer: |
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
- question: |
What are the implications of using the sleep or hibernate power management options?
answer: |
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
- question: |
What are the advantages of a TPM?
answer: |
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
> [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
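Review bot: The first answer ("BitLocker uses Advanced Encryption Standard (AES) ... The default encryption setting is AES-128") describes the cipher only by key length and never names the mode, while a context line in another file touched by this commit shows `-EncryptionMethod XtsAes256`; since XTS-AES has been available on Windows 10 since version 1511 and is what that parameter selects, the answer should say which mode (AES-CBC versus XTS-AES) the default and the Group Policy options refer to, or this FAQ will read as contradicting the deployment page. Two smaller points: `ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee` here is the same value used in the key management FAQ metadata earlier in this commit, so if the assetid is meant to identify a page uniquely one of them needs changing; and "configured to use an another startup authentication factor" in the sleep/hibernate answer should read "another".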


@ -1,48 +0,0 @@
---
title: BitLocker Upgrading FAQ (Windows 10)
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
---
# BitLocker Upgrading FAQ
**Applies to**
- Windows 10
## Can I upgrade to Windows 10 with BitLocker enabled?
Yes.
## What is the difference between suspending and decrypting BitLocker?
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
## Do I have to suspend BitLocker protection to download and install system updates and upgrades?
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users dont have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they dont want to suspend BitLocker protection.
- Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
- You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported).
> [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.


@ -0,0 +1,55 @@
### YamlMime:FAQ
metadata:
title: BitLocker Upgrading FAQ (Windows 10)
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.reviewer:
ms.custom: bitlocker
title: BitLocker Upgrading FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
Can I upgrade to Windows 10 with BitLocker enabled?
answer: |
Yes.
- question: |
What is the difference between suspending and decrypting BitLocker?
answer: |
**Decrypt** completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
- question: |
Do I have to suspend BitLocker protection to download and install system updates and upgrades?
answer: |
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users dont have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they dont want to suspend BitLocker protection.
- Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
- You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported).
> [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
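Review bot: the last bullet of the "Do I have to suspend BitLocker protection" answer ("You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: ...") is not a category of update that requires suspending BitLocker, yet it sits in that list; make it a separate sentence after the list and put the command in inline code, `manage-bde -protectors -get C:`, so the rendered Markdown does not read the switches and drive letter as prose. In the same answer, "We recommend users testing their TPM firmware updates" reads better as "We recommend that users test their TPM firmware updates".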

View File

@ -332,7 +332,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
## More information
- [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
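Review bot: changing the "BitLocker frequently asked questions (FAQ)" link target from `.md` to `.yml` presumes `bitlocker-frequently-asked-questions.yml` is added in this same commit; confirm that it is and that no other page still links to the `.md` path, since a link to a deleted file fails the docs build.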

View File

@ -58,7 +58,7 @@ By completing the procedures in this scenario, you have viewed and copied the re
## More information
- [BitLocker Overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
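Review bot: style point: this "More information" list uses "BitLocker Overview" for the first link while the equivalent list in the preceding file uses "BitLocker overview" for the same target; pick one casing for the link text across the pages touched here.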

View File

@ -1,105 +0,0 @@
---
title: Using BitLocker with other programs FAQ (Windows 10)
description: Learn how to integrate BitLocker with other software on your device.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
---
# Using BitLocker with other programs FAQ
**Applies to**
- Windows 10
## Can I use EFS with BitLocker?
Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
## Can I run a kernel debugger with BitLocker?
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
## How does BitLocker handle memory dumps?
BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
## Can BitLocker support smart cards for pre-boot authentication?
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
## Can I use a non-Microsoft TPM driver?
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
## Can other tools that manage or modify the master boot record work with BitLocker?
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
## Why is the system check failing when I am encrypting my operating system drive?
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS or UEFI firmware only supports using the function keys (F1F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.
## What can I do if the recovery key on my USB flash drive cannot be read?
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
## Why am I unable to save my recovery key to my USB flash drive?
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
## Why am I unable to automatically unlock my drive?
Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
## Can I use BitLocker in Safe Mode?
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
## How do I "lock" a data drive?
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the lock command.
> [!NOTE]
> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
The syntax of this command is:
<code>manage-bde <i>driveletter</i> -lock</code>
Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
## Can I use BitLocker with the Volume Shadow Copy Service?
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
## Does BitLocker support virtual hard disks (VHDs)?
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it is supported.
- Without TPM: Yes, it is supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
## Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
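Review bot: removing the "Using BitLocker with other programs FAQ" Markdown page needs a matching redirect entry to the new .yml page so inbound links keep working; the `ms.assetid` from the front matter is carried into the YAML metadata, which is the right thing to keep, and the body text of the two copies is identical as shown, so the move itself is clean.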

View File

@ -0,0 +1,124 @@
### YamlMime:FAQ
metadata:
title: Using BitLocker with other programs FAQ (Windows 10)
description: Learn how to integrate BitLocker with other software on your device.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.custom: bitlocker
title: Using BitLocker with other programs FAQ
summary: |
**Applies to**
- Windows 10
sections:
- name: Ignored
questions:
- question: |
Can I use EFS with BitLocker?
answer: |
Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
- question: |
Can I run a kernel debugger with BitLocker?
answer: |
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
- question: |
How does BitLocker handle memory dumps?
answer: |
BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
- question: |
Can BitLocker support smart cards for pre-boot authentication?
answer: |
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
- question: |
Can I use a non-Microsoft TPM driver?
answer: |
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
- question: |
Can other tools that manage or modify the master boot record work with BitLocker?
answer: |
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
- question: |
Why is the system check failing when I am encrypting my operating system drive?
answer: |
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS or UEFI firmware only supports using the function keys (F1F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.
- question: |
What can I do if the recovery key on my USB flash drive cannot be read?
answer: |
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
- question: |
Why am I unable to save my recovery key to my USB flash drive?
answer: |
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
- question: |
Why am I unable to automatically unlock my drive?
answer: |
Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
- question: |
Can I use BitLocker in Safe Mode?
answer: |
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
- question: |
How do I "lock" a data drive?
answer: |
Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the lock command.
> [!NOTE]
> Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
The syntax of this command is:
<code>manage-bde <i>driveletter</i> -lock</code>
Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
- question: |
Can I use BitLocker with the Volume Shadow Copy Service?
answer: |
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
- question: |
Does BitLocker support virtual hard disks (VHDs)?
answer: |
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it is supported.
- Without TPM: Yes, it is supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
- question: |
Can I use BitLocker with virtual machines (VMs)?
answer: |
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
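Review bot: the answer to "How do I "lock" a data drive?" keeps raw HTML (`<code>manage-bde <i>driveletter</i> -lock</code>`) inside a YAML block scalar; FAQ answers are Markdown, so write it as `manage-bde <driveletter> -lock` in backticks instead. While the text is being re-flowed, also fix "uEFI firmware" to "UEFI firmware" and the lost dash in "function keys (F1F10)" (it should read F1-F10) in the system-check answer.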

View File

@ -196,7 +196,7 @@ However, you cannot use recovery passwords generated on a system in FIPS mode fo
- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [BitLocker](bitlocker-overview.md)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker basic deployment](bitlocker-basic-deployment.md)

View File

@ -324,7 +324,7 @@
- name: Planning and deploying advanced security audit policies
href: auditing/planning-and-deploying-advanced-security-audit-policies.md
- name: Advanced security auditing FAQ
href: auditing/advanced-security-auditing-faq.md
href: auditing/advanced-security-auditing-faq.yml
items:
- name: Which editions of Windows support advanced audit policy configuration
href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md

View File

@ -1,195 +0,0 @@
---
title: Advanced security auditing FAQ (Windows 10)
description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.technology: mde
---
# Advanced security auditing FAQ
**Applies to**
- Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is Windows security auditing and why might I want to use it?](#bkmk-1)
- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2)
- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3)
- [How are audit settings merged by Group Policy?](#bkmk-4)
- [What is the difference between an object DACL and an object SACL?](#bkmk-14)
- [Why are audit policies applied on a per-computer basis rather than per user?](#bkmk-13)
- [What are the differences in auditing functionality between versions of Windows?](#bkmk-12)
- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#bkmk-15)
- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#bkmk-5)
- [How can I set an audit policy that affects all objects on a computer?](#bkmk-6)
- [How do I figure out why someone was able to access a resource?](#bkmk-7)
- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#bkmk-8)
- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#bkmk-19)
- [How can I monitor if changes are made to audit policy settings?](#bkmk-10)
- [How can I minimize the number of events that are generated?](#bkmk-16)
- [What are the best tools to model and manage audit policy?](#bkmk-17)
- [Where can I find information about all the possible events that I might receive?](#bkmk-11)
- [Where can I find more detailed information?](#bkmk-18)
## <a href="" id="bkmk-1"></a>What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
## <a href="" id="bkmk-2"></a>What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are a number of additional differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logonrelated behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later.
## <a href="" id="bkmk-3"></a>What is the interaction between basic audit policy settings and advanced audit policy settings?
Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.
> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
 
## <a href="" id="bkmk-4"></a>How are audit settings merged by Group Policy?
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
| Logon Auditing | Failure | Success | Failure |
## <a href="" id="bkmk-14"></a>What is the difference between an object DACL and an object SACL?
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
## <a href="" id="bkmk-13"></a>Why are audit policies applied on a per-computer basis rather than per user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
## <a href="" id="bkmk-12"></a>What are the differences in auditing functionality between versions of Windows?
Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings.
## <a href="" id="bkmk-15"></a>Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.
## <a href="" id="bkmk-5"></a>What is the difference between success and failure events? Is something wrong if I get a failure audit?
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password.
## <a href="" id="bkmk-6"></a>How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
## <a href="" id="bkmk-7"></a>How do I figure out why someone was able to access a resource?
Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
## <a href="" id="bkmk-8"></a>How do I know when changes are made to access control settings, by whom, and what the changes were?
To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory.
## <a href="" id="bkmk-19"></a>How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
## <a href="" id="bkmk-10"></a>How can I monitor if changes are made to audit policy settings?
Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
- Permissions and audit settings on the audit policy object are changed
- The system audit policy is changed
- Security event sources are registered or unregistered
- Per-user audit settings are changed
- The value of **CrashOnAuditFail** is modified
- Audit settings on a file or registry key are changed
- A Special Groups list is changed
## <a href="" id="bkmk-16"></a>How can I minimize the number of events that are generated?
Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
## <a href="" id="bkmk-17"></a>What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policyrelated management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
## <a href="" id="bkmk-11"></a>Where can I find information about all the possible events that I might receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
- [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
## <a href="" id="bkmk-18"></a>Where can I find more detailed information?
To learn more about security audit policies, see the following resources:
- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868)
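Review bot: the headings in this file carry hand-written fragment ids such as `<a href="" id="bkmk-14"></a>` and `id="bkmk-19"`, while the YAML FAQ that takes over this content addresses each question by slug (for example `#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-`), so any inbound link that targets a `#bkmk-` fragment will land at the top of the page after this change. If this file is being retired in favour of the YAML version, add a redirect for it and check the docset for `bkmk-` references to this topic before merging.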
 
 

View File

@ -0,0 +1,215 @@
### YamlMime:FAQ
metadata:
title: Advanced security auditing FAQ (Windows 10)
description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: none
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.technology: mde
title: Advanced security auditing FAQ
summary: |
**Applies to**
- Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-)
- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-)
- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
- [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-)
- [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-)
- [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-)
- [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-)
- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-)
- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-)
- [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-)
- [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-)
- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-)
- [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-)
- [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-)
- [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-)
- [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-)
- [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-)
sections:
- name: Ignored
questions:
- question: |
What is Windows security auditing and why might I want to use it?
answer: |
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
- question: |
What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
answer: |
The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are a number of additional differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logonrelated behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later.
- question: |
What is the interaction between basic audit policy settings and advanced audit policy settings?
answer: |
Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.
> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
 
- question: |
How are audit settings merged by Group Policy?
answer: |
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
| Logon Auditing | Failure | Success | Failure |
- question: |
What is the difference between an object DACL and an object SACL?
answer: |
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
- question: |
Why are audit policies applied on a per-computer basis rather than per user?
answer: |
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
- question: |
What are the differences in auditing functionality between versions of Windows?
answer: |
Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings.
- question: |
Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
answer: |
To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.
- question: |
What is the difference between success and failure events? Is something wrong if I get a failure audit?
answer: |
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password.
- question: |
How can I set an audit policy that affects all objects on a computer?
answer: |
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
- question: |
How do I figure out why someone was able to access a resource?
answer: |
Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
- question: |
How do I know when changes are made to access control settings, by whom, and what the changes were?
answer: |
To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory.
- question: |
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
answer: |
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
- question: |
How can I monitor if changes are made to audit policy settings?
answer: |
Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
- Permissions and audit settings on the audit policy object are changed
- The system audit policy is changed
- Security event sources are registered or unregistered
- Per-user audit settings are changed
- The value of **CrashOnAuditFail** is modified
- Audit settings on a file or registry key are changed
- A Special Groups list is changed
- question: |
How can I minimize the number of events that are generated?
answer: |
Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
- question: |
What are the best tools to model and manage audit policies?
answer: |
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policyrelated management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
- question: |
Where can I find information about all the possible events that I might receive?
answer: |
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
- [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- question: |
Where can I find more detailed information?
answer: |
To learn more about security audit policies, see the following resources:
- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868)
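Review bot: the "Security Monitoring and Attack Detection Planning Guide" link in the "Where can I find more detailed information?" answer does not match its target, which is the TechNet wiki article on advanced security auditing in Windows 7 and Windows Server 2008 R2; either retitle the link or point it at the planning guide. The last two links in that answer also duplicate entries already given in the previous answer, and the Vista/Server 2008 link appears twice with different casing of the query parameter (`linkid=121868` vs `LinkId=121868`). Minor: in the "best tools" answer, "audit policyrelated" is missing its hyphen ("audit policy-related").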

View File

@ -21,7 +21,7 @@ ms.technology: mde
# Advanced security audit policies
**Applies to**
- Windows 10
- Windows 10
Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
@ -31,6 +31,6 @@ When you apply basic audit policy settings to the local computer by using the Lo
| Topic | Description |
| - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
| [Advanced security auditing FAQ](advanced-security-auditing-faq.md) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Advanced security auditing FAQ](./advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
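Review bot: the rewritten FAQ row still lacks the closing `|` that the first table row has (the two rows below it have the same problem); since the line is being touched, close the cell. The new `./` prefix on the `.yml` link is also a different style from the bare relative paths used in the other rows of this table; pick one convention.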

View File

@ -34,7 +34,7 @@ Security auditing is one of the most powerful tools that you can use to maintain
| Topic | Description |
| - | - |
|[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. |
|[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. |
|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. |
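Review bot: the only change in this row is the `./` prefix on the relative link, which resolves identically and now differs in style from the `basic-security-audit-policies.md` link in the row above; either apply the prefix consistently across the table or drop the change as a no-op.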

View File

@ -44,7 +44,7 @@ We've seen macro malware download threats from the following families:
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
* Enterprises can prevent macro malware from running executable content using [ASR rules](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
* Enterprises can prevent macro malware from running executable content using [ASR rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
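Review bot: the rewritten ASR bullet ends without a period while the sibling bullet above it has one; add the period since the line is being changed anyway.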

View File

@ -58,4 +58,4 @@ For more information about the Safety Scanner, see the support article on [how t
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
- [Microsoft antimalware and threat protection solutions](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)

View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 10/17/2017
ms.date: 05/06/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -18,26 +18,25 @@ ms.technology: mde
# Configure Microsoft Defender Application Guard policy settings
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
Application Guard uses both network isolation and application-specific settings.
## Network isolation settings
These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
> [!NOTE]
> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. <p>**NOTE**: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. <p>**NOTE**: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
## Network isolation settings wildcards
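Review bot: the two rewritten rows use an unclosed `<p>` to break the cell, while the untouched "Private network ranges for apps" row in the same table uses no HTML at all; use one line-break convention per table so the rendering is uniform. The "Private network ranges for apps" description also carries a stray comma ("Included endpoints or endpoints that are included within a specified IP address range, are rendered") and should be cleaned up in the same pass.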
@ -53,13 +52,15 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>-Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<br/><br/>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>-Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. <p>**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.<p>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<br><br>**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<p>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.|
|Allow extensions in the container|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use extensions.|**Enabled.** Favorites are able to sync from the host browser to the container. Note that this doesnt work the other way around. The favorites sync to the users work profile by default.<p>**Disabled.** Users are not able to access their favorites from within the Application Guard container.|
|Allow favorites sync|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher|Determines whether favorites can be accessible from Application Guard container.|**Enabled.** Favorites are able to sync from the host browser to the container, but it doesnt work the other way around. The favorites sync to the users work profile by default.<p>**Disabled.** Users are not able to access their favorites from within the Application Guard container.
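Review bot: the new "Allow extensions in the container" row has Enabled/Disabled text copied from the "Allow favorites sync" row (it describes favorites syncing from the host browser, not extensions), so the options column does not match the policy it documents; rewrite it to state what happens to extensions in the container when the policy is on or off. The sentence added to "Allow files to download to host operating system" ("This action creates a share between the host and container that also allows for uploads from the host") is a security-relevant consequence of enabling the policy and should carry the same **Important** marker the clipboard, graphics and camera rows use. Minor: the last row lacks the closing `|`, the clipboard row still has "-Disable" without a space after the hyphen, and as rendered here "wont", "doesnt" and "users work profile" are missing their apostrophes.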

View File

@ -106,7 +106,7 @@ Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to impr
For more information, see [Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) and [Windows Defender Overview for Windows Server](/windows-server/security/windows-defender/windows-defender-overview-windows-server).
For information about Microsoft Defender for Endpoint, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation).
For information about Microsoft Defender for Endpoint, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (documentation).
### Data Execution Prevention
@ -451,7 +451,7 @@ Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineer
- [Security and Assurance in Windows Server 2016](/windows-server/security/security-and-assurance)
- [Microsoft Defender for Endpoint - resources](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
- [Microsoft Microsoft Defender for Endpoint - documentation](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
- [Microsoft Microsoft Defender for Endpoint - documentation](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
- [Exchange Online Advanced Threat Protection Service Description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)
- [Microsoft Defender for Office 365](https://products.office.com/en-us/exchange/online-email-threat-protection)
- [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx)
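Review bot: the rewritten link text still reads "Microsoft Microsoft Defender for Endpoint - documentation"; drop the duplicated word while this line is being changed.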

View File

@ -68,6 +68,9 @@ The steps to use Intune's custom OMA-URI functionality are:
> [!div class="mx-imgBorder"]
> ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png)
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
### Remove WDAC policies on Windows 10 1903+
Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable WDAC enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot.
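Review bot: the new note tells readers not to include the curly brackets in the _Policy GUID_ value but gives no example of the expected form; a sample value in the expected format next to the note would remove the ambiguity. In the paragraph below, the `AllowAll.xml` path (`%windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml`) and the `"Allow *"` rule are inline in prose; formatting the path as code would keep the backslashes from being mangled by the markdown engine.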

View File

@ -67,7 +67,7 @@ Each time that a process is blocked by WDAC, events will be written to either th
Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy

windows/sv/TOC.yml Normal file
View File

@ -0,0 +1,2 @@
- name: Index
href: index.md

View File

@ -0,0 +1,3 @@
- name: Docs
tocHref: /
topicHref: /

windows/sv/docfx.json Normal file
View File

@ -0,0 +1,51 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"**/docfx.json",
"_repo.en-us/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices.md"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"**/docfx.json",
"_repo.en-us/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/sv/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None"
},
"fileMetadata": {},
"template": [],
"dest": "SV",
"markdownEngineName": "markdig"
}
}
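Review bot: `"template": []` leaves the new SV docset without a page template and `"feedback_system": "None"` disables feedback; both should be confirmed as intentional for this scaffold, otherwise set them to the values the sibling docsets use. `breadcrumb_path` references `/windows/sv/breadcrumb/toc.json`, so the breadcrumb TOC added in this commit must live at `windows/sv/breadcrumb/toc.yml` for DocFX to generate that file; the rendered diff here does not show that file's path, so please verify it.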

windows/sv/index.md Normal file
View File

@ -0,0 +1 @@
# Welcome to SV!
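Review bot: `# Welcome to SV!` is placeholder content with no YAML metadata header (title, description, ms.* fields) unlike the other topics touched in this commit; fine for a scaffold, but it should either get a metadata block or be kept out of the published build until real content lands.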

View File

@ -74,7 +74,7 @@ But these protections can also be configured separately. And, unlike HVCI, code
Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on:
- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
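Review bot: only the cloud-delivered protection link moved to `/microsoft-365/security/defender-endpoint/`; the two context lines that follow still reference `/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10` and `.../deploy-microsoft-defender-antivirus`, the same documentation set under its old path, and a later hunk in this commit already uses `/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10` for that page, so update them in the same pass. While the line is open, `Windows Defender is now called Microsoft Defender Antivirus and now shares` repeats `now`; drop the second one.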


@ -95,7 +95,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is
### Window Defender Exploit Guard
Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection), [Attack surface reduction protection](/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction), [Controlled folder access](/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access), and [Network protection](/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).
Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection).
### Windows Defender Device Guard
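Review bot: the heading and the rewritten line both still read `Window Defender Exploit Guard` (missing the `s`), and `Enhanced Mitigation Experience Toolkit (EMET) toolkit` repeats `toolkit`; since the line is being edited for the link move anyway, fix both: `Windows Defender Exploit Guard provides intrusion prevention capabilities ... that were available in the Enhanced Mitigation Experience Toolkit (EMET), a deprecated security download.`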


@ -78,14 +78,13 @@ For more information, see [Windows 10 Subscription Activation](/windows/deployme
The following new DISM commands have been added to manage feature updates:
DISM /Online /Initiate-OSUninstall
Initiates a OS uninstall to take the computer back to the previous installation of windows.
DISM /Online /Remove-OSUninstall
Removes the OS uninstall capability from the computer.
DISM /Online /Get-OSUninstallWindow
Displays the number of days after upgrade during which uninstall can be performed.
DISM /Online /Set-OSUninstallWindow
Sets the number of days after upgrade during which uninstall can be performed.
| Command | Description |
|---|---|
| `DISM /Online /Initiate-OSUninstall` | Initiates a OS uninstall to take the computer back to the previous installation of windows. |
| `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. |
| `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. |
| `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. |
For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
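Review bot: the table conversion carried the old list's grammar errors over unchanged: `Initiates a OS uninstall to take the computer back to the previous installation of windows.` should read `Initiates an OS uninstall to take the computer back to the previous installation of Windows.` Otherwise the table is an improvement, since each command now sits in inline code and can be copied cleanly.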
@ -99,20 +98,19 @@ Prerequisites:
For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option:
/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]
`/PostRollback<location> [\setuprollback.cmd] [/postrollback {system / admin}]`
For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21)
New command-line switches are also available to control BitLocker:
Setup.exe /BitLocker AlwaysSuspend
Always suspend bitlocker during upgrade.
Setup.exe /BitLocker TryKeepActive
Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade.
Setup.exe /BitLocker ForceKeepActive
Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade.
| Command | Description |
|---|---|
| `Setup.exe /BitLocker AlwaysSuspend` | Always suspend BitLocker during upgrade. |
| `Setup.exe /BitLocker TryKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. |
| `Setup.exe /BitLocker ForceKeepActive` | Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. |
For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33)
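Review bot: the PostRollback syntax keeps the missing space between the switch and its argument, `/PostRollback<location>`; the Windows Setup command-line reference separates them (`/PostRollback <location> [\setuprollback.cmd] [/postrollback {system / admin}]`), so the inline-code change should fix the spacing as well. The backticks themselves are the right fix, because an unfenced `<location>` is otherwise parsed as an HTML tag and dropped from the rendered page. The BitLocker table correctly fixes the `bitlocker` casing and the stray comma in `but if upgrade, does not work`.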
@ -144,7 +142,7 @@ The OS uninstall period is a length of time that users are given when they can o
### Windows Hello for Business
[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#windows-10-kiosk-and-kiosk-browser) section.
[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#windows-10-kiosk-and-kiosk-browser) section.
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
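Review bot: the first bullet in this hunk sources a product claim (`Windows Hello is now password-less on S-mode`) from a third-party news site, windowslatest.com; while the heading link is being repointed to `hello-overview`, point this bullet at the corresponding Microsoft documentation too, and name the standard consistently as `FIDO2` (the FIDO Alliance's spelling) rather than `FIDO 2.0`.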
@ -173,27 +171,27 @@ The new [security baseline for Windows 10 version 1803](/windows/security/threat
### Microsoft Defender Antivirus
Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
### Windows Defender Exploit Guard
Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
For more information, see [Reduce attack surfaces](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction)
For more information, see [Reduce attack surfaces](/microsoft-365/security/defender-endpoint/attack-surface-reduction).
### Microsoft Defender for Endpoint
[Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-hunting-query-language) has been enhanced with many new capabilities. For more information, see the following topics:
- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language)
- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations)
- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access)
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97).
### Windows Defender Application Guard
Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements)
Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements).
### Windows Defender Device Guard
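Review bot: the heading link `[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-hunting-query-language)` now lands on the advanced hunting query language page, which is the same target as the first bullet beneath it (`/microsoft-365/security/defender/advanced-hunting-query-language`, under a slightly different path); a product-name link should land on the Defender for Endpoint overview, not a sub-topic, so point the heading at the overview page and use one path for the advanced hunting bullet. The trailing periods added to the `For more information` sentences are consistent with the rest of the page.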
@ -205,21 +203,21 @@ This release enables support for WIP with Files on Demand, allows file encryptio
### Office 365 Ransomware Detection
For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US).
## Windows Analytics
### Upgrade Readiness
Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](/archive/blogs/upgradeanalytics/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections)
Upgrade Readiness has added the ability to assess Spectre and Meltdown protections on your devices. This addition allows you to see if your devices have Windows OS and firmware updates with Spectre and Meltdown mitigations installed, as well as whether your antivirus client is compatible with these updates. For more information, see [Upgrade Readiness now helps assess Spectre and Meltdown protections](/archive/blogs/upgradeanalytics/upgrade-readiness-now-helps-assess-spectre-and-meltdown-protections).
### Update Compliance
Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](/windows/deployment/update/update-compliance-delivery-optimization)
Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](/windows/deployment/update/update-compliance-delivery-optimization).
### Device Health
Device Healths new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using)
Device Healths new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](/windows/deployment/update/device-health-using).
## Microsoft Edge


@ -83,7 +83,7 @@ The draft release of the [security configuration baseline settings](/archive/blo
### Microsoft Defender for Endpoint
- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URLs and IP addresses.
- [Next generation protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities Enable remote runtime attestation of Windows 10 platform.
- Tamper-proofing capabilities Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) In addition to Windows 10, Microsoft Defender for Endpoints functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
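Review bot: the `Next generation protection` link moved to `/microsoft-365/security/defender-endpoint/`, but the bullet directly above it still points at `/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction`, the old Defender for Endpoint location the rest of this commit is migrating away from; update it in the same pass. Also, every bullet runs the link text straight into its description (`[Next generation protection](...) Controls have been extended ...`); a colon after each link would make the list readable.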
@ -138,7 +138,7 @@ This new feature is displayed under the Device Security page with the string “
- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
- [Tamper Protection](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
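Review bot: the description `lets you prevent others from tampering with important security features` is vague for a security control; the linked page (`prevent-changes-to-security-settings-with-tamper-protection`) is about blocking changes to Microsoft Defender Antivirus settings, such as turning off real-time protection, so say that here, since the line is already being edited for the link move.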