deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into v-tea-CI-101829

Browse Source
This commit is contained in:
Teresa-Motiv
2019-10-02 08:53:37 -07:00
parent 094a94881b a4a6277343
commit 5d99d2df29
9 changed files with 293 additions and 312 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
devices/surface/TOC.md
View File

@ -21,6 +21,8 @@
## Deploy
### [Deploy Surface devices](deploy.md)
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
### [Windows 10 ARM-based PC app compatibility](surface-pro-arm-app-performance.md)
### [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)

9
devices/surface/change-history-for-surface.md
View File

@ -15,12 +15,17 @@ ms.topic: article
This topic lists new and updated topics in the Surface documentation library.
## October 2019
| **New or changed topic** | **Description** |
| ------------------------ | --------------- |
| [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)| New document highlighting key considerations for deploying, managing, and servicing Surface Pro X.|
## September 2019
| **New or changed topic** | **Description** |
| ------------------------ | --------------- |
| [Surface Dock Firmware Update](surface-dock-firmware-update.md)| New document for Microsoft Surface Dock Firmware Update, newly redesigned to automatically update Surface Dock firmware while running in the background on your Surface device.|
| [Surface Dock Firmware Update](surface-dock-firmware-update.md)| New document for Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device.|
## August 2019

16
devices/surface/deploy.md
View File

@ -15,9 +15,18 @@ ms.topic: article
# Deploy Surface devices
Get deployment guidance for your Surface devices including information about Microsoft Deployment Toolkit (MDT), out-of-box-experience (OOBE) customization, Ethernet adaptors, Surface Deployment Accelerator, and the Battery Limit setting.
Learn about about deploying ARM- and Intel-based Surface devices.
## In this section
## Deploying ARM-based devices
| Topic | Description |
| --- | --- |
| [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) | Get an overview of key considerations for deploying, managing, and servicing Surface Pro X running the Microsoft SQ1 ARM processor. |
| [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) | Learn about Autopilot, the recommended method for deploying Surface Pro X. |
| [Windows 10 ARM-based PC app compatibility](surface-pro-arm-app-performance.md) | Review app compatibility guidance for Surface Pro X. |
## Deploying Intel-based devices
| Topic | Description |
| --- | --- |
@ -36,9 +45,6 @@ Get deployment guidance for your Surface devices including information about Mic
## Related topics
[Surface TechCenter](https://technet.microsoft.com/windows/surface)
[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
 

167
devices/surface/surface-pro-arm-app-management.md Normal file
View File

@ -0,0 +1,167 @@
---
title: Deploying, managing, and servicing Surface Pro X
description: This article provides an overview of key considerations for deploying, managing, and servicing Surface Pro X.
ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: normal
ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko
manager: dansimp
ms.audience: itpro
---
# Deploying, managing, and servicing Surface Pro X
## Introduction
Built to handle high performance commercial requirements, Surface Pro X breaks new ground by incorporating the most powerful processor ever released on an ARM device, the Microsoft SQ1 ARM chipset.
Powered by a 3GHz CPU and a 2.1 teraflop GPU, Surface Pro X provides a full Windows experience. Its 13-hour battery life and built-in 4G LTE make it ideally suited for mobile first-line workers and professionals across the financial, legal, and medical fields or any role demanding extended battery life and continuous connectivity capabilities.
Surface Pro X is designed almost exclusively for a modern, cloud-based environment centered around Microsoft 365, Intune and Windows Autopilot. This article highlights what that looks like and outlines key considerations for deploying, managing, and servicing Surface Pro X.
## Deploying Surface Pro X
For the best experience, deploy Surface Pro X using Windows Autopilot either with the assistance of a Microsoft Cloud Solution Provider or self-provisioned using Autopilot deployment profiles and related features. For more information, refer to:
- [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
Autopilot deployment has several advantages: It allows you to use the factory provisioned operating system, streamlined for zero-touch deployment, to include pre-installation of Office Pro Plus.
Organizations already using modern management, security, and productivity solutions are well positioned to take advantage of the unique performance features in Surface Pro X. Customers using modernized line of business apps, Microsoft store (UWP) apps, or remote desktop solutions also stand to benefit.
## Image-based deployment considerations
Surface Pro X will be released without a standard Windows .ISO deployment image, which means its not supported on the Microsoft Deployment Toolkit (MDT) or operating system deployment methods using System Center Configuration Manager (SCCM) aka ConfiMgr. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
## Managing Surface Pro X devices
### Intune
A component of Microsoft Enterprise Mobility + Security, Intune integrates with Azure Active Directory for identity and access control and provides granular management of enrolled Surface Pro X devices. Intune mobile device management (MDM) policies have a number of advantages over older on-premises tools such as Windows Group Policy. This includes faster device login times and a more streamlined catalog of policies enabling full device management from the cloud. For example, you can manage LTE using eSIM profiles to configure data plans and deploy activation codes to multiple devices.<br>
For more information about setting up Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
### Co-management
Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client.
### Third party MDM solutions
You may be able to use third-party MDM tools to manage Surface Pro X devices. For details, contact your MDM provider.
### Antivirus software
Windows Defender will help protect Windows 10 on ARM-based PCs for the supported lifetime of the Windows 10 device.
Some third-party antivirus software cannot be installed on a Windows 10 PC running on an ARM-based processor. Collaboration with third-party antivirus software providers is continuing for AV app readiness on ARM-based PCs. Contact your antivirus software provider to understand when their apps will be available.
## Servicing Surface Pro X
Outside of personal devices that rely on Windows Update, servicing devices in most corporate environments requires downloading and managing the deployment of .MSI files to update target devices. Refer to the following documentation, which will be updated later to include guidance for servicing Surface Pro X:
- [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md).
> [!NOTE]
> Surface Pro X supports Windows 10, version 1903 and later.
## Running apps on Surface Pro X
Most apps run on ARM-based Windows 10 PCs with limited exclusions.
### Supported apps
- Most x86 Win32 apps run on Surface Pro X.
- Native ARM64 and Microsoft Store UWP apps provide an excellent user experience utilizing the full native speed of the ARM-based processor while optimizing battery life.
- Apps that use drivers designed for a Windows 10 PC running on an ARM-based processor.
### Not supported
- x64 apps won't run on a Windows 10 PC on an ARM-based processor.
For more information about running apps on Surface Pro X, refer to:
- [Windows 10 ARM-based PCs Support FAQ](https://support.microsoft.com/help/4521606)
- [Windows 10 on ARM documentation](https://docs.microsoft.com/windows/arm)
## Virtual Desktops (VDI)
Windows Virtual Desktop enables access to Windows desktops,applications, and data on any computing device or platform, from any location. To learn more, refer to the [Windows Virtual Desktop site](https://aka.ms/wvd).
## Browsing with Surface Pro X
Popular browsers run on Surface Pro X:
- In-box Edge, Firefox, Chrome, and Internet Explorer all run on Surface Pro X.
- In-box Edge and Firefox run natively and therefore have enhanced performance on a Windows 10 PC on an ARM-based processor.
## Installing and using Microsoft Office
- Use Office 365 for the best experience on a Windows 10 PC on an ARM-based processor.
- Office 365 “click-to-run” installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
- Microsoft Teams runs great on Surface Pro X.
- For “perpetual versions” of Office such as Office 2019, install the 32-bit version.
## VPN
To confirm if a specific third-party VPN supports a Windows 10 PC on an ARM-based processor, contact the VPN provider.
## Comparing key features
The following tables show the availability of selected key features on Surface Pro X with Windows 10 on ARM compared to Intel-based Surface Pro 7.
| Deployment | Surface Pro 7 | Surface Pro X | Notes |
| --------------------------------------- | ------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Windows Autopilot | Yes | Yes | |
| Support for Network Boot (PXE) | Yes | Yes | |
| Windows Configuration Designer | Yes | No | Not recommended for Surface Pro X. |
| WinPE | Yes | Yes | Not recommended for Surface Pro X. Microsoft does not provide the necessary .ISO and drivers to support WinPE with Surface Pro X. |
| SCCM: Operating System Deployment (OSD) | Yes | No | Not supported on Surface Pro X. |
| MDT | Yes | No | Not supported on Surface Pro X. |
| Management | Surface Pro 7 | Surface Pro X | Notes |
| --------------------------------------------- | ------------------- | ------------- | ------------------------------------------------------------------------------------- |
| Intune | Yes | Yes | Manage LTE with eSIM profiles. |
| Windows Autopilot | Yes | Yes | |
| Azure AD (co-management) | Yes | Yes | Ability to join Surface Pro X to Azure AD or Active Directory (Hybrid Azure AD Join). |
| SCCM | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
| Surface Dock Firmware Update | Yes | Yes | |
| Asset Tag Utility | Yes | Yes | |
| Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
| Security | Surface Pro 7 | Surface Pro X | Notes |
| --------------------------------- | ------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| BitLocker | Yes | Yes | |
| Windows Defender | Yes | Yes | |
| Support for third-party antivirus | Yes | See note |Some third-party antivirus software cannot be installed on a Windows 10 PC running on an ARM-based processor. Collaboration with third-party antivirus software providers is continuing for AV app readiness on ARM-based PCs. Contact your antivirus software provider to understand when their apps will be available. |
| Conditional Access | Yes | Yes | |
| Secure Boot | Yes | Yes | |
| Windows Information Protection | Yes | Yes | |
| Surface Data Eraser (SDE) | Yes | Yes | |
## FAQ
### Will an OS image be available at launch?
No. Surface Pro X will be released without a standard Windows .ISO deployment image, which means its not supported on the Microsoft Deployment Toolkit (MDT) or operating system deployment methods using System Center Configuration Manager (SCCM) aka ConfiMgr. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud.
### How can I deploy Surface Pro X?
Deploy Surface Pro X using Windows Autopilot.
### Will a BMR be available?
Yes.
### Is Intune required to manage Surface Pro X?
Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client.

27
devices/surface/surface-pro-arm-app-performance.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Windows 10 ARM-based PC app compatibility
description: This article provides introductory app compatibility information for Surface Pro X ARM-based PCs.
ms.prod: w10
ms.localizationpriority: normal
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko
manager: dansimp
ms.audience: itpro
---
# Windows 10 ARM-based PC app compatibility
Applications run differently on ARM-based Windows 10 PCs such as Surface Pro X. Limitations include the following:
- **Drivers for hardware, games and apps will only work if they're designed for a Windows 10 ARM-based PC**. For more info, check with the hardware manufacturer or the organization that developed the driver. Drivers are software programs that communicate with hardware devices—they're commonly used for antivirus and antimalware software, printing or PDF software, assistive technologies, CD and DVD utilities, and virtualization software. If a driver doesnt work, the app or hardware that relies on it wont work either (at least not fully). Peripherals and devices only work if the drivers they depend on are built into Windows 10, or if the hardware developer has released ARM64 drivers for the device.
- **64-bit (x64) apps wont work**. You'll need 64-bit (ARM64) apps, 32-bit (ARM32) apps, or 32-bit (x86) apps. You can usually find 32-bit (x86) versions of apps, but some app developers only offer 64-bit (x64) apps.
- **Certain games wont work**. Games and apps won't work if they use a version of OpenGL greater than 1.1, or if they rely on "anti-cheat" drivers that haven't been made for Windows 10 ARM-based PCs. Check with your game publisher to see if a game will work.
- **Apps that customize the Windows experience might have problems**. This includes some input method editors (IMEs), assistive technologies, and cloud storage apps. The organization that develops the app determines whether their app will work on a Windows 10 ARM-based PC.
- **Some third-party antivirus software cant be installed**. You won't be able to install some third-party antivirus software on a Windows 10 ARM-based PC. However, Windows Security will help keep you safe for the supported lifetime of your Windows 10 device.
- **Windows Fax and Scan isnt available**. This feature isnt available on a Windows 10 ARM-based PC.
For more information about app compatibility, refer to [Windows 10 ARM-based PCs FAQ](https://support.microsoft.com/en-us/help/4521606)

16
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2402,18 +2402,12 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior" id="localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -2432,9 +2426,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam" id="localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
@ -2444,9 +2435,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel" id="localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
@ -5007,21 +4995,17 @@ The following diagram shows the Policy configuration service provider in tree fo
- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm)
- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients)
- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)

6
windows/client-management/mdm/policy-csp-browser.md
View File

@ -3019,8 +3019,6 @@ Most restricted value: 0
> [!IMPORTANT]
> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -3033,8 +3031,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy.
- 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy.
- 0 (default) Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy.
- 1 Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy.
Most restricted value: 0
<!--/SupportedValues-->

344
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -13,9 +13,6 @@ manager: dansimp
# Policy CSP - LocalPoliciesSecurityOptions
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -80,18 +77,12 @@ manager: dansimp
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -110,9 +101,6 @@ manager: dansimp
<dd>
<a href="#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
@ -122,9 +110,6 @@ manager: dansimp
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
@ -865,6 +850,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -948,6 +942,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -1026,6 +1029,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -1655,99 +1667,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Mobile</td>
<td></td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component.
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled.
Notes
All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Microsoft network client: Digitally sign communications (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
@ -2467,94 +2386,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Mobile</td>
<td></td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.
By default, this policy is enabled on Windows 7 and above.
By default, this policy is disabled on Windows Vista.
This policy is supported on at least Windows Vista or Windows Server 2008.
Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Allow Local System to use computer identity for NTLM*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@ -2798,91 +2629,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Mobile</td>
<td></td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
Default:
Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
@ -3028,6 +2774,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -3105,6 +2860,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -3182,6 +2946,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -3259,6 +3032,15 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>

10
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -36,6 +36,16 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
> [!NOTE]
> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns.
The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```
MiscEvents
| where EventTime > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
| where count_ > 5
```
### 2. Create new rule and provide alert details.
With the query in the query editor, select **Create detection rule** and specify the following alert details: