diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e8418cc2cf..3cc5b78036 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -20539,6 +20539,71 @@ "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md", "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard", "redirect_document_id": true + }, + { + "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/get-support-for-security-baselines.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-scripts.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md", + "redirect_url": "/windows/security", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md", + "redirect_url": "/windows/security", + "redirect_document_id": false } ] } diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 27db0f26ae..6d99441988 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](/windows/client-management/mdm/). | -| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).| | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 0f1ca8d5c4..4ddce5cb4e 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -29,14 +29,14 @@ Object owners generally grant permissions to security groups rather than to indi This content set contains: -- [Dynamic Access Control Overview](dynamic-access-control.md) -- [Security identifiers](security-identifiers.md) -- [Security Principals](security-principals.md) +- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview) +- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers) +- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals) - [Local Accounts](local-accounts.md) - - [Active Directory Accounts](active-directory-accounts.md) - - [Microsoft Accounts](microsoft-accounts.md) - - [Service Accounts](service-accounts.md) - - [Active Directory Security Groups](active-directory-security-groups.md) + - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts) + - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts) + - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts) + - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups) ## Practical applications 
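Review bot: In the `.openpublishing.redirection.json` hunk, all thirteen added entries send readers to the generic `/windows/security` landing page, so anyone following an old link to `bitlocker-recovery-loop-break.md` or `manage-tpm-lockout.md` lands on a hub with no pointer to the procedure they were looking for. The context entry just above the additions redirects `dg-readiness-tool.md` to `/windows/security/identity-protection/credential-guard/credential-guard` with `"redirect_document_id": true`; `credential-guard-scripts.md` could follow the same pattern, and the TPM, BitLocker, Windows Defender Application Control and Windows Firewall entries could likewise point at the nearest surviving page in their own section.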
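Review bot: In the Microsoft account row of `windows/security/cloud.md`, the "To learn more" link now leaves the Windows client docs for `/windows-server/identity/ad-ds/manage/understand-microsoft-accounts`, an AD DS management path, while the row itself describes consumer sign-in and settings sync on Windows 11; confirm the target article still serves that audience. None of the redirect entries visible in this change covers `identity-protection/access-control/microsoft-accounts.md`, so if that file is removed elsewhere in the change it needs an entry of its own. While touching this table, the unchanged OneDrive row reads "allowing users to them on their laptops", which is missing a verb.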
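Review bot: In `access-control.md`, the list introduced by "This content set contains:" now has seven of its eight links pointing under `/windows-server/identity/...`, with only `local-accounts.md` still local, so the lead-in no longer describes the list. Reword it to something like "Related content:", and consider flattening the four items nested under Local Accounts, since they are now Windows Server articles rather than children of a page in this content set.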
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif deleted file mode 100644 index fb60cd5599..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png deleted file mode 100644 index 93e5e8e098..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png deleted file mode 100644 index 7aad6b6a7b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png deleted file mode 100644 index 2b6c1394b9..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png deleted file mode 100644 index 65508e5cf4..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png deleted file mode 100644 index 4653a66f29..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png deleted file mode 100644 index b4e379a357..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png deleted file mode 100644 index c725fd4f55..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png deleted file mode 100644 index 999303a2d6..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png deleted file mode 100644 index b80fc69397..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png deleted file mode 100644 index 412f425ccf..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png deleted file mode 100644 index b80fc69397..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png deleted file mode 100644 index b2f6d3e1e2..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png deleted file mode 100644 index 8dda5403cf..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png deleted file mode 100644 index e96b26abe1..0000000000 Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif deleted file mode 100644 index d8a4d99dd2..0000000000 Binary files a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif deleted file mode 100644 index f76182ee25..0000000000 Binary files a/windows/security/identity-protection/access-control/images/corpnet.gif and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png deleted file mode 100644 index e70fa02c92..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png deleted file mode 100644 index 085993f92c..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png deleted file mode 100644 index 282cdb729d..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png deleted file mode 100644 index 89fc916400..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png deleted file mode 100644 index d8d5af1336..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png deleted file mode 100644 index ba3f15f597..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png deleted file mode 100644 index 2d44e29e1b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png deleted file mode 100644 index 89136d1ba0..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png and /dev/null differ 
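Review bot: The `localaccounts-proc1-sample*.png` and `localaccounts-proc2-sample*.png` images are deleted in this run of binary removals, but the `access-control.md` hunk keeps its link to `local-accounts.md`, so that page appears to stay. Check that `local-accounts.md` no longer references any of these files, otherwise it will render broken images after the merge.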
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png deleted file mode 100644 index f2d3a7596b..0000000000 Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png and /dev/null differ diff --git a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg deleted file mode 100644 index cd7d341065..0000000000 Binary files a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg and /dev/null differ diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md deleted file mode 100644 index 5051ce94cd..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ /dev/null @@ -1,494 +0,0 @@ ---- -title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows) -description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows. -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Credential Guard: scripts for certificate authority issuance policies - -Expand each section to see the PowerShell scripts: - -
-
-Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. -help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. 
The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity -write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. - -
- -
-
-Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -```powershell -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it? -OUCreationSuccess = Organizational Unit "{0}" successfully created. 
-OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. -ExitNoLinkReplacement = Exiting without setting the new link. 
-'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq $null) { -# default to the Users container -$groupContainer = 
$domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adgroup -samAccountName $groupName -path 
$groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) { -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in 
$members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - -
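Review bot: the removed block ending at the ConvertFrom-StringData note takes out the entire Set-IssuancePolicyToGroupMapping.ps1 listing, and the visible part of this change shows no replacement or pointer for it. The script is the documented way here to set or clear msDS-OIDToGroupLink on an issuance policy, with its checks that the target group is Universal, Security and empty, so any remaining article that tells readers to run `.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ... -groupName ...` should be updated in the same change or given a link to wherever the script now lives.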
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index b7b06e3193..299c09d7f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -37,5 +37,5 @@ Suppose instead that you sign in on **Device B** and change your password for yo - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index c9bc5a12f3..e6a01bb2b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -89,4 +89,4 @@ To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) 
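Review bot: the `+` line of this hunk keeps the label "Event ID 300 - Windows Hello successfully created" but retargets it to /windows/security/identity-protection/hello-for-business/hello-faq, so the label promises an event reference that the link no longer opens. Either rename the bullet to match the FAQ page or drop it from the related-topics list. It is also now the only absolute site path in a list whose other entries are relative .md links, which is worth making consistent. The same substitution repeats in the other related-topics hunks of this patch, so the fix should be applied to all of them.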
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 64b6af4819..22f170e86e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
@@ -55,7 +55,7 @@ Following are the various deployment guides and models included in this topic: - [On Premises Key Trust Deployment](hello-deployment-key-trust.md) - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. +For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. ## Provisioning 
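Review bot: the `+` line carries the `#directory-synchronization` fragment over from hello-hybrid-cert-trust-prereqs.md and hello-hybrid-key-trust-prereqs.md to /windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust and /windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust, and nothing in the diff shows that the new target pages have a heading that produces that anchor. Please confirm both fragments resolve on the new pages; if they do not, the links silently land at the top of the page. The link text still reads "certificate trust prerequisites" and "key trust prerequisites", so adjust the wording if the targets are no longer prerequisites pages.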
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index adfbe58657..d6d35b189a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -76,5 +76,5 @@ The computer is ready for dual enrollment. Sign in as the privileged user first * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) * [Windows Hello and password changes](hello-and-password-changes.md) * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -* [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 6bae92fc12..9f461f9697 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -55,5 +55,5 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) * [Windows Hello and password changes](hello-and-password-changes.md) * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -* [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 7eb9352755..519b34bd34 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -266,5 +266,5 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index c7aad5a502..2f1c460668 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -58,5 +58,5 @@ Users appreciate convenience of biometrics and administrators value the security - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 7bec9c2543..b3765851fa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -101,7 +101,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while ### More information on cloud experience host -[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) +[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works) ## Cloud Kerberos trust diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 9f3670151c..40e094e6c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md 
@@ -52,5 +52,5 @@ For more information read [how authentication works](hello-how-it-works-authenti - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2cc6e81fff..677bc65d0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -14,7 +14,7 @@ ms.topic: how-to If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue. Steps you'll perform include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 80f86ef481..9d45b8bed7 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete: > - Update group memberships for the AD FS service account > [!div class="nextstepaction"] -> [Next: configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) \ No newline at end of file +> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 7d6a702deb..d6e6de308d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -111,5 +111,5 @@ Windows Hello for Business with a key, including cloud Kerberos trust, doesn't s - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c3c5912b26..f3e0b27534 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -87,7 +87,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. 
RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 69e4a380e5..0efcd603a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -52,6 +52,6 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index d79cb84809..6b65c109d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -82,5 +82,5 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png deleted file mode 100644 index 50029cc00e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png deleted file mode 100644 index 93085b03a8..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png deleted file mode 100644 index 88aaf424f0..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png deleted file mode 100644 index 3d547d05fc..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png deleted file mode 100644 index d98d871f21..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png deleted file mode 100644 index caacf8a566..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png deleted file mode 100644 index 226f85eeb0..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png deleted file mode 100644 index 067c109808..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png deleted file mode 100644 index f2c38239f3..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png deleted file mode 100644 index 74cea5f0b5..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png deleted file mode 100644 index e95fd1b9ba..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png deleted file mode 100644 index c973e43aec..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png deleted file mode 100644 index 70aaa2db9d..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png deleted file mode 100644 index eadf1eb285..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png deleted file mode 100644 index 56cced034f..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png deleted file mode 100644 index e4e4555942..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png deleted file mode 100644 index 390bfecafd..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png deleted file mode 100644 index a136973f04..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png deleted file mode 100644 index c78baecd49..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png deleted file mode 100644 index 96fe45bbcf..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png deleted file mode 100644 index 004d3a3f25..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png deleted file mode 100644 index 9d66d330fd..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png deleted file mode 100644 index dea61f116e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png deleted file mode 100644 index 831e12fe59..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png deleted file mode 100644 index 21f4159d80..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png deleted file mode 100644 index 49c4dee983..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png deleted file mode 100644 index c2a4f36704..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png deleted file mode 100644 index 0ec08ecbc0..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png deleted file mode 100644 index 46db47b6f0..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png deleted file mode 100644 index 91e079feca..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/createPin.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png deleted file mode 100644 index 85bc6491cf..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png deleted file mode 100644 index 7f0be5249d..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png deleted file mode 100644 index 72c94fb321..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png deleted file mode 100644 index 64f85b1f54..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png deleted file mode 100644 index 6894047f98..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png deleted file mode 100644 index 3167588d7b..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png deleted file mode 100644 index 611bbfad70..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello_filter.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png deleted file mode 100644 index b74cf682ac..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello_gear.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png deleted file mode 100644 index 5643cecec0..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello_lock.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png deleted file mode 100644 index c6750396dd..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello_users.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png deleted file mode 100644 index 8b003013f0..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png deleted file mode 100644 index 44bbc4a572..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png deleted file mode 100644 index df7973e2ca..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png deleted file mode 100644 index eb3458bf76..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png deleted file mode 100644 index 6011b3c66e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png deleted file mode 100644 index ac1752b75b..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png deleted file mode 100644 index 2835e56049..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png deleted file mode 100644 index 4874ca4516..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png deleted file mode 100644 index c6572cbd5a..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png deleted file mode 100644 index 3a72066a31..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png deleted file mode 100644 index c3754b5389..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png deleted file mode 100644 index 97db24c262..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png deleted file mode 100644 index 80f9d53d2c..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png deleted file mode 100644 index 97ad2a1bfb..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png deleted file mode 100644 index b7086b9b79..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/mfa.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png deleted file mode 100644 index 174cf0a790..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png deleted file mode 100644 index 028f06544c..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png deleted file mode 100644 index 322a4fcbdc..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png deleted file mode 100644 index f86101b1e8..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg deleted file mode 100644 index d9acfd8170..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg deleted file mode 100644 index 21d37405a7..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md deleted file mode 100644 index a5b340a3f8..0000000000 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -ms.date: 12/08/2022 -ms.topic: include ---- - -[!INCLUDE [hello-intro](hello-intro.md)] -- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] -- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)] -- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] ---- \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md deleted file mode 100644 index b637be9beb..0000000000 --- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -ms.date: 12/08/2022 -ms.topic: include ---- - -[!INCLUDE [hello-intro](hello-intro.md)] -- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] -- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] -- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] ---- \ No newline at end of file diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png deleted file mode 100644 index b4b883db90..0000000000 Binary files a/windows/security/identity-protection/images/application-guard-and-system-guard.png and /dev/null differ 
diff --git a/windows/security/identity-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png deleted file mode 100644 index d8e3598dc9..0000000000 Binary files a/windows/security/identity-protection/images/remote-credential-guard.png and /dev/null differ diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png deleted file mode 100644 index 0da610c368..0000000000 Binary files a/windows/security/identity-protection/images/traditional-windows-software-stack.png and /dev/null differ diff --git a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png b/windows/security/identity-protection/vpn/images/custom-vpn-profile.png deleted file mode 100644 index b229c96b68..0000000000 Binary files a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png and /dev/null differ diff --git a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png deleted file mode 100644 index 9f4efabc3f..0000000000 Binary files a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png and /dev/null differ diff --git a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png deleted file mode 100644 index 4224979bbd..0000000000 Binary files a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png and /dev/null differ diff --git a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png deleted file mode 100644 index 7277b7a598..0000000000 Binary files a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png and /dev/null differ 
diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png deleted file mode 100644 index 62aaa46f8d..0000000000 Binary files a/windows/security/images/fall-creators-update-next-gen-security.png and /dev/null differ diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg deleted file mode 100644 index 21a6b4f235..0000000000 --- a/windows/security/images/icons/accessibility.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg deleted file mode 100644 index ab2d5152ca..0000000000 --- a/windows/security/images/icons/powershell.svg +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg deleted file mode 100644 index dbbad7d780..0000000000 --- a/windows/security/images/icons/provisioning-package.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg deleted file mode 100644 index 06ab4c09d7..0000000000 --- a/windows/security/images/icons/registry.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png deleted file mode 100644 index a598365cb7..0000000000 Binary files a/windows/security/images/next-generation-windows-security-vision.png and /dev/null differ 
diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png deleted file mode 100644 index e062b0d292..0000000000 Binary files a/windows/security/images/windows-security-app-w11.png and /dev/null differ diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md deleted file mode 100644 index f928705138..0000000000 --- a/windows/security/includes/improve-request-performance.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 12/08/2022 -ms.topic: include ---- - ->[!TIP] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.microsoft.com -> - api-eu.securitycenter.microsoft.com -> - api-uk.securitycenter.microsoft.com diff --git a/windows/security/includes/intune-custom-settings-info.md b/windows/security/includes/intune-custom-settings-info.md deleted file mode 100644 index 9509d5b13d..0000000000 --- a/windows/security/includes/intune-custom-settings-info.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 01/03/2022 -ms.topic: include ---- - -For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/windows/security/includes/intune-settings-catalog-1.md b/windows/security/includes/intune-settings-catalog-1.md deleted file mode 100644 index 2ddfc8d6b6..0000000000 --- a/windows/security/includes/intune-settings-catalog-1.md +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 01/03/2022 -ms.topic: include ---- - -To configure devices with Microsoft Intune, use the settings catalog: - - > [!TIP] - > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to create a Settings catalog policy (opens in a new tab). - -1. Go to the Microsoft Endpoint Manager admin center -2. Select **Devices > Configuration profiles > Create profile** -3. Select **Platform > Windows 10 and later** and **Profile type > Settings catalog** -4. Select **Create** -5. Specify a **Name** and, optionally, a **Description** > **Next** -6. In the settings picker, add the following settings: \ No newline at end of file diff --git a/windows/security/includes/intune-settings-catalog-2.md b/windows/security/includes/intune-settings-catalog-2.md deleted file mode 100644 index 9558ed41a7..0000000000 --- a/windows/security/includes/intune-settings-catalog-2.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 01/03/2022 -ms.topic: include ---- - -7. Select **Next** -8. Optionally, add *scope tags* > **Next** -9. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/windows/security/includes/intune-settings-catalog-info.md b/windows/security/includes/intune-settings-catalog-info.md deleted file mode 100644 index 8387d702ff..0000000000 --- a/windows/security/includes/intune-settings-catalog-info.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 01/03/2022 -ms.topic: include ---- - -For more information about how to create policies with the Intune settings catalog, see [Use the settings catalog to configure settings](/mem/intune/configuration/settings-catalog). \ No newline at end of file 
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md deleted file mode 100644 index d4b4560d8f..0000000000 --- a/windows/security/includes/machineactionsnote.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 12/08/2022 -ms.topic: include ---- - ->[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) for more information about response actions functionality via Microsoft Defender for Endpoint. \ No newline at end of file diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md deleted file mode 100644 index 0b0b2be701..0000000000 --- a/windows/security/includes/microsoft-defender-api-usgov.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 12/08/2022 -ms.topic: include ---- - ->[!NOTE] ->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api). \ No newline at end of file diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md deleted file mode 100644 index bd9a8d2c0d..0000000000 --- a/windows/security/includes/microsoft-defender.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 12/08/2022 -ms.topic: include ---- - -> [!IMPORTANT] -> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center). 
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md deleted file mode 100644 index c0212561bd..0000000000 --- a/windows/security/includes/prerelease.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -author: paolomatarazzo -ms.author: paoloma -ms.date: 12/08/2022 -ms.topic: include ---- - -> [!IMPORTANT] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md deleted file mode 100644 index b332940d0a..0000000000 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Breaking out of a BitLocker recovery loop -description: This article for IT professionals describes how to break out of a BitLocker recovery loop. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz -ms.collection: - - tier1 - - highpri -ms.topic: conceptual -ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security ---- - -# Breaking out of a BitLocker recovery loop - -Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating. - -If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop: - -> [!NOTE] -> Try these steps only after the device has been restarted at least once. - -1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**. - -2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. - -3. From the WinRE command prompt, manually unlock the drive with the following command: - -```cmd -manage-bde.exe -unlock C: -rp -``` - -4. Suspend the protection on the operating system with the following command: - -```cmd -manage-bde.exe -protectors -disable C: -``` - -5. Once the command is run, exit the command prompt and continue to boot into the operating system. diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png deleted file mode 100644 index 11f986fb68..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509186-en-1.png and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png deleted file mode 100644 index 5b5b7b1b4a..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509188-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png deleted file mode 100644 index 8d243a1899..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509189-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png deleted file mode 100644 index bd37969b5d..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509190-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png deleted file mode 100644 index 00ef607ab3..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509191-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png deleted file mode 100644 index 2085613b3d..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509193-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png deleted file mode 100644 index f4506c399b..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509194-en-1.png and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png deleted file mode 100644 index cbecb03c4e..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509195-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png deleted file mode 100644 index 01e94b1243..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509196-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png deleted file mode 100644 index 9056658662..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509198-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png deleted file mode 100644 index d68a22eef7..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509199-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png deleted file mode 100644 index 689bb19299..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509200-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png deleted file mode 100644 index d521e86eed..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509201-en-1.png and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png deleted file mode 100644 index bfcd2326b6..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509202-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png deleted file mode 100644 index 05acc571fe..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509203-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png deleted file mode 100644 index fa13f38ba9..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509204-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png deleted file mode 100644 index a4f5cc15d2..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509205-en-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png deleted file mode 100644 index 7b7e449443..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/4509206-en-1.png and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg deleted file mode 100644 index 95afbf2ccc..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg deleted file mode 100644 index d2caa05b03..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg deleted file mode 100644 index 14a30db7c4..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg deleted file mode 100644 index e691dcbc53..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg deleted file mode 100644 index 40ddf183f6..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png deleted file mode 100644 index c600883c0e..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg deleted file mode 100644 index 91d10e6c66..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png deleted file mode 100644 index 21adc928de..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png deleted file mode 100644 index 2941452109..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png deleted file mode 100644 index 53b374d26e..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png deleted file mode 100644 index bc299cc0e9..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png deleted file mode 100644 index 1bef01d587..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png deleted file mode 100644 index d4d825029c..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png deleted file mode 100644 index 2acac0f3ea..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png deleted file mode 100644 index cb5b84d6b9..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png deleted file mode 100644 index 3b3cd2b961..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png and /dev/null differ 
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png deleted file mode 100644 index 4e82b9b76e..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png and /dev/null differ diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png deleted file mode 100644 index 8fb9446d93..0000000000 Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png and /dev/null differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg deleted file mode 100644 index f1c25c116c..0000000000 Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg and /dev/null differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png deleted file mode 100644 index dfd30ba2a2..0000000000 Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.png and /dev/null differ diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 9f1d4ad802..80d41fa3fb 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
@@ -133,6 +133,8 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. + + ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png) *Figure 2. Measured Boot proves the PC's health to a remote server* diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md deleted file mode 100644 index 5fabd8a69f..0000000000 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: Change the TPM owner password (Windows) -description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. -ms.reviewer: -ms.prod: windows-client -author: dansimp -ms.author: dansimp -manager: aaroncz -ms.topic: conceptual -ms.date: 01/18/2022 -ms.technology: itpro-security ---- - -# Change the TPM owner password - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. - -## About the TPM owner password - -Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. - -> [!IMPORTANT] -> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. Unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. - -Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. 
Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. - -Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI. - -### Other TPM management options - -Instead of changing your owner password, you can also use the following options to manage your TPM: - -- **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - -- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). - -## Change the TPM owner password - -With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. - -To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) 
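Review bot: the IMPORTANT note removed with change-the-tpm-owner-password.md is where the `OSManagedAuthLevel` values under `HKLM\Software\Policies\Microsoft\TPM` are explained (4 retains the owner password, 5 is the default for versions newer than 1703), and nothing in the lines shown here moves that text to another page. Before the file is deleted, confirm that a remaining TPM page still documents those values and the "not retained starting with Windows 10, version 1607" behaviour. Also check trusted-platform-module-top-node.md, which this page names as its list of topics, for a link back to the deleted file.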
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md deleted file mode 100644 index 251796e480..0000000000 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -title: Manage TPM commands (Windows) -description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. -ms.author: dansimp -ms.prod: windows-client -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security ---- - -# Manage TPM commands - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. - -After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. - -The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. - -**To block TPM commands by using the Local Group Policy Editor** - -1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - - > [!NOTE] - > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). - -2. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. - -3. Under **System**, click **Trusted Platform Module Services**. - -4. 
In the details pane, double-click **Configure the list of blocked TPM commands**. - -5. Click **Enabled**, and then click **Show**. - -6. For each command that you want to block, click **Add**, enter the command number, and then click **OK**. - - > [!NOTE] - > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). - -7. After you have added numbers for each command that you want to block, click **OK** twice. - -8. Close the Local Group Policy Editor. - -**To block or allow TPM commands by using the TPM MMC** - -1. Open the TPM MMC (tpm.msc) - -2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - -3. In the console tree, click **Command Management**. A list of TPM commands is displayed. - -4. In the list, select a command that you want to block or allow. - -5. Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. - -**To block new commands** - -1. Open the TPM MMC (tpm.msc). - - If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. - -2. In the console tree, click **Command Management**. A list of TPM commands is displayed. - -3. In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed. - -4. In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list. - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). 
- -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md deleted file mode 100644 index 4e0c9fa6af..0000000000 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -title: Manage TPM lockout (Windows) -description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. -ms.reviewer: -ms.author: dansimp -ms.prod: windows-client -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security ---- -# Manage TPM lockout - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. - -## About TPM lockout - -The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. - -TPM ownership is taken upon first boot by Windows. By default, Windows does not retain the TPM owner password. - -In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. - -**TPM 1.2** - -The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. 
TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time. - -**TPM 2.0** - -TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1. - -If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. - -## Reset the TPM lockout by using the TPM MMC - -> [!NOTE] -> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher. - -The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. - -**To reset the TPM lockout** - -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. - -3. Choose one of the following methods to enter the TPM owner password: - - - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. 
- - - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. - - > [!NOTE] - > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. - -## Use Group Policy to manage TPM lockout settings - -The TPM Group Policy settings in the following list are located at: - -**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** - -- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration) - - This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. - -- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold) - - This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. 
- -- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold) - - This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. - -For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering). - -## Use the TPM cmdlets - -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png deleted file mode 100644 index 5ce10dd81f..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png deleted file mode 100644 index 6bc8237f7f..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png deleted file mode 100644 index 7d67692ff3..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png deleted file mode 100644 index 3ffbcce88c..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png deleted file mode 100644 index 0148a800b2..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png deleted file mode 100644 index 3ceabfd15a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png deleted file mode 100644 index 09bbda3a06..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png deleted file mode 100644 index 17a97b8d3a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png deleted file mode 100644 index 7b226b7edd..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png deleted file mode 100644 index 52e3983adf..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png deleted file mode 100644 index 808de2db0e..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png deleted file mode 100644 index 3f7b7af6b6..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png deleted file mode 100644 index f889dbca48..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png deleted file mode 100644 index de066d3a8b..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png deleted file mode 100644 index 7987e91454..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png deleted file mode 100644 index 70e726d379..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png deleted file mode 100644 index e48b59aa4b..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png deleted file mode 100644 index 6aa8f89355..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png deleted file mode 100644 index 6786a93416..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png deleted file mode 100644 index bc801a8521..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png deleted file mode 100644 index 64d9ebda26..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png deleted file mode 100644 index 3ec8bec32d..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png deleted file mode 100644 index b3340d6e4f..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png deleted file mode 100644 index 49c41b313d..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png deleted file mode 100644 index 51abff3771..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png deleted file mode 100644 index cf9f85181a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png deleted file mode 100644 index 66415d57fd..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png deleted file mode 100644 index a1d9bc70d9..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png deleted file mode 100644 index b09cb58508..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png deleted file mode 100644 index 19892b3a7c..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png deleted file mode 100644 index cfeee8a45f..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png deleted file mode 100644 index 57c40a85d0..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png deleted file mode 100644 index 58f675399a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png deleted file mode 100644 index dd6450af37..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png deleted file mode 100644 index 3dbbb4e09b..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png deleted file mode 100644 index 89a133bcbe..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png deleted file mode 100644 index f069f140dd..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png deleted file mode 100644 index e02310282d..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png deleted file mode 100644 index ae14d18238..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png deleted file mode 100644 index 91109c29c9..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png deleted file mode 100644 index 0aeb04bf0a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png deleted file mode 100644 index 7090e29ff1..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png deleted file mode 100644 index 313b0e4b73..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png deleted file mode 100644 index e759e45f28..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png deleted file mode 100644 index 8b81622c1a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png deleted file mode 100644 index 8bc8a4d845..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png deleted file mode 100644 index b31efa417c..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png deleted file mode 100644 index d12500349a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png deleted file mode 100644 index e2b9b2ccae..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png deleted file mode 100644 index b549db5548..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png deleted file mode 100644 index 5c0dd50bb0..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png deleted file mode 100644 index eef6b1efd0..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png deleted file mode 100644 index 5ed595983a..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png deleted file mode 100644 index 59291bf62e..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png deleted file mode 100644 index 3142b31f51..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png deleted file mode 100644 index aa0184a2c6..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png deleted file mode 100644 index f282ff5e6b..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png deleted file mode 100644 index 2ecd78f1ca..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png deleted file mode 100644 index f397cd6797..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png deleted file mode 100644 index 30dde125e1..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png deleted file mode 100644 index 0fff54b6d2..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png and /dev/null differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png deleted file mode 100644 index fdbc950c9e..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and /dev/null differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png deleted file mode 100644 index af36a7cc4e..0000000000 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png and /dev/null differ diff --git a/windows/security/threat-protection/auditing/images/netsh-command.png b/windows/security/threat-protection/auditing/images/netsh-command.png deleted file mode 100644 index 56d7caa0c4..0000000000 Binary files a/windows/security/threat-protection/auditing/images/netsh-command.png and /dev/null differ diff --git a/windows/security/threat-protection/auditing/images/synaptics.png b/windows/security/threat-protection/auditing/images/synaptics.png deleted file mode 100644 index 2ffc025437..0000000000 Binary files a/windows/security/threat-protection/auditing/images/synaptics.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png deleted file mode 100644 index 043da38016..0000000000 Binary files a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png deleted file mode 100644 index 1943ec1fab..0000000000 Binary files a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png deleted file mode 100644 index 6913ecfcc6..0000000000 Binary files a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png deleted file mode 100644 index d35b3507f8..0000000000 Binary files a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png deleted file mode 100644 index c2cec3aca1..0000000000 Binary files a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png deleted file mode 100644 index 4bf90b2b8a..0000000000 Binary files a/windows/security/threat-protection/device-control/images/admintemplates.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/baselines.png b/windows/security/threat-protection/device-control/images/baselines.png deleted file mode 100644 index d08380470f..0000000000 Binary files a/windows/security/threat-protection/device-control/images/baselines.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png deleted file mode 100644 index 3080e0d1f0..0000000000 Binary files a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/bluetooth.png b/windows/security/threat-protection/device-control/images/bluetooth.png deleted file mode 100644 index f4f5e4804b..0000000000 Binary files a/windows/security/threat-protection/device-control/images/bluetooth.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png deleted file mode 100644 index 6951e4ed5a..0000000000 Binary files a/windows/security/threat-protection/device-control/images/class-guids.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png deleted file mode 100644 index 9d295dfa6b..0000000000 Binary files a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png deleted file mode 100644 index 4b8c80fdd7..0000000000 Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png deleted file mode 100644 index eaba30b27f..0000000000 Binary files a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png deleted file mode 100644 index b0b7eb7237..0000000000 Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png deleted file mode 100644 index 95ac48ec54..0000000000 Binary files a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png deleted file mode 100644 index 44be977537..0000000000 Binary files a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png deleted file mode 100644 index 829014859f..0000000000 Binary files a/windows/security/threat-protection/device-control/images/devicecontrolcard.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png deleted file mode 100644 index a7cd33c892..0000000000 Binary files a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg deleted file mode 100644 index cd814377be..0000000000 Binary files a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png deleted file mode 100644 index 4743358c57..0000000000 Binary files a/windows/security/threat-protection/device-control/images/devicesbyconnection.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg deleted file mode 100644 index 10b636fc0d..0000000000 Binary files a/windows/security/threat-protection/device-control/images/devicevendorid.jpg and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png deleted file mode 100644 index cf8399acf4..0000000000 Binary files a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png deleted file mode 100644 index 152822dc29..0000000000 Binary files a/windows/security/threat-protection/device-control/images/general-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png deleted file mode 100644 index 9017f289f6..0000000000 Binary files a/windows/security/threat-protection/device-control/images/hardware-ids.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png deleted file mode 100644 index 55be4d714a..0000000000 Binary files a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png and /dev/null differ diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg deleted file mode 100644 index c86eab1470..0000000000 Binary files a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/device-guard-gp.png b/windows/security/threat-protection/device-guard/images/device-guard-gp.png deleted file mode 100644 index 6d265509ea..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/device-guard-gp.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png b/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png deleted file mode 100644 index cefb124344..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png deleted file mode 100644 index 938e397751..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png deleted file mode 100644 index fa2c162cc0..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png deleted file mode 100644 index 4439bd2764..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png deleted file mode 100644 index db0ddb80db..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png deleted file mode 100644 index 55344d70d1..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png deleted file mode 100644 index d79ca2c2af..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png b/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png deleted file mode 100644 index 08492ef73b..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png b/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png deleted file mode 100644 index 2c5c7236eb..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png b/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png deleted file mode 100644 index 2c838be648..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png deleted file mode 100644 index 9499946283..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png b/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png deleted file mode 100644 index 4f6746eddf..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png deleted file mode 100644 index c6b33e6139..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png b/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png b/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png deleted file mode 100644 index e3729e8214..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png b/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png deleted file mode 100644 index 4f6746eddf..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png deleted file mode 100644 index 9f0ed93274..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png deleted file mode 100644 index bad5fe7cdd..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png deleted file mode 100644 index 782c2017ae..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png deleted file mode 100644 index 11687d092c..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png deleted file mode 100644 index 7661cb4eb9..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png b/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png deleted file mode 100644 index b9a4b1881f..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png and /dev/null differ 
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png deleted file mode 100644 index 25f73eb190..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png deleted file mode 100644 index 3a33c13350..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png deleted file mode 100644 index 9b423ea8ab..0000000000 Binary files a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md deleted file mode 100644 index 1bee48b996..0000000000 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. -keywords: virtualization, security, malware -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.localizationpriority: medium -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: conceptual -ms.date: 10/20/2017 -ms.reviewer: -ms.author: vinpa -ms.technology: itpro-security ---- - -# Baseline protections and other qualifications for virtualization-based protection of code integrity - -**Applies to** -- Windows 10 - -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats. - -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. - -> [!WARNING] -> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. 
Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). - -The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. - -## Baseline protections - -|Baseline Protections | Description | Security benefits | -|--------------------------------|----------------------------------------------------|-------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). 
You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features. | - -> **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. - -## Other qualifications for improved security - -The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met. - - -### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | - -
- -### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
- -### More security qualifications starting with Windows 10, version 1703 - - -| Protections for Improved Security | Description | Security benefits | -|---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Also note the following guidelines:
• Don't use sections that are both writeable and executable
• Don't attempt to directly modify executable system memory
• Don't use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks other security attacks against SMM. | diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md deleted file mode 100644 index 6fb73d0cd6..0000000000 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -title: Get support -description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT). -ms.prod: windows-client -ms.localizationpriority: medium -ms.author: dansimp -author: dulcemontemayor -manager: aaroncz -ms.topic: conceptual -ms.date: 06/25/2018 -ms.reviewer: -ms.technology: itpro-security ---- - -# Get Support for Windows baselines - -## Frequently asked questions - -### What is the Microsoft Security Compliance Manager (SCM)? - -The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. - -For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). - -### Where can I get an older version of a Windows baseline? - -Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix). 
- -- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353) -- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) -- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) -- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) - -### What file formats are supported by the new SCT? - -The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported. - -### Does SCT support the Desired State Configuration (DSC) file format? - -Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features. - -### Does SCT support the creation of Microsoft Configuration Manager DCM packs? - -No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement). - -### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies? - -No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. 
The new toolkit also doesn't include SCAP support. - -## Version matrix - -### Client versions - -| Name | Build | Baseline release date | Security tools | -|---|---|---|---| -| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft)

[Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final)

[Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)

[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final)

[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017

August 2017

October 2016

January 2016

January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -### Server versions - -| Name | Build | Baseline release date | Security tools | -|---|---|---|---| -|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)| -|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - -### Microsoft products - -| Name | Details | Security tools | -|--|--|--| -| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | -| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) | - 
-> [!NOTE] -> Browser baselines are built-in to new OS versions starting with Windows 10. - -## See also - -[Windows security baselines](windows-security-baselines.md) diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png deleted file mode 100644 index 3fae6eba9a..0000000000 Binary files a/windows/security/threat-protection/images/AH_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png deleted file mode 100644 index e69ea2a796..0000000000 Binary files a/windows/security/threat-protection/images/SS_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png deleted file mode 100644 index 63f8c75929..0000000000 Binary files a/windows/security/threat-protection/images/TVM_icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png deleted file mode 100644 index 7e4e011d4f..0000000000 Binary files a/windows/security/threat-protection/images/Untitled-1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/air-icon.png b/windows/security/threat-protection/images/air-icon.png deleted file mode 100644 index 985e3e4429..0000000000 Binary files a/windows/security/threat-protection/images/air-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-icon.png b/windows/security/threat-protection/images/asr-icon.png deleted file mode 100644 index bf649e87ec..0000000000 Binary files a/windows/security/threat-protection/images/asr-icon.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png deleted file mode 100644 index 2f8eb02556..0000000000 Binary files a/windows/security/threat-protection/images/asr-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png deleted file mode 100644 index fa6285cb56..0000000000 Binary files a/windows/security/threat-protection/images/asr-rules-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png deleted file mode 100644 index 569ee7a256..0000000000 Binary files a/windows/security/threat-protection/images/asr-test-tool.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png deleted file mode 100644 index f93dbe34e3..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-app-ps.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png deleted file mode 100644 index afb220f764..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-app.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png deleted file mode 100644 index 88cd35c6ce..0000000000 Binary files a/windows/security/threat-protection/images/cfa-allow-folder-ps.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png deleted file mode 100644 index 89abf15424..0000000000 Binary files a/windows/security/threat-protection/images/cfa-audit-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png deleted file mode 100644 index 96e6874361..0000000000 Binary files a/windows/security/threat-protection/images/cfa-filecreator.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png deleted file mode 100644 index f8d3056d80..0000000000 Binary files a/windows/security/threat-protection/images/cfa-gp-enable.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png deleted file mode 100644 index 62ca8c3021..0000000000 Binary files a/windows/security/threat-protection/images/cfa-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png deleted file mode 100644 index 7441a54834..0000000000 Binary files a/windows/security/threat-protection/images/cfa-on.png and /dev/null differ diff --git a/windows/security/threat-protection/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png deleted file mode 100644 index a61b54a696..0000000000 Binary files a/windows/security/threat-protection/images/cfa-prot-folders.png and /dev/null differ diff --git a/windows/security/threat-protection/images/check-no.png b/windows/security/threat-protection/images/check-no.png deleted file mode 100644 index 040c7d2f63..0000000000 Binary files a/windows/security/threat-protection/images/check-no.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png deleted file mode 100644 index f9a64efbd7..0000000000 Binary files a/windows/security/threat-protection/images/create-endpoint-protection-profile.png and /dev/null differ diff --git a/windows/security/threat-protection/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png deleted file mode 100644 index 1253d68613..0000000000 Binary files a/windows/security/threat-protection/images/create-exploit-guard-policy.png and /dev/null differ diff --git a/windows/security/threat-protection/images/edr-icon.png b/windows/security/threat-protection/images/edr-icon.png deleted file mode 100644 index 8c750dee42..0000000000 Binary files a/windows/security/threat-protection/images/edr-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png deleted file mode 100644 index ddf0ca23e9..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-app-allow.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png deleted file mode 100644 index 7401e1e87f..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-app-folder.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png deleted file mode 100644 index f8e4dc98d1..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-app.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png deleted file mode 100644 index 620d786868..0000000000 Binary files a/windows/security/threat-protection/images/enable-cfa-intune.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png deleted file mode 100644 index e89118fd47..0000000000 Binary files a/windows/security/threat-protection/images/enable-ep-intune.png and /dev/null differ diff --git a/windows/security/threat-protection/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png deleted file mode 100644 index 604dceff4c..0000000000 Binary files a/windows/security/threat-protection/images/enable-np-intune.png and /dev/null differ diff --git a/windows/security/threat-protection/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png deleted file mode 100644 index eafac1db7a..0000000000 Binary files a/windows/security/threat-protection/images/ep-default.png and /dev/null differ diff --git a/windows/security/threat-protection/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png deleted file mode 100644 index d36cdd8498..0000000000 Binary files a/windows/security/threat-protection/images/ep-prog.png and /dev/null differ diff --git a/windows/security/threat-protection/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png deleted file mode 100644 index 96d12d3af1..0000000000 Binary files a/windows/security/threat-protection/images/event-viewer-import.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif deleted file mode 100644 index 7909bfe728..0000000000 Binary files a/windows/security/threat-protection/images/event-viewer.gif and /dev/null differ diff --git a/windows/security/threat-protection/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif deleted file mode 100644 index 68f057de3a..0000000000 Binary files a/windows/security/threat-protection/images/events-create.gif and /dev/null differ diff --git a/windows/security/threat-protection/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif deleted file mode 100644 index 55e77c546f..0000000000 Binary files a/windows/security/threat-protection/images/events-import.gif and /dev/null differ diff --git a/windows/security/threat-protection/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png deleted file mode 100644 index d7b921aa69..0000000000 Binary files a/windows/security/threat-protection/images/exp-prot-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/get-support.png b/windows/security/threat-protection/images/get-support.png deleted file mode 100644 index 427ba670de..0000000000 Binary files a/windows/security/threat-protection/images/get-support.png and /dev/null differ diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png deleted file mode 100644 index 75540493da..0000000000 Binary files a/windows/security/threat-protection/images/lab-creation-page.png and /dev/null differ diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png deleted file mode 100644 index f8c9c07b16..0000000000 Binary files a/windows/security/threat-protection/images/linux-mdatp-1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png deleted file mode 100644 index f8c9c07b16..0000000000 Binary files a/windows/security/threat-protection/images/linux-mdatp.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig1.png b/windows/security/threat-protection/images/mobile-security-guide-fig1.png deleted file mode 100644 index 4bdc6c0c9c..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig2.png b/windows/security/threat-protection/images/mobile-security-guide-fig2.png deleted file mode 100644 index becb48f0ed..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig2.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure3.png b/windows/security/threat-protection/images/mobile-security-guide-figure3.png deleted file mode 100644 index f78d187b04..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure3.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure4.png b/windows/security/threat-protection/images/mobile-security-guide-figure4.png deleted file mode 100644 index 6f9b3725f8..0000000000 Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure4.png and /dev/null differ diff --git a/windows/security/threat-protection/images/mte-icon.png b/windows/security/threat-protection/images/mte-icon.png deleted file mode 100644 index 1d5693a399..0000000000 Binary files a/windows/security/threat-protection/images/mte-icon.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/ngp-icon.png b/windows/security/threat-protection/images/ngp-icon.png deleted file mode 100644 index 9aca3db517..0000000000 Binary files a/windows/security/threat-protection/images/ngp-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png deleted file mode 100644 index 69eb1bbeee..0000000000 Binary files a/windows/security/threat-protection/images/np-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png deleted file mode 100644 index 4ec2be97af..0000000000 Binary files a/windows/security/threat-protection/images/powershell-example.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png deleted file mode 100644 index 00225ec18c..0000000000 Binary files a/windows/security/threat-protection/images/sccm-asr-blocks.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png deleted file mode 100644 index dfb1cb201b..0000000000 Binary files a/windows/security/threat-protection/images/sccm-asr-rules.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png deleted file mode 100644 index 2868712541..0000000000 Binary files a/windows/security/threat-protection/images/sccm-cfa-block.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png deleted file mode 100644 index bd2e57d73f..0000000000 Binary files a/windows/security/threat-protection/images/sccm-cfa.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png deleted file mode 100644 index d7a896332a..0000000000 Binary files a/windows/security/threat-protection/images/sccm-ep-xml.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png deleted file mode 100644 index 1d16250401..0000000000 Binary files a/windows/security/threat-protection/images/sccm-ep.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png deleted file mode 100644 index 0655fdad69..0000000000 Binary files a/windows/security/threat-protection/images/sccm-np-block.png and /dev/null differ diff --git a/windows/security/threat-protection/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png deleted file mode 100644 index a9f11a2e95..0000000000 Binary files a/windows/security/threat-protection/images/sccm-np.png and /dev/null differ diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png deleted file mode 100644 index 06f66acf99..0000000000 Binary files a/windows/security/threat-protection/images/seccon-framework.png and /dev/null differ diff --git a/windows/security/threat-protection/images/security-compliance-toolkit-1.png b/windows/security/threat-protection/images/security-compliance-toolkit-1.png deleted file mode 100644 index 270480af39..0000000000 Binary files a/windows/security/threat-protection/images/security-compliance-toolkit-1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png deleted file mode 100644 index 75467f2098..0000000000 Binary files a/windows/security/threat-protection/images/security-control-classification.png and /dev/null differ diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png deleted file mode 100644 index 4f869474e2..0000000000 Binary files a/windows/security/threat-protection/images/security-control-deployment-methodologies.png and /dev/null differ diff --git a/windows/security/threat-protection/images/security-update.png b/windows/security/threat-protection/images/security-update.png deleted file mode 100644 index f7ca20f34e..0000000000 Binary files a/windows/security/threat-protection/images/security-update.png and /dev/null differ diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg deleted file mode 100644 index e79d2b057d..0000000000 Binary files a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg and /dev/null differ diff --git a/windows/security/threat-protection/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg deleted file mode 100644 index 89a87afa8b..0000000000 --- a/windows/security/threat-protection/images/svg/check-no.svg +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark no - - \ No newline at end of file diff --git a/windows/security/threat-protection/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg deleted file mode 100644 index 483ff5fefc..0000000000 --- a/windows/security/threat-protection/images/svg/check-yes.svg +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file 
diff --git a/windows/security/threat-protection/images/tpm-capabilities.png b/windows/security/threat-protection/images/tpm-capabilities.png deleted file mode 100644 index aecbb68522..0000000000 Binary files a/windows/security/threat-protection/images/tpm-capabilities.png and /dev/null differ diff --git a/windows/security/threat-protection/images/tpm-remote-attestation.png b/windows/security/threat-protection/images/tpm-remote-attestation.png deleted file mode 100644 index fa092591a1..0000000000 Binary files a/windows/security/threat-protection/images/tpm-remote-attestation.png and /dev/null differ diff --git a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/images/turn-windows-features-on-or-off.png deleted file mode 100644 index 8d47a53b51..0000000000 Binary files a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png and /dev/null differ diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png deleted file mode 100644 index 6a1cc80fd4..0000000000 Binary files a/windows/security/threat-protection/images/vbs-example.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna1.png b/windows/security/threat-protection/images/wanna1.png deleted file mode 100644 index e90d1cc12c..0000000000 Binary files a/windows/security/threat-protection/images/wanna1.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna2.png b/windows/security/threat-protection/images/wanna2.png deleted file mode 100644 index 7b4a1dcd97..0000000000 Binary files a/windows/security/threat-protection/images/wanna2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/wanna3.png b/windows/security/threat-protection/images/wanna3.png deleted file mode 100644 index 9b0b176366..0000000000 Binary files a/windows/security/threat-protection/images/wanna3.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna4.png b/windows/security/threat-protection/images/wanna4.png deleted file mode 100644 index 17fefde707..0000000000 Binary files a/windows/security/threat-protection/images/wanna4.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna5.png b/windows/security/threat-protection/images/wanna5.png deleted file mode 100644 index 92ecf67d20..0000000000 Binary files a/windows/security/threat-protection/images/wanna5.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna6.png b/windows/security/threat-protection/images/wanna6.png deleted file mode 100644 index 26824af34d..0000000000 Binary files a/windows/security/threat-protection/images/wanna6.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna7.png b/windows/security/threat-protection/images/wanna7.png deleted file mode 100644 index 634bd1449d..0000000000 Binary files a/windows/security/threat-protection/images/wanna7.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wanna8.png b/windows/security/threat-protection/images/wanna8.png deleted file mode 100644 index 59b42eb6f6..0000000000 Binary files a/windows/security/threat-protection/images/wanna8.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png deleted file mode 100644 index 8a67d190b7..0000000000 Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png deleted file mode 100644 index 312167da41..0000000000 Binary files a/windows/security/threat-protection/images/wdeg.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png deleted file mode 100644 index 01801a519d..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png deleted file mode 100644 index 38404d7569..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png deleted file mode 100644 index eac90e96f5..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-export.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png deleted file mode 100644 index 53edeb6135..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png deleted file mode 100644 index 67abde13e0..0000000000 Binary files a/windows/security/threat-protection/images/wdsc-exp-prot.png and /dev/null differ 
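Review bot: nothing in these binary deletions shows that the removed images are no longer referenced by pages that stay in the repo. vbs-example.png and powershell-example.png are accounted for, because mbsa-removal-and-guidance.md, which embeds them, is deleted in the same patch, but the cfa-*.png, sccm-*.png, wanna*.png and wdsc-exp-prot*.png removals have no matching article deletion in view. Search the repo for each removed file name before merging so that no remaining article is left with a dead image link.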
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md deleted file mode 100644 index 307fd1ee4b..0000000000 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) -description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. -ms.prod: windows-client -ms.localizationpriority: medium -ms.author: dansimp -author: dansimp -ms.reviewer: -manager: aaroncz -ms.technology: itpro-security -ms.date: 12/31/2017 -ms.topic: article ---- - -# What is Microsoft Baseline Security Analyzer and its uses? - -Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. - -MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016. - -> [!NOTE] -> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. 
- -## The Solution -A script can help you with an alternative to MBSA’s patch-compliance checking: - -- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. -For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0). - -For example: - -[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) -[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) - -The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. -The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers. - -## More Information - -For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit. - -- [Windows security baselines](windows-security-baselines.md) -- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) -- [Microsoft Security Guidance blog](/archive/blogs/secguide/) \ No newline at end of file 
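Review bot: the NOTE block in this deleted article (Wsusscn2.cab now signed with SHA-256 only, and MBSA returning "The catalog file is damaged or an invalid catalog." starting with the August 2020 file) is guidance that administrators who verify signatures on the offline scan file still rely on, and the deletion shows no replacement for it. Before merging, confirm that the redirect configured for mbsa-removal-and-guidance.md lands on a page that keeps that note and the two "Using WUA to Scan for Updates Offline" links, or move them to a page that stays published instead of dropping them.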
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png deleted file mode 100644 index 08cb4d5676..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png deleted file mode 100644 index 9e58d99ead..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png deleted file mode 100644 index 877b707030..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png deleted file mode 100644 index 5172022256..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png deleted file mode 100644 index daa96d291d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg deleted file mode 100644 index 21a6b4f235..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg deleted file mode 100644 index ab2d5152ca..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - - MsPortalFx.base.images-10 - - - - - - - - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg deleted file mode 100644 index dbbad7d780..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg +++ /dev/null @@ -1,3 +0,0 @@ - - - \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg deleted file mode 100644 index 06ab4c09d7..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - Icon-general-18 - - - \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png deleted file mode 100644 index a3286fb528..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png deleted file mode 100644 index e51cd9384c..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md deleted file mode 100644 index 0ee92c6736..0000000000 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows) -description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. -ms.prod: windows-client -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/13/2017 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.technology: itpro-security -ms.topic: how-to ---- - -# Set up and use Microsoft Defender SmartScreen on individual devices - -**Applies to:** -- Windows 10, version 1703 -- Windows 11 -- Microsoft Edge - -Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files. - -## How users can use Windows Security to set up Microsoft Defender SmartScreen -Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it. - ->[!NOTE] ->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. - -**To use Windows Security to set up Microsoft Defender SmartScreen on a device** -1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**. - -2. In the **Reputation-based protection** screen, choose from the following options: - - - In the **Check apps and files** area: - - - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue. 
- - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - - In the **Microsoft Defender SmartScreen for Microsoft Edge** area: - - - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge. - - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files. - - In the **Potentially unwanted app blocking** area: - - - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md#potentially-unwanted-application-pua). - - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device. - - - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium). - - - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps. - - - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area: - - - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue. - - - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. 
- - ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png) - -## How Microsoft Defender SmartScreen works when a user tries to run an app -Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization. - -By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended). - -## How users can report websites as safe or unsafe -Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. - -**To report a website as safe from the warning message** -- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. - -**To report a website as unsafe from Microsoft Edge** -- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. 
- -**To report a website as unsafe from Internet Explorer 11** -- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. - -## Related topics -- [Threat protection](../index.md) - -- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 1afd00892e..1aa90a6526 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md 
@@ -47,7 +47,7 @@ Because vulnerabilities can exist when this value is configured and when it's no ### Best practices -The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization. +The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization. As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). 
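Review bot: In the Best practices paragraph of account-lockout-threshold.md, the edited sentence still reads "recommend a value of 10 could be an acceptable starting point", which is ungrammatical and leaves it unclear whether 10 is the baseline's recommendation or only a suggested starting point. Since the line is already being rewritten for the link, reword it, for example "recommend a value of 10, which could be an acceptable starting point for your organization". The link also changes from a relative `.md` path to a site-absolute path without the extension; please confirm that target resolves in the published build.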
@@ -117,7 +117,7 @@ Because vulnerabilities can exist when this value is configured and when it's no - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. + [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index bd80ebe594..760392434f 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md 
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts). There are two options if this setting is enabled: diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png deleted file mode 100644 index 52acafba66..0000000000 Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png and /dev/null differ diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png deleted file mode 100644 index 858be4e70e..0000000000 Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png and /dev/null differ 
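Review bot: In the Reference paragraph of accounts-block-microsoft-accounts.md (hunk @@ -27,7 +27,7 @@), the "Microsoft Accounts" link now points into a different doc set, `/windows-server/identity/ad-ds/manage/understand-microsoft-accounts`, where the removed target was `../../identity-protection/access-control/microsoft-accounts.md`. Please confirm the new page covers the same material for readers of this client policy setting and that the old article has a redirect, because this paragraph relies on the link for the single sign-on background it does not explain itself.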
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png deleted file mode 100644 index 2efa6877c8..0000000000 Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png and /dev/null differ diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md deleted file mode 100644 index f0dbde13f1..0000000000 --- a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 1/4/2019 -ms.reviewer: -manager: aaroncz -ms.topic: include -ms.prod: m365-security ---- -Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 91919d8ae3..92341b9213 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md 
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re ### Best practices -The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting. +The [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) don't recommend configuring this setting. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 02c1a25fd5..f9b90574fd 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -35,7 +35,7 @@ The **Minimum password age** policy setting determines the period of time (in da ### Best practices -[Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day. +[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend setting **Minimum password age** to one day. Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 1891e3b322..275d4a0bd8 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md 
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. -[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). +[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). ### Location @@ -69,7 +69,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the ### Countermeasure -[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15. +[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15. ### Potential impact 
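Review bot: In the Countermeasure hunk of reset-account-lockout-counter-after.md (and the Best practices hunk above it), the recommended value is a bare "15" with no unit, in both the removed and the added line. While these lines are being edited, state the unit so the recommendation can be applied without opening the linked baseline, and keep the two occurrences worded the same.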
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index f8f1af1c61..205e5f9c9a 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -59,7 +59,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode. -For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md). +For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md). ### Location diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md deleted file mode 100644 index acdfc6b79b..0000000000 
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ /dev/null 
@@ -1,165 +0,0 @@ ---- -title: Use audit events to create then enforce WDAC policy rules (Windows) -description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: windows-client -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -author: jsuther1974 -ms.reviewer: jogeurte -ms.author: vinpa -manager: aaroncz -ms.date: 05/03/2021 -ms.technology: itpro-security -ms.topic: article ---- - -# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced - -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). - -Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your Windows Defender Application Control policy (WDAC) but should be included. - -While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed. - -## Overview of the process to create WDAC policy to allow apps using audit events - -> [!NOTE] -> You must have already deployed a WDAC audit mode policy to use this process. 
If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md). - -To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy. - -1. Install and run an application not allowed by the WDAC policy but that you want to allow. - -2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md). - - **Figure 1. Exceptions to the deployed WDAC policy**
- - ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png) - -3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**. - - ```powershell - $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" - $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml" - $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt" - ``` - -4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**. - - ```powershell - New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings - ``` - - > [!NOTE] - > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md). - -5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. 
You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)). - -6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level. - - > [!NOTE] - > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**. - -7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy. - - For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md). - -8. Convert the Base or Supplemental policy to binary and deploy using your preferred method. - -## Convert WDAC **BASE** policy from audit to enforced - -As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. 
- -**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout. - -Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode. - -1. Initialize the variables that will be used and create the enforced policy by copying the audit version. - - ```powershell - $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced" - $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml" - $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml" - cp $AuditPolicyXML $EnforcedPolicyXML - ``` - -2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step. - - ```powershell - $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID - $EnforcedPolicyID = $EnforcedPolicyID.Substring(11) - ``` - - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. - -3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. 
Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment. - - ```powershell - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9 - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10 - ``` - -4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement: - - ```powershell - Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete - ``` - -5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary: - - > [!NOTE] - > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML. - - ```powershell - $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml" - ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary - ``` - -## Make copies of any needed **supplemental** policies to use with the enforced base policy - -Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure. - -1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used. 
- - ```powershell - $SupplementalPolicyName = "Lamna_Supplemental1" - $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml" - $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml" - ``` - -2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement. - - ```powershell - $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID - $SupplementalPolicyID = $SupplementalPolicyID.Substring(11) - ``` - - > [!NOTE] - > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly. - -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary: - - ```powershell - $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml" - ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary - ``` - -4. Repeat the steps above if you have other supplemental policies to update. - -## Deploy your enforced policy and supplemental policies - -Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md). 
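Review bot: Before this page is removed, confirm that the audit-to-enforced procedure it holds is published elsewhere and that the deleted path has a redirect; the text links to `audit-windows-defender-application-control-policies.md`, which suggests a split, but no replacement is visible in this part of the diff. If the content was carried over, fix one defect on the way: step 1 under "Make copies of any needed supplemental policies" says it creates a copy of the current supplemental policy, yet its block only assigns `$CurrentSupplementalPolicy` and `$EnforcedSupplementalPolicy` and never copies the file, so the `Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy` call in step 2 runs against a file that was never created.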
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png deleted file mode 100644 index dac1240786..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png deleted file mode 100644 index 6d265509ea..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png deleted file mode 100644 index cefb124344..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png deleted file mode 100644 index 938e397751..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png deleted file mode 100644 index 3c93b2b948..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png deleted file mode 100644 index 4f6746eddf..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png deleted file mode 100644 index e3729e8214..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png deleted file mode 100644 index 782c2017ae..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png deleted file mode 100644 index b9a4b1881f..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png deleted file mode 100644 index 25f73eb190..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png deleted file mode 100644 index d640052d26..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png deleted file mode 100644 index 3a33c13350..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png deleted file mode 100644 index 12ec2b924f..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png deleted file mode 100644 index 5cdb4cf3c4..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png deleted file mode 100644 index 8ef2d0e3ce..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png deleted file mode 100644 index f201956d4d..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png deleted file mode 100644 index 0c5eacc3f9..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png deleted file mode 100644 index 98e5507000..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png deleted file mode 100644 index 1b5483103b..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png deleted file mode 100644 index c37d55910d..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png deleted file mode 100644 index e132440266..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png deleted file mode 100644 index cbd0366eff..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png deleted file mode 100644 index 4d8325baa6..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png deleted file mode 100644 index e5ae089d6b..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png deleted file mode 100644 index 55f5173b03..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png deleted file mode 100644 index 67df953a08..0000000000 Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png deleted file mode 100644 index 363648cbc0..0000000000 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png deleted file mode 100644 index eec35c6dcf..0000000000 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png deleted file mode 100644 index abf5a30659..0000000000 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md deleted file mode 100644 index a3773ffe67..0000000000 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Manage Windows Security in Windows 10 in S mode -description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance. -keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows -search.product: eADQiWindows 10XVcnh -ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 04/30/2018 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-security -ms.topic: how-to ---- - -# Manage Windows Security in Windows 10 in S mode - -**Applies to** - -- Windows 10 in S mode, version 1803 - -Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. - -The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. - -:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." 
source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: - -For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). - -## Managing Windows Security settings with Intune - -In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. - -For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](/intune/endpoint-protection-windows-10). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png deleted file mode 100644 index 99e8cb1384..0000000000 Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png deleted file mode 100644 index fbd6a798b0..0000000000 Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png deleted file mode 100644 index 865af86b19..0000000000 Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index f605793303..6c14ed44e0 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -23,7 +23,7 @@ ms.topic: conceptual - Windows 11 - Windows 10 -This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective. +This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective. > [!NOTE] > System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard). 
@@ -76,7 +76,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png) > [!NOTE] -> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). +> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). > [!NOTE] > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md deleted file mode 100644 index 759c9f4ce3..0000000000 
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ /dev/null @@ -1,33 +0,0 @@ ---- -title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) -description: Evaluating Windows Defender Firewall with Advanced Security Design Examples -ms.reviewer: jekrynit -ms.author: paoloma -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz -ms.topic: conceptual -ms.date: 09/08/2021 -ms.technology: itpro-security -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 ---- - -# Evaluating Windows Defender Firewall with Advanced Security Design Examples - - -The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. - -- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md) - -- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) - -- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) - -- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) - diff --git a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif deleted file mode 100644 index 5c7dfb0ebc..0000000000 Binary files a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md deleted file mode 100644 index 430a461918..0000000000 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -title: Procedures Used in This Guide (Windows) -description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. -ms.reviewer: jekrynit -ms.author: paoloma -ms.prod: windows-client -ms.localizationpriority: medium -author: paolomatarazzo -manager: aaroncz -ms.topic: conceptual -ms.date: 09/08/2021 -ms.technology: itpro-security -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 ---- - -# Procedures Used in This Guide - - -The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. - -- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) - -- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) - -- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) - -- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) - -- [Configure Authentication Methods](configure-authentication-methods.md) - -- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) - -- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) - -- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) - -- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) - -- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md) - -- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) - -- 
[Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) - -- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) - -- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) - -- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) - -- [Create a Group Policy Object](create-a-group-policy-object.md) - -- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) - -- [Create an Authentication Request Rule](create-an-authentication-request-rule.md) - -- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) - -- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) - -- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) - -- [Create an Outbound Port Rule](create-an-outbound-port-rule.md) - -- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) - -- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) - -- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) - -- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) - -- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) - -- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) - -- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) - -- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) - -- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) - -- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced 
Security](open-the-group-policy-management-console-to-windows-firewall.md) - -- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) - -- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) - -- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) - -- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png deleted file mode 100644 index 94be89b74f..0000000000 Binary files a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png deleted file mode 100644 index 242f5dd9bc..0000000000 Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and /dev/null differ
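Review bot: In system-guard-secure-launch-and-smm-protection.md, hunk `@@ -23,7 +23,7`, the rewritten intro link and the NOTE two lines below it now point at the same article in two different styles: the intro uses the site-relative URL `/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows`, while the NOTE keeps the relative file link `how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard`. Both files sit in the same folder, so I would use the relative `.md` form in the intro as well; that keeps the link tied to a file in the repository and matches the unchanged context line.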
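Review bot: In system-guard-secure-launch-and-smm-protection.md, hunk `@@ -76,7 +76,7`, the changed NOTE now mixes link styles within one sentence: the System Guard link is a site-relative URL, while the Device Guard and Credential Guard links next to it remain relative `.md` paths (`../device-guard/...` and `../../identity-protection/credential-guard/credential-guard-requirements.md`). Please pick one style for the sentence, preferably the relative `.md` form since the target is in the same folder. While this line is being edited, "System Guard Secure launch" should also read "System Guard Secure Launch", matching the capitalization used in "To verify that Secure Launch is running" in the hunk header context.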
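Review bot: Deleting wdsc-windows-10-in-s-mode.md (hunk `@@ -1,38 +0,0`) removes the management guidance in its "Managing Windows Security settings with Intune" section: that devices in S mode can only be managed with Microsoft Intune or other mobile device management apps, and that S mode prevents changes via PowerShell scripts. Nothing else visible in this patch carries that statement, so please confirm it survives in another article, or move those two sentences there in this change. The screenshot security-center-virus-and-threat-protection-windows-10-in-s-mode.png is deleted in the same patch, which is consistent, but any table-of-contents entry or inbound link to this article needs to be removed or redirected too.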
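Review bot: Deleting evaluating-windows-firewall-with-advanced-security-design-examples.md (hunk `@@ -1,33 +0,0`) removes the landing page for four design example articles (firewall-policy-design-example.md, domain-isolation-policy-design-example.md, server-isolation-policy-design-example.md, certificate-based-isolation-policy-design-example.md), none of which is deleted in the visible part of this patch. Please confirm those four pages are still reachable from the table of contents or a parent article, otherwise they become orphaned.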
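Review bot: Deleting procedures-used-in-this-guide.md (hunk `@@ -1,96 +0,0`) needs a check of the checklists it serves: the article's own text says its procedures "appear in the checklists found earlier in this document", so the checklist pages and the table of contents may link back to this index. Please search the windows-firewall folder for references to `procedures-used-in-this-guide.md` and update them in this change, and confirm each of the listed procedure pages (for example configure-the-windows-firewall-log.md and verify-that-network-traffic-is-authenticated.md) stays reachable without this index. The wfas-icon-checkbox.gif image is removed in the same patch, so the same search should cover references to it.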