This commit is contained in:
Liza Poggemeyer
2019-06-12 15:28:43 -07:00
7 changed files with 70 additions and 54 deletions

View File

@ -142,7 +142,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring"
### Move the Recovery Database from Server A to Server B ### Move the Recovery Database from Server A to Server B
Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B. Use Windows Explorer to move the **MBAM Recovery Database Data.bak** file from Server A to Server B.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
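
Review bot: the corrected backup file name in the Windows Explorer step should be checked against the PowerShell command that the next sentence introduces, which lies outside this hunk. The old text named the Compliance Status backup under a "Move the Recovery Database" heading, so the same copy-and-paste slip may be present in the command; confirm it also moves **MBAM Recovery Database Data.bak**.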

View File

@ -38,7 +38,7 @@ There are a couple of things we need to know when you pay for apps. You can add
## Allow users to shop ## Allow users to shop
**Allow users to shop** controls the shopping experience in Microsoft Store for Education. When this setting is on, **Purchasers** and **Basic Purchasers** can purchase products and services from Microsoft Store for Education. If your school chooses to closely control how purchases are made, admins can turn off **Allow users to shop**. When the setting is off: **Allow users to shop** controls the shopping experience in Microsoft Store for Education. When this setting is on, **Purchasers** and **Basic Purchasers** can purchase products and services from Microsoft Store for Education. If your school chooses to closely control how purchases are made, admins can turn off **Allow users to shop**. When the setting is off:
- The shopping experience is not availalbe - The shopping experience is not available
- **Purchasers** and **Basic Purchasers** can't purchase products and services from Microsoft Store for Education - **Purchasers** and **Basic Purchasers** can't purchase products and services from Microsoft Store for Education
- Admins can't assign shopping roles to users - Admins can't assign shopping roles to users
- Products and services previously purchased by **Basic Purchasers** can be managed by admins. - Products and services previously purchased by **Basic Purchasers** can be managed by admins.
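
Review bot: list punctuation is inconsistent in the "When the setting is off" bullets: the last item ends with a period and the first three do not. Since the list is being touched for the spelling fix, either drop the trailing period on the last bullet or end every bullet with one.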

View File

@ -83,12 +83,17 @@ The following list shows the supported values:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
> To manage encryption of PCs and devices, use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
Footnote: Footnote:
- 1 - Added in Windows 10, version 1607. - 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703. - 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709. - 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803. - 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
<!--/Policies--> <!--/Policies-->
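
Review bot: the added BitLocker CSP note sits after the closing `<!--/Policy-->` and `<hr/>`, so it is not attached to any policy and reads as part of the footnote list; move it inside the description of the encryption policy it qualifies. The sentence is also missing its closing period. For the new footnotes 5 and 6, confirm that at least one policy in this file actually carries those markers, otherwise they are dead entries.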

View File

@ -2638,6 +2638,9 @@ GP Info:
<!--Policy--> <!--Policy-->
<a href="" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** <a href="" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
> [!Warning]
> Starting with Windows 10 version 1803, this policy is deprecated.
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
<tr> <tr>
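
Review bot: the deprecation warning under RecoveryConsole_AllowAutomaticAdministrativeLogon does not say what happens when the policy is still configured on version 1803 or later, or what admins should use instead. For a setting that controls automatic administrative logon, state whether the value is ignored so nobody relies on it as a control. The alert tag is also written `[!Warning]` while the other alerts in this commit use upper case (`[!NOTE]`, `[!IMPORTANT]`).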

View File

@ -31,59 +31,59 @@ Heres an example to set AssignedAccess configuration:
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. 3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
4. Execute the following script: 4. Execute the following script:
```ps ```xml
$nameSpaceName="root\cimv2\mdm\dmmap" $nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess" $className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @" $obj.Configuration = @"
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt; <?xml version="1.0" encoding="utf-8" ?>
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt; <AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
&lt;Profiles&gt; <Profiles>
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt; <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
&lt;AllAppsList&gt; <AllAppsList>
&lt;AllowedApps&gt; <AllowedApps>
&lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt; <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
&lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt; <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
&lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt; <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
&lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt; <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
&lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt; <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
&lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt; <App DesktopAppPath="%windir%\system32\mspaint.exe" />
&lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt; <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
&lt;/AllowedApps&gt; </AllowedApps>
&lt;/AllAppsList&gt; </AllAppsList>
&lt;StartLayout&gt; <StartLayout>
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt; <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt; <LayoutOptions StartTileGroupCellWidth="6" />
&lt;DefaultLayoutOverride&gt; <DefaultLayoutOverride>
&lt;StartLayoutCollection&gt; <StartLayoutCollection>
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt; <defaultlayout:StartLayout GroupCellWidth="6">
&lt;start:Group Name=&quot;Group1&quot;&gt; <start:Group Name="Group1">
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt; <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt; <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt; <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt; <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt; <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
&lt;/start:Group&gt; </start:Group>
&lt;start:Group Name=&quot;Group2&quot;&gt; <start:Group Name="Group2">
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk&quot; /&gt; <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk&quot; /&gt; <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
&lt;/start:Group&gt; </start:Group>
&lt;/defaultlayout:StartLayout&gt; </defaultlayout:StartLayout>
&lt;/StartLayoutCollection&gt; </StartLayoutCollection>
&lt;/DefaultLayoutOverride&gt; </DefaultLayoutOverride>
&lt;/LayoutModificationTemplate&gt; </LayoutModificationTemplate>
]]&gt; ]]>
&lt;/StartLayout&gt; </StartLayout>
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt; <Taskbar ShowTaskbar="true"/>
&lt;/Profile&gt; </Profile>
&lt;/Profiles&gt; </Profiles>
&lt;Configs&gt; <Configs>
&lt;Config&gt; <Config>
&lt;Account&gt;MultiAppKioskUser&lt;/Account&gt; <Account>MultiAppKioskUser</Account>
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt; <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
&lt;/Config&gt; </Config>
&lt;/Configs&gt; </Configs>
&lt;/AssignedAccessConfiguration&gt; </AssignedAccessConfiguration>
"@ "@
Set-CimInstance -CimInstance $obj Set-CimInstance -CimInstance $obj
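
Review bot: un-escaping the here-string assigned to `$obj.Configuration` changes what the script sends to MDM_AssignedAccess, not only how the sample renders. The old side passed entity-escaped text (`&lt;AssignedAccessConfiguration ...&gt;`), the new side passes raw XML; please confirm on a test device that `Set-CimInstance` accepts the raw form, or keep the readable XML and encode it in the script before assignment. Separately, the fence tag went from `ps` to `xml`, but the block is a PowerShell script that embeds XML (`$nameSpaceName=...`, `Get-CimInstance`, `Set-CimInstance`), so it should be tagged `powershell`.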

View File

@ -29,7 +29,7 @@ Devices and shared workstations that are online and available 24 hours a day, 7
You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example: You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
- **LTSC feature updates.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade. - **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments. - **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs. - **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
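
Review bot: the retitled first bullet, "Upgrade to the next LTSC release.", breaks the parallel form of the list; the other two bullets are noun phrases ("Additional required tasks.", "Language pack installs."). Something like "LTSC release upgrades." keeps the new meaning and the list style. The body text still speaks of "feature updates" on the LTSC branch, so check that the title and the body use the same term.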

View File

@ -22,13 +22,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!IMPORTANT] >[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files - Executable files and scripts used in Office apps or web mail that attempt to download or run files
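
Review bot: the two versions of the opening sentence disagree on the Windows 10 requirement ("version 1709 or later" against "versions 1704 and 1709 or later"), and 1704 is not a Windows 10 release; the footnote list elsewhere in this commit gives 1607, 1703, 1709, 1803, 1809 and 1903. Whichever side is kept, the wording should name a single minimum version, since "X and Y or later" is redundant as a range. The minimum matters here because it tells admins which machines the rules actually protect.
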
@ -63,6 +67,8 @@ Event ID | Description
1121 | Event when rule fires in Block-mode 1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode 1122 | Event when rule fires in Audit-mode
The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
## Attack surface reduction rules ## Attack surface reduction rules
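
Review bot: the last clause of the added sentence, "so this feature works on all machines with Windows 10 installed", contradicts the requirements stated at the top of the same file, which limit the rules to specific Windows 10 versions and a Windows 10 Enterprise license. Scope the claim to supported versions, or drop it and keep only the point about where the engine version comes from. There is also a stray comma after "event log".
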
@ -207,7 +213,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Block credential stealing from the Windows local security authority subsystem (lsass.exe) ### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE] >[!NOTE]
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
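
Review bot: the rename to "Microsoft Defender Credential Guard" in the LSASS paragraph looks like part of a search-and-replace for the ATP rebrand; please confirm that Credential Guard was included in that rename before publishing. The rest of the paragraph already uses the short form "Credential Guard", so using the short form in this sentence too would avoid the question.
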
@ -284,3 +290,5 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
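
Review bot: the added related-topics link uses an absolute docs.microsoft.com URL while the two links above it are relative `.md` paths. If the target article lives in this repository, link to it relatively so the build validates it and it follows the article if it moves. The link text says "Microsoft Defender" while the URL path still says windows-defender-antivirus; check the text against the target article's current title.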