deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into nimishasatapathy-5178244

Browse Source
This commit is contained in:
Nimisha Satapathy 2021-07-13 22:19:03 +05:30 committed by GitHub
commit 691ef6c62b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
124 changed files with 2368 additions and 1924 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.openpublishing.publish.config.json
View File

@ -129,20 +129,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "SV",
"build_source_folder": "windows/sv",
"build_output_subfolder": "SV",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",

20
.openpublishing.redirection.json
View File

@ -18919,6 +18919,26 @@
"source_path": "windows/security/threat-protection/device-control/device-control-report.md",
"redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report",
"redirect_document_id": false
},
{
"source_path": "windows/privacy/deploy-data-processor-service-windows.md",
"redirect_url": "/windows/privacy/windows-10-and-privacy-compliance",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/intelligence/ransomware-malware.md",
"redirect_url": "/security/compass/human-operated-ransomware",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows",
"redirect_document_id": false
},
{
"source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md",
"redirect_url": "/windows/privacy/windows-10-and-privacy-compliance",
"redirect_document_id": false
}
]
}

2
browsers/internet-explorer/TOC.yml
View File

@ -356,6 +356,6 @@
- name: KB Troubleshoot
items:
- name: Internet Explorer and Microsoft Edge FAQ for IT Pros
href: kb-support/ie-edge-faqs.md
href: kb-support/ie-edge-faqs.yml
- name: Microsoft Edge and Internet Explorer troubleshooting
href: /troubleshoot/browsers/welcome-browsers

220
browsers/internet-explorer/kb-support/ie-edge-faqs.md
View File

@ -1,220 +0,0 @@
---
title: IE and Microsoft Edge FAQ for IT Pros
description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
audience: ITPro
manager: msmets
author: ramakoni1
ms.author: ramakoni
ms.reviewer: ramakoni, DEV_Triage
ms.prod: internet-explorer
ms.technology:
ms.topic: kb-support
ms.custom: CI=111020
ms.localizationpriority: medium
ms.date: 01/23/2020
---
# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
## Cookie-related questions
### What is a cookie?
An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
### How does Internet Explorer handle cookies?
For more information about how Internet Explorer handles cookies, see the following articles:
- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
### Where does Internet Explorer store cookies?
To see where Internet Explorer stores its cookies, follow these steps:
1. Start File Explorer.
2. Select **Views** \> **Change folder and search options**.
3. In the **Folder Options** dialog box, select **View**.
4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
5. Clear **Hide protected operation system files (Recommended)**.
6. Select **Apply**.
7. Select **OK**.
The following are the folder locations where the cookies are stored:
**In Windows 10**
C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
**In Windows 8 and Windows 8.1**
C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
**In Windows 7**
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
### What is the per-domain cookie limit?
Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
The JavaScript limitation was updated to 10 KB from 4 KB.
For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
#### Additional information about cookie limits
**What does the Cookie RFC allow?**
RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
- At least 300 cookies total
- At least 20 cookies per unique host or domain name
For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
### Cookie size limit per domain
Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
## Proxy Auto Configuration (PAC)-related questions
### Is an example Proxy Auto Configuration (PAC) file available?
Here is a simple PAC file:
```vb
function FindProxyForURL(url, host)
{
return "PROXY proxyserver:portnumber";
}
```
> [!NOTE]
> The previous PAC always returns the **proxyserver:portnumber** proxy.
For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
**Third-party information disclaimer**
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
### How to improve performance by using PAC scripts
- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr)
- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/)
## Other questions
### How to set home and start pages in Microsoft Edge and allow user editing
For more information, see the following blog article:
[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/)
### How to add sites to the Enterprise Mode (EMIE) site list
For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
### What is Content Security Policy (CSP)?
By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
For more information, see the following articles:
- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
### Where to find Internet Explorer security zones registry entries
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
The default Zone Keys are stored in the following locations:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
### Why don't HTML5 videos play in Internet Explorer 11?
To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
- 0 (the default value): Allow
- 3: Disallow
This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
### What is the Enterprise Mode Site List Portal?
This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
### What is Enterprise Mode Feature?
For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
### Where can I obtain a list of HTTP Status codes?
For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
### What is end of support for Internet Explorer 11?
Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
### How to configure TLS (SSL) for Internet Explorer
For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
### What is Site to Zone?
Site to Zone usually refers to one of the following:
**Site to Zone Assignment List**
This is a Group Policy policy setting that can be used to add sites to the various security zones.
The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
- Intranet zone
- Trusted Sites zone
- Internet zone
- Restricted Sites zone
If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
**Site to Zone Mapping**
Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
**Site to Zone Assignment List policy**
This policy setting is available for both Computer Configuration and User Configuration:
- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
**References**
[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).

245
browsers/internet-explorer/kb-support/ie-edge-faqs.yml Normal file
View File

@ -0,0 +1,245 @@
### YamlMime:FAQ
metadata:
title: IE and Microsoft Edge FAQ for IT Pros
description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
audience: ITPro
manager: msmets
author: ramakoni1
ms.author: ramakoni
ms.reviewer: ramakoni, DEV_Triage
ms.prod: internet-explorer
ms.technology:
ms.topic: kb-support
ms.custom: CI=111020
ms.localizationpriority: medium
ms.date: 01/23/2020
title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
summary: |
sections:
- name: Cookie-related questions
questions:
- question: |
What is a cookie?
answer: |
An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol.
- question: |
How does Internet Explorer handle cookies?
answer: |
For more information about how Internet Explorer handles cookies, see the following articles:
- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
- question: |
Where does Internet Explorer store cookies?
answer: |
To see where Internet Explorer stores its cookies, follow these steps:
1. Start File Explorer.
2. Select **Views** \> **Change folder and search options**.
3. In the **Folder Options** dialog box, select **View**.
4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**.
5. Clear **Hide protected operation system files (Recommended)**.
6. Select **Apply**.
7. Select **OK**.
The following are the folder locations where the cookies are stored:
**In Windows 10**
C:\Users\username\AppData\Local\Microsoft\Windows\INetCache
**In Windows 8 and Windows 8.1**
C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
**In Windows 7**
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
- question: |
What is the per-domain cookie limit?
answer: |
Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie.
There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value.
The JavaScript limitation was updated to 10 KB from 4 KB.
For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
- name: Additional information about cookie limits
questions:
- question: |
What does the Cookie RFC allow?
answer: |
RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following:
- At least 300 cookies total
- At least 20 cookies per unique host or domain name
For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer.
- question: |
Cookie size limit per domain
answer: |
Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies.
- name: Proxy Auto Configuration (PAC)-related questions
questions:
- question: |
Is an example Proxy Auto Configuration (PAC) file available?
answer: |
Here is a simple PAC file:
```vb
function FindProxyForURL(url, host)
{
return "PROXY proxyserver:portnumber";
}
```
> [!NOTE]
> The previous PAC always returns the **proxyserver:portnumber** proxy.
For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/).
**Third-party information disclaimer**
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
- question: |
How to improve performance by using PAC scripts
answer: |
- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490)
- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance)
- name: Other questions
questions:
- question: |
How to set home and start pages in Microsoft Edge and allow user editing
answer: |
For more information, see the following blog article:
[How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6)
- question: |
How to add sites to the Enterprise Mode (EMIE) site list
answer: |
For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
- question: |
What is Content Security Policy (CSP)?
answer: |
By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run.
For more information, see the following articles:
- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/)
- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
- question: |
Where to find Internet Explorer security zones registry entries
answer: |
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
The default Zone Keys are stored in the following locations:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- question: |
Why don't HTML5 videos play in Internet Explorer 11?
answer: |
To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**.
- 0 (the default value): Allow
- 3: Disallow
This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running)
- question: |
What is the Enterprise Mode Site List Portal?
answer: |
This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
- question: |
What is Enterprise Mode Feature?
answer: |
For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
- question: |
Where can I obtain a list of HTTP Status codes?
answer: |
For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
- question: |
What is end of support for Internet Explorer 11?
answer: |
Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
- question: |
How to configure TLS (SSL) for Internet Explorer
answer: |
For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380).
- question: |
What is Site to Zone?
answer: |
Site to Zone usually refers to one of the following:
**Site to Zone Assignment List**
This is a Group Policy policy setting that can be used to add sites to the various security zones.
The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones:
- Intranet zone
- Trusted Sites zone
- Internet zone
- Restricted Sites zone
If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site.
**Site to Zone Mapping**
Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list:
- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
**Site to Zone Assignment List policy**
This policy setting is available for both Computer Configuration and User Configuration:
- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
**References**
[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
- question: |
What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
answer: |
For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
- question: |
What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
answer: |
The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).

2
windows/application-management/index.yml
View File

@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r
metadata:
title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars.
description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice

2
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -87,4 +87,4 @@ The table below lists the supported configurations for remotely connecting to an
## Related topics
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)

53
windows/client-management/mdm/Language-pack-management-csp.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Language Pack Management CSP
description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
ms.reviewer:
manager: dansimp
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.date: 06/22/2021
---
# Language Pack Management CSP
The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
1. Enumerate installed languages with GET command on the "InstalledLanguages" node
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).
- Indicates the language pack installed is a System Language Pack (non-LXP)
- Indicates that the LXP is installed.
- Indicates that both are installed.
2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
Status: 0 not started; 1 in process; 2 succeeded; 3 failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
> [!NOTE]
> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
**DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)**
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**

36
windows/client-management/mdm/bitlocker-csp.md
View File

@ -172,11 +172,15 @@ If you want to disable this policy, use the following SyncML:
</SyncBody>
</SyncML>
```
> [!NOTE]
> Currently only used space encryption is supported when using this CSP.
<!--/Policy-->
<!--Policy-->
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<!--Description-->
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
<!--/Description-->
<!--SupportedValues-->
<table>
@ -204,7 +208,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -260,7 +264,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -289,7 +293,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -368,7 +372,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -397,7 +401,7 @@ ADMX Info:
<ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -444,7 +448,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL"
(PrebootRecoveryInfo_Name).
<!--/Description-->
<!--SupportedSKUs-->
@ -474,7 +478,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -534,7 +538,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -563,7 +567,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -631,7 +635,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -660,7 +664,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -737,7 +741,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -766,7 +770,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -806,7 +810,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -835,7 +839,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Removeable Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->

196
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -71,7 +71,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -97,7 +97,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -123,7 +123,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -149,7 +149,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -201,7 +201,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -227,7 +227,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -253,7 +253,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -305,7 +305,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -331,7 +331,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -358,7 +358,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
@ -384,7 +384,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -410,7 +410,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -436,7 +436,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -462,7 +462,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -514,7 +514,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -540,7 +540,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -566,7 +566,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -592,7 +592,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -618,7 +618,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -644,7 +644,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -670,7 +670,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -722,7 +722,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -748,7 +748,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -774,7 +774,6 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -802,7 +801,6 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -829,7 +827,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -882,7 +880,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -934,7 +932,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -960,7 +958,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1012,7 +1010,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1037,9 +1035,9 @@ Additional lists:
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" />
<a href="https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection">Only for mobile application management (MAM)</td>
<a href="/windows/client-management/mdm/implement-server-side-mobile-application-management#integration-with-windows-information-protection">Only for mobile application management (MAM)</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1065,10 +1063,9 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
@ -1092,7 +1089,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1118,7 +1115,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1144,7 +1141,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1168,7 +1165,7 @@ Additional lists:
<th>Mobile</th>
</tr>
<tr>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3<sup></td>
@ -1196,10 +1193,10 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
</tr>
</table>
@ -1248,7 +1245,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1273,10 +1270,10 @@ Additional lists:
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
@ -1284,6 +1281,33 @@ Additional lists:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[LanguagePackManagement CSP](language-pack-management-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Maps CSP](maps-csp.md)
@ -1300,7 +1324,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1378,7 +1402,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1404,7 +1428,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1482,7 +1506,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1534,7 +1558,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1560,7 +1584,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1586,7 +1610,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1638,7 +1662,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1664,7 +1688,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1688,12 +1712,12 @@ Additional lists:
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
<td><img src="images/checkmark.png" alt="check mark" /> (Provisioning only)</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>B<sup></td>
</tr>
</table>
@ -1716,7 +1740,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1742,7 +1766,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1768,7 +1792,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1794,7 +1818,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1820,7 +1844,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1846,7 +1870,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1872,7 +1896,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1898,7 +1922,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1924,7 +1948,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -1950,7 +1974,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -1976,7 +2000,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2002,7 +2026,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2028,7 +2052,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2132,7 +2156,7 @@ Additional lists:
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
@ -2159,7 +2183,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2185,7 +2209,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2211,7 +2235,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2237,7 +2261,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2290,7 +2314,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2316,7 +2340,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2368,7 +2392,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -2421,7 +2445,7 @@ Additional lists:
<tr>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2447,7 +2471,7 @@ Additional lists:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
@ -2503,7 +2527,6 @@ Additional lists:
<td></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
</tr>
</table>
@ -2555,7 +2578,7 @@ The following list shows the CSPs supported in HoloLens devices:
[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup> | ![check mark](images/checkmark.png) |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup> |
| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
@ -2627,6 +2650,8 @@ The following list shows the CSPs supported in HoloLens devices:
<hr>
Footnotes:
- A - Only for mobile application management (MAM).
- B - Provisioning only.
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
@ -2637,3 +2662,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)

108
windows/client-management/mdm/defender-csp.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 06/02/2021
ms.date: 06/23/2021
---
# Defender CSP
@ -59,6 +59,10 @@ Defender
--------TamperProtection (Added in Windows 10, version 1903)
--------EnableFileHashComputation (Added in Windows 10, version 1903)
--------SupportLogLocation (Added in the next major release of Windows 10)
--------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
--------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
--------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release)
----Scan
----UpdateSignature
----OfflineScan (Added in Windows 10 version 1803)
@ -518,9 +522,109 @@ When enabled or disabled exists on the client and admin moves the setting to not
More details:
- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
<a href="" id="configuration-platformupdateschannel"></a>**Configuration/PlatformUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 0: Not configured (Default)
- 1: Beta Channel - Prerelease
- 2: Current Channel (Preview)
- 3: Current Channel (Staged)
- 4: Current Channel (Broad)
More details:
- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
<a href="" id="configuration-engineupdateschannel"></a>**Configuration/EngineUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 0 - Not configured (Default)
- 1 - Beta Channel - Prerelease
- 2 - Current Channel (Preview)
- 3 - Current Channel (Staged)
- 4 - Current Channel (Broad)
More details:
- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
<a href="" id="configuration-definitionupdateschannel"></a>**Configuration/DefinitionUpdatesChannel**
Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid Values are:
- 0: Not configured (Default)
- 3: Current Channel (Staged)
- 4: Current Channel (Broad)
More details:
- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
<a href="" id="configuration-disablegradualrelease"></a>**Configuration/DisableGradualRelease**
Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates.
Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates.
> [!NOTE]
> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates.
If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
• 1 Enabled.
• 0 (default) Not Configured.
More details:
- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.

30
windows/client-management/mdm/devicestatus-csp.md
View File

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 04/30/2019
ms.date: 06/25/2021
---
# DeviceStatus CSP
@ -150,8 +150,8 @@ Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following:
- 0 - not encrypted
- 1 - encrypted
- 0 - Not encrypted
- 1 - Encrypted
Supported operation is Get.
@ -179,8 +179,8 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
- 0 - the device is in standard configuration
- 1 - the device is in S mode configuration
- 0 - The device is in standard configuration
- 1 - The device is in S mode configuration
Supported operation is Get.
@ -211,10 +211,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 Antivirus is on and monitoring
- 1 Antivirus is disabled
- 2 Antivirus is not monitoring the device/PC or some options have been turned off
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus is not monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
@ -263,10 +263,10 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
- 0 Firewall is on and monitoring
- 1 Firewall has been disabled
- 2 Firewall is not monitoring all networks or some rules have been turned off
- 3 (default) Firewall is temporarily not monitoring all networks
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall is not monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
@ -331,8 +331,8 @@ Added in Windows, version 1709. Virtualization-based security status. Value is
- 0 - Running
- 1 - Reboot required
- 2 - 64 bit architecture required
- 3 - not licensed
- 4 - not configured
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details

68
windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
View File

@ -133,74 +133,6 @@ Example: Export the Debug logs
</SyncML>
```
**To collect logs manually**
1. Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
2. Open the Field Medic app and then click on **Advanced**.
![field medic screenshot 2](images/diagnose-mdm-failures2.png)
3. Click on **Choose with ETW provider to use**.
![field medic screenshot 3](images/diagnose-mdm-failures3.png)
4. Check **Enterprise** and un-check the rest.
![field medic screenshot 4](images/diagnose-mdm-failures4.png)
5. In the app, click on **Start Logging** and then perform the operation that you want to troubleshoot.
![field medic screenshot 5](images/diagnose-mdm-failures2.png)
6. When the operation is done, click on **Stop Logging**.
![field medic screenshot 6](images/diagnose-mdm-failures5.png)
7. Save the logs. They will be stored in the Field Medic log location on the device.
8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder.
![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot 7](images/diagnose-mdm-failures7.png)![device folder screenshot 8](images/diagnose-mdm-failures8.png)
The following table contains a list of common providers and their corresponding GUIDs.
| GUID | Provider Name |
|--------------------------------------|--------------------------------------------------------|
| 099614a5-5dd7-4788-8bc9-e29f43db28fc | Microsoft-Windows-LDAP-Client |
| 0f67e49f-fe51-4e9f-b490-6f2948cc6027 | Microsoft-Windows-Kernel-Processor-Power |
| 0ff1c24b-7f05-45c0-abdc-3c8521be4f62 | Microsoft-Windows-Mobile-Broadband-Experience-SmsApi |
| 10e4f0e0-9686-4e62-b2d6-fd010eb976d3 | Microsoft-WindowsPhone-Shell-Events |
| 1e39b4ce-d1e6-46ce-b65b-5ab05d6cc266 | Microsoft-Windows-Networking-RealTimeCommunication |
| 22a7b160-f6e8-46b9-8e0b-a51989c85c66 | Microsoft-WindowsPhone-Bluetooth-AG |
| 2f94e1cc-a8c5-4fe7-a1c3-53d7bda8e73e | Microsoft-WindowsPhone-ConfigManager2 |
| 331c3b3a-2005-44c2-ac5e-77220c37d6b4 | Microsoft-Windows-Kernel-Power |
| 33693e1d-246a-471b-83be-3e75f47a832d | Microsoft-Windows-BTH-BTHUSB |
| 3742be72-99a9-42e6-9fd5-c01a330e3625 | Microsoft-WindowsPhone-PhoneAudio |
| 3b9602ff-e09b-4c6c-bc19-1a3dfa8f2250 | Microsoft-WindowsPhone-OmaDm-Client-Provider |
| 3da494e4-0fe2-415C-b895-fb5265c5c83b | Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider |
| 3f471139-acb7-4a01-b7a7-ff5da4ba2d43 | Microsoft-Windows-AppXDeployment-Server |
| 4180c4f7-e238-5519-338f-ec214f0b49aa | Microsoft.Windows.ResourceManager |
| 4637124c-1d40-4b4d-892f-2aaecf24ff06 | Microsoft-Windows-WinJson |
| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider |
| 4eacb4d0-263b-4b93-8cd6-778a278e5642 | Microsoft-Windows-GenericRoaming |
| 4f386063-ef17-4629-863c-d71597af743d | Microsoft-WindowsPhone-NotificationService |
| 55404e71-4db9-4deb-a5f5-8f86e46dde56 | Microsoft-Windows-Winsock-NameResolution |
| 59819d0a-adaf-46b2-8d7c-990bc39c7c15 | Microsoft-Windows-Battery |
| 5c103042-7e75-4629-a748-bdfa67607fac | Microsoft-WindowsPhone-Power |
| 69c1c3f1-2b5c-41d0-a14a-c7ca5130640e | Microsoft-WindowsPhone-Cortana |
| 6ad52b32-d609-4be9-ae07-ce8dae937e39 | Microsoft-Windows-RPC |
| 7263516b-6eb0-477b-b64f-17b91d29f239 | Microsoft-WindowsPhone-BatterySense |
| 7dd42a49-5329-4832-8dfd-43d979153a88 | Microsoft-Windows-Kernel-Network |
| ae4bd3be-f36f-45b6-8d21-bdd6fb832853 | Microsoft-Windows-Audio |
| daa6a96b-f3e7-4d4d-a0d6-31a350e6a445 | Microsoft-Windows-WLAN-Driver |
| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider |
| 74e106b7-00be-4a55-b707-7ab58d6a9e90 | Microsoft-WindowsPhone-Shell-OOBE |
| cbda4dbf-8d5d-4f69-9578-be14aa540d22 | Microsoft-Windows-AppLocker |
| e595f735-b42a-494b-afcd-b68666945cd3 | Microsoft-Windows-Firewall |
| e5fc4a0f-7198-492f-9b0f-88fdcbfded48 | Microsoft-Windows Networking VPN |
| e5c16d49-2464-4382-bb20-97a4b5465db9 | Microsoft-Windows-WiFiNetworkManager |
 -->
## Collect logs remotely from Windows 10 Holographic
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).

5
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -117,9 +117,6 @@ Requirements:
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
> [!NOTE]
> **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
@ -128,7 +125,7 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
>
> The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."

16
windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
View File

@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
The following shows the EnterpriseDesktopAppManagement CSP in tree format.
```
./Device/Vendor/MSFT
EnterpriseDesktopAppManagement
@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement
--------UpgradeCode
------------Guid
```
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
The root node for the EnterpriseDesktopAppManagement configuration service provider.
@ -195,14 +197,14 @@ The following table describes the fields in the previous sample:
The following table describes the fields in the previous sample:
| Name | Description |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. |
|--------|-----------------------|
| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.|
| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.**
**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.**
```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
@ -292,7 +294,8 @@ The following table describes the fields in the previous sample:
> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at <https://technet.microsoft.com/library/cc759262(v=ws.10).aspx>.
> [!Note]
> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx).
@ -401,7 +404,7 @@ The following table MsiInstallJob describes the schema elements.
<td>Command-line options to be used when calling MSIEXEC.exe</td>
</tr>
<tr class="even">
<td>Timeout</td>
<td>TimeOut</td>
<td>Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.</td>
</tr>
<tr class="odd">
@ -565,6 +568,3 @@ Here's a list of references:
</Item>
</Alert>
```

4
windows/client-management/mdm/euiccs-csp.md
View File

@ -25,6 +25,10 @@ eUICCs
--------IsActive
--------PPR1Allowed
--------PPR1AlreadySet
--------DownloadServers
------------ServerName
----------------DiscoveryState
----------------AutoEnable
--------Profiles
------------ICCID
----------------ServerName

48
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -266,12 +266,10 @@ The following is an enrollment policy request example with a received security t
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken ValueType=
"http: //schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
@ -410,12 +408,9 @@ The following example shows the enrollment web service request for federated aut
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType=
"http:"//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
>
<wsse:BinarySecurityToken
wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
@ -520,19 +515,16 @@ The following example shows the enrollment web service response.
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/> <RequestedSecurityToken>
<DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
<RequestedSecurityToken>
<BinarySecurityToken
ValueType=
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
</RequestID>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
@ -581,8 +573,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value=
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
@ -598,25 +589,24 @@ The following code shows sample provisioning XML (presented in the preceding pac
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName@contoso.com" datatype="string" />
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we removed EnterpriseAppManagement from the enrollment
protocol. -->
</characteristic>
<!-- For Windows 10, we removed EnterpriseAppManagement from the enrollment protocol. -->
</wap-provisioningdoc>
```

13
windows/client-management/mdm/healthattestation-csp.md
View File

@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report
- [HealthStatusMismatchFlags](#healthstatusmismatchflags)
\* TPM 2.0 only
** Reports if Bitlocker was enabled during initial boot.
*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.
\*\* Reports if BitLocker was enabled during initial boot.
\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot.
Each of these are described in further detail in the following sections, along with the recommended actions to take.
@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
<a href="" id="bitlockerstatus"></a>**BitlockerStatus** (at boot time)
<p style="margin-left: 20px">When Bitlocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.</p>
<a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time)
<p style="margin-left: 20px">When BitLocker is reported &quot;on&quot; at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.</p>
<p style="margin-left: 20px">Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.</p>
@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script.
- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
<a href="" id="oskerneldebuggingenabled"></a>**OSKernelDebuggingEnabled**
<p style="margin-left: 20px">OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.</p>
@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w
- Disallow all access
- Disallow access to HBI and MBI assets
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script.
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
<a href="" id="safemode"></a>**SafeMode**
<p style="margin-left: 20px">Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.</p>
@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio
[Configuration service provider reference](configuration-service-provider-reference.md)

9
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1371,6 +1371,7 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
## ADMX_ICM policies
<dl>
@ -6781,6 +6782,14 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### Language Pack Management CSP policies
<dl>
<dd>
<a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
</dd>
</dl>
### Licensing policies
<dl>

8
windows/client-management/mdm/policy-csp-admx-printing.md
View File

@ -1838,15 +1838,15 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain.
Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain.
On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.
If you enable this setting, the print spooler announces shared printers to the print browse master servers.
If you enable this setting, the print spooler announces shared printers to the print browse main servers.
If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available.
If you disable this setting, shared printers are not announced to print browse main servers, even if Active Directory is not available.
If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available.
If you do not configure this setting, shared printers are announced to browse main servers only when Active Directory is not available.
> [!NOTE]
> A client license is used each time a client computer announces a printer to a print browse master on the domain.

4
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -114,7 +114,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
Specifies whether the user must input a PIN or password when the device resumes from an idle state.
@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices:
- 1 - Digits only
- 2 - Digits and lowercase letters are required
- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop.
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens.
The default value is 1. The following list shows the supported values and actual enforced values:

3
windows/client-management/mdm/policy-csp-localusersandgroups.md
View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - LocalUsersAndGroups
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->

2
windows/client-management/mdm/policy-csp-storage.md
View File

@ -719,7 +719,7 @@ ADMX Info:
<!--/SupportedValues-->
<!--Example-->
Example for setting the device custom OMA-URI setting to enable this policy:
To deny write access to removable storage within Intunes custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
To deny write access to removable storage within Intunes custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1.
See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles.
<!--/Example-->

288
windows/client-management/mdm/policy-csp-system.md
View File

@ -28,6 +28,9 @@ manager: dansimp
<dd>
<a href="#system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a>
</dd>
<dd>
<a href="#system-allowdesktopanalyticsprocessing">System/AllowDesktopAnalyticsProcessing </a>
</dd>
<dd>
<a href="#system-allowdevicenameindiagnosticdata">System/AllowDeviceNameInDiagnosticData</a>
</dd>
@ -43,6 +46,9 @@ manager: dansimp
<dd>
<a href="#system-allowlocation">System/AllowLocation</a>
</dd>
<dd>
<a href="#system-allowmicrosoftmanageddesktopprocessing">System/AllowMicrosoftManagedDesktopProcessing</a>
</dd>
<dd>
<a href="#system-allowstoragecard">System/AllowStorageCard</a>
</dd>
@ -50,11 +56,14 @@ manager: dansimp
<a href="#system-allowtelemetry">System/AllowTelemetry</a>
</dd>
<dd>
<a href="#system-allowUpdateComplianceProcessing">System/AllowUpdateComplianceProcessing</a>
<a href="#system-allowupdatecomplianceprocessing">System/AllowUpdateComplianceProcessing</a>
</dd>
<dd>
<a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
</dd>
<dd>
<a href="#system-allowwufbcloudprocessing">System/AllowWuFBCloudProcessing</a>
</dd>
<dd>
<a href="#system-bootstartdriverinitialization">System/BootStartDriverInitialization</a>
</dd>
@ -114,11 +123,7 @@ manager: dansimp
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -186,11 +191,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -215,13 +216,20 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
This policy setting opts the device into the Windows enterprise data pipeline.
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline.
To enable this behavior, you must complete two steps:
If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline.
1. Enable this policy setting
2. Join an Azure Active Directory account to the device
Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 **Required (Basic)** or above.
If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsofts [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing.
Configuring this setting does not change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance.
See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.
<!--/Description-->
<!--ADMXMapped-->
@ -250,6 +258,36 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="system-allowdesktopanalyticsprocessing"></a>**System/AllowDesktopAnalyticsProcessing**
<!--/Scope-->
<!--Description-->
This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
To enable this behavior, you must complete three steps:
1. Enable this policy setting
2. Set **AllowTelemetry** to 1 **Required (Basic)** or above
3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace
This setting has no effect on devices unless they are properly enrolled in Desktop Analytics.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable or do not configure this policy setting, devices will not appear in Desktop Analytics.
The following list shows the supported values:
- 0 (default) Disabled.
- 2 Allowed.
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowdevicenameindiagnosticdata"></a>**System/AllowDeviceNameInDiagnosticData**
@ -265,11 +303,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -338,11 +372,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -398,11 +428,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -463,11 +489,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -542,11 +564,7 @@ To verify if System/AllowFontProviders is set to true:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -602,6 +620,27 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowmicrosoftmanageddesktopprocessing"></a>**System/AllowMicrosoftManagedDesktopProcessing**
<!--/Scope-->
<!--Description-->
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data.
For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md).
This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
>[!IMPORTANT]
> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices.
<hr/>
<!--Policy-->
<a href="" id="system-allowstoragecard"></a>**System/AllowStorageCard**
@ -617,11 +656,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -677,11 +712,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -742,11 +773,19 @@ The following list shows the supported values for Windows 8.1:
In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
- 0 **Off (Security)** This turns Windows diagnostic data off.
**Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
> [!NOTE]
> This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
- 1 **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
- 2 (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.
**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.
> [!NOTE]
> **Enhanced** is no longer an option for Windows Holographic, version 21H1.
- 3 **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs.
Most restrictive value is 0.
@ -795,7 +834,7 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="system-allowUpdateComplianceProcessing"></a>**System/AllowUpdateComplianceProcessing**
<a href="" id="system-allowupdatecomplianceprocessing"></a>**System/AllowUpdateComplianceProcessing**
<!--SupportedSKUs-->
<table>
@ -809,11 +848,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -838,11 +873,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance.
If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service.
This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance.
To enable this behavior, you must complete three steps:
1. Enable this policy setting
2. Set **AllowTelemetry** to 1 **Required (Basic)** or above
3. Set the Configure the Commercial ID setting for your Update Compliance workspace
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable or do not configure this policy setting, devices will not appear in Update Compliance.
<!--/Description-->
<!--ADMXMapped-->
@ -880,11 +922,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -925,6 +963,28 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="system-allowwufbcloudprocessing"></a>**System/AllowWuFBCloudProcessing**
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
To enable this behavior, you must complete three steps:
1. Enable this policy setting
2. Set **AllowTelemetry** to 1 **Required (Basic)** or above
3. Join an Azure Active Directory account to the device
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features.
<hr/>
<!--Policy-->
<a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**
@ -940,11 +1000,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1016,11 +1072,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1090,11 +1142,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1157,11 +1205,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1229,11 +1273,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1300,11 +1340,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1371,11 +1407,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1431,11 +1463,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1513,11 +1541,7 @@ To validate on Desktop, do the following:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1589,11 +1613,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1647,11 +1667,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1676,20 +1692,25 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
To enable this behavior, you must complete two steps:
- Enable this policy setting
- Set the **AllowTelemetry** level:
- For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1)
1. Enable this policy setting.
2. Set the **AllowTelemetry** level:
- For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced.
> [!NOTE]
> **Enhanced** is no longer an option for Windows Holographic, version 21H1.
- For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full)
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: <a href="/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields" data-raw-source="[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)">Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics</a>.
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
@ -1722,11 +1743,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1784,11 +1801,7 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup> <sup>11</sup></td>
</tr>
<tr>
<td>Enterprise</td>
@ -1855,5 +1868,6 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
- 10 - Available in Windows 10, version 21H1.
- 11 - Also applies to Windows 10 Business.
<!--/Policies-->

2
windows/client-management/mdm/update-csp.md
View File

@ -17,7 +17,7 @@ ms.date: 02/23/2018
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE]
> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
The following shows the Update configuration service provider in tree format.

4
windows/client-management/mdm/vpnv2-csp.md
View File

@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
> [!NOTE]
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid"></a>**VPNv2/**<em>ProfileName</em>**/DomainNameInformationList/**<em>dniRowId</em>
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
@ -1600,4 +1603,3 @@ Servers

2
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -90,7 +90,7 @@ If you suspect that the machine is in a state of port exhaustion:
![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
![Screenshot of netstate command output](images/tcp-ts-20.png)

2
windows/client-management/windows-10-mobile-and-mdm.md
View File

@ -978,7 +978,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre
- **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted).
- **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted).
- **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
- **Boot cycle allow list** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
#### Example scenario

4
windows/configuration/TOC.yml
View File

@ -117,7 +117,7 @@
items:
- name: Set up and test Cortana in Windows 10, version 2004 and later
href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
- name: Testing scenarios using Cortana in your business or organization
- name: Cortana at work testing scenarios
href: cortana-at-work/cortana-at-work-testing-scenarios.md
- name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
href: cortana-at-work/cortana-at-work-scenario-1.md
@ -138,7 +138,7 @@
- name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
href: cortana-at-work/cortana-at-work-o365.md
- name: Testing scenarios using Cortana in your business or organization
href: cortana-at-work/cortana-at-work-testing-scenarios.md
href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
- name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
href: cortana-at-work/test-scenario-1.md
- name: Test scenario 2 - Perform a quick search with Cortana at work

14
windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
View File

@ -1,31 +1,25 @@
---
title: Testing scenarios using Cortana in your business or organization (Windows 10)
description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
title: Cortana at work testing scenarios
description: Suggested testing scenarios that you can use to test Cortana in your organization.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.date: 10/05/2017
ms.date: 06/28/2021
ms.reviewer:
manager: dansimp
---
# Testing scenarios using Cortana in your business or organization
# Cortana at work testing scenarios
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
- [Set a reminder](cortana-at-work-scenario-3.md)
- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
- [Find out about a person](cortana-at-work-scenario-5.md)
- [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md)
- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organizations entries in the notebook](cortana-at-work-scenario-7.md)

18
windows/deployment/TOC.yml
View File

@ -1,11 +1,11 @@
- name: Deploy and update Windows 10
- name: Deploy and update Windows client
href: index.yml
items:
- name: Get started
items:
- name: What's new
href: deploy-whats-new.md
- name: Windows 10 deployment scenarios
- name: Windows client deployment scenarios
href: windows-10-deployment-scenarios.md
- name: What is Windows as a service?
href: update/waas-quick-start.md
@ -33,6 +33,8 @@
- name: Plan
items:
- name: Plan for Windows 11
href: /windows/whats-new/windows-11-plan
- name: Create a deployment plan
href: update/create-deployment-plan.md
- name: Define readiness criteria
@ -67,6 +69,8 @@
- name: Prepare
items:
- name: Prepare for Windows 11
href: /windows/whats-new/windows-11-prepare
- name: Prepare to deploy Windows 10 updates
href: update/prepare-deploy-windows.md
- name: Evaluate and update infrastructure
@ -96,11 +100,11 @@
- name: Deploy
items:
- name: Deploy Windows 10
- name: Deploy Windows client
items:
- name: Deploy Windows 10 with Autopilot
- name: Deploy Windows client with Autopilot
href: windows-autopilot/index.yml
- name: Deploy Windows 10 with Configuration Manager
- name: Deploy Windows client with Configuration Manager
items:
- name: Deploy to a new device
href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@ -110,7 +114,7 @@
href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
- name: In-place upgrade
href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
- name: Deploy Windows 10 with MDT
- name: Deploy Windows client with MDT
items:
- name: Deploy to a new device
href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -263,6 +267,8 @@
items:
- name: How does Windows Update work?
href: update/how-windows-update-works.md
- name: Windows 10 upgrade paths
href: upgrade/windows-10-upgrade-paths.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- name: Understanding the Unified Update Platform

14
windows/deployment/deploy-whats-new.md
View File

@ -1,9 +1,9 @@
---
title: What's new in Windows 10 deployment
title: What's new in Windows client deployment
ms.reviewer:
manager: laurawi
ms.author: greglin
description: Use this article to learn about new solutions and online content related to deploying Windows 10 in your organization.
description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
keywords: deployment, automate, tools, configure, news
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -16,19 +16,25 @@ ms.topic: article
ms.custom: seo-marvel-apr2020
---
# What's new in Windows 10 deployment
# What's new in Windows client deployment
**Applies to:**
- Windows 10
- Windows 11
## In this topic
This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
This topic provides an overview of new solutions and online content related to deploying Windows client in your organization.
- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
## Latest news
Check out the following new articles about Windows 11:
- [Overview of Windows 11](/windows/whats-new/windows-11)
- [Plan for Windows 11](/windows/whats-new/windows-11-plan)
- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.<br>
The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.<br>
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>

16
windows/deployment/index.yml
View File

@ -1,10 +1,10 @@
### YamlMime:Landing
title: Windows 10 deployment resources and documentation # < 60 chars
summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars
title: Windows client deployment resources and documentation # < 60 chars
summary: Learn about deploying and keeping Windows client devices up to date. # < 160 chars
metadata:
title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 08/05/2020 #Required; mm/dd/yyyy format.
ms.date: 06/24/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -40,7 +40,7 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Prepare to deploy Windows 10 updates
- text: Prepare to deploy Windows updates
url: update/prepare-deploy-windows.md
- text: Prepare updates using Windows Update for Business
url: update/waas-manage-updates-wufb.md
@ -65,8 +65,10 @@ landingContent:
- linkListType: overview
links:
- text: What's new in Windows deployment
url: windows-10-deployment-scenarios.md
- text: Windows 10 deployment scenarios
url: deploy-whats-new.md
- text: Windows 11 overview
url: /windows/whats-new/windows-11.md
- text: Windows client deployment scenarios
url: windows-10-deployment-scenarios.md
- text: Basics of Windows updates, channels, and tools
url: update/get-started-updates-channels-tools.md

6
windows/deployment/update/deployment-service-overview.md
View File

@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
- Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **1**.
- The **AllowWUfBCloudProcessing** policy is set to **8**.
#### Set the **AllowWUfBCloudProcessing** policy
@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager:
- Name: **AllowWUfBCloudProcessing**
- Description: Enter a description.
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- Data type: **String**
- Value: **1**
- Data type: **Integer**
- Value: **8**
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
7. In **Review + create**, review your settings, and then select **Create**.
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.

2
windows/deployment/update/fod-and-lang-packs.md
View File

@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020
> Applies to: Windows 10
In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.

3
windows/deployment/update/media-dynamic-update.md
View File

@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows 10. Its possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.

3
windows/deployment/update/update-baseline.md
View File

@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi
## How do I get started?
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from theDownload Center.
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from theDownload Center.
Today, the Update Baseline toolkit is currently only available for use with Group Policy.

2
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -47,7 +47,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
### Group policies

2
windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
View File

@ -32,7 +32,7 @@ This article describes how system administrators can upgrade eligible Windows Ph
The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in.
If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whitelist) with app allow-lists that could adversely affect the device after you upgrade.
If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) with app allow-lists that could adversely affect the device after you upgrade.
Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can block the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to restrict the Upgrade Advisor app, see the [How to restrict the Upgrade Advisor app](#howto-restrict) section in this article. Enterprises that have restricted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis.

9
windows/deployment/windows-10-subscription-activation.md
View File

@ -103,9 +103,9 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Multi-factor authentication
#### Multifactor authentication
An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
An issue has been identified with Hybrid Azure AD joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
To resolve this issue:
@ -197,7 +197,7 @@ You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, a
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
```console
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre>
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
```
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
@ -226,7 +226,8 @@ When you have the required Azure AD subscription, group-based licensing is the p
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
> [!CAUTION]
> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience).
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.

7
windows/hub/TOC.yml
View File

@ -1,8 +1,13 @@
- name: Windows 10
- name: Windows
href: index.yml
items:
- name: What's new
expanded: true
items:
- name: What's new in Windows
href: /windows/whats-new
- name: Windows 11
href: /windows/whats-new/windows-11
- name: Release information
href: /windows/release-health
- name: Deployment

40
windows/hub/index.yml
View File

@ -1,11 +1,11 @@
### YamlMime:Landing
title: Windows 10 resources and documentation for IT Pros # < 60 chars
summary: Plan, deploy, secure, and manage devices running Windows 10. # < 160 chars
title: Windows client resources and documentation for IT Pros # < 60 chars
summary: Plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # < 160 chars
metadata:
title: Windows 10 documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure and manage devices running Windows 10. # Required; article description that is displayed in search results. < 160 chars.
title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 10/20/2020 #Required; mm/dd/yyyy format.
ms.date: 06/01/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -26,13 +26,17 @@ landingContent:
linkLists:
- linkListType: overview
links:
- text: Windows 11 overview
url: /windows/whats-new/windows-11
- text: Windows 11 requirements
url: /windows/whats-new/windows-11-requirements
- text: Plan for Windows 11
url: /windows/whats-new/windows-11-plan
- text: Prepare for Windows 11
url: /windows/whats-new/windows-11-prepare
- text: What's new in Windows 10, version 21H1
url: /windows/whats-new/whats-new-windows-10-version-21H1
- text: What's new in Windows 10, version 20H2
url: /windows/whats-new/whats-new-windows-10-version-20H2
- text: What's new in Windows 10, version 2004
url: /windows/whats-new/whats-new-windows-10-version-2004
- text: Windows 10 release information
- text: Windows release information
url: /windows/release-health/release-information
# Card (optional)
@ -40,7 +44,7 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Configure Windows 10
- text: Configure Windows
url: /windows/configuration/index
- text: Accessibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
@ -54,13 +58,13 @@ landingContent:
linkLists:
- linkListType: deploy
links:
- text: Deploy and update Windows 10
- text: Deploy and update Windows
url: /windows/deployment/index
- text: Windows 10 deployment scenarios
- text: Windows deployment scenarios
url: /windows/deployment/windows-10-deployment-scenarios
- text: Create a deployment plan
url: /windows/deployment/update/create-deployment-plan
- text: Prepare to deploy Windows 10
- text: Prepare to deploy Windows client
url: /windows/deployment/update/prepare-deploy-windows
@ -69,7 +73,7 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 application management
- text: Windows application management
url: /windows/application-management/index
- text: Understand the different apps included in Windows 10
url: /windows/application-management/apps-in-windows-10
@ -83,9 +87,9 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 client management
- text: Windows client management
url: /windows/client-management/index
- text: Administrative tools in Windows 10
- text: Administrative tools
url: /windows/client-management/administrative-tools-in-windows-10
- text: Create mandatory user profiles
url: /windows/client-management/mandatory-user-profile
@ -97,7 +101,7 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Windows 10 Enterprise Security
- text: Windows Enterprise Security
url: /windows/security/index
- text: Windows Privacy
url: /windows/privacy/index

26
windows/privacy/changes-to-windows-diagnostic-data-collection.md
View File

@ -24,10 +24,10 @@ ms.date: 07/21/2020
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we are moving our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
This topic is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
- [Taxonomy changes](#taxonomy-changes)
- [Behavioral changes](#behaviorial-changes)
- [Behavioral changes](#behavioral-changes)
> [!NOTE]
> You can test the behavioral changes now in Windows 10 Insider Preview build 19577 and later.
@ -36,7 +36,7 @@ This topic is meant for IT administrators and explains the changes Windows is ma
In Windows 10, version 1903 and newer, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
Additionally, in an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. Were also clarifying the Security diagnostic data level to more accurately reflect its behavior by changing it to **Diagnostic data off**. All of these changes are explained in the section named **Behavioral changes**.
Additionally, in an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. Were also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
## Taxonomy changes
@ -48,9 +48,9 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
> [!IMPORTANT]
> No action is required for the taxonomy changes, and your existing settings will be maintained as part of this update.
## Behaviorial changes
## Behavioral changes
In an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**.
In an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 10 device to limit crash dumps and logs](#configure-a-windows-10-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
Additionally, you will see the following policy changes in an upcoming release of Windows 10:
@ -70,7 +70,7 @@ A final set of changes includes two new policies that can help you fine-tune dia
- MDM policy: System/LimitDiagnosticLogCollection
>[!Important]
>All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier.
>All the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier.
## Configure a Windows 10 device to limit crash dumps and logs
@ -87,5 +87,19 @@ With the Enhanced diagnostic data level being split out into new policies, we're
Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
The following provides information on the current configurations:
- [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data)
- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview)
## New Windows diagnostic data processor configuration
**Applies to**
- Windows 10 Edu, Pro, Enterprise editions, version 1809 with July 2021 update and newer
Enterprise customers will now have a new option for controlling their Windows diagnostic data for their Azure Active Directory joined devices.
Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows 10 operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether.
Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller.
This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)

74
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -22,22 +22,23 @@ ms.date: 10/13/2020
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Professional
- Windows Server 2016 and newer
This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data thats sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
This article applies to Windows 10, Windows Server, Surface Hub, and HoloLens diagnostic data only. It describes the types of diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
>[!IMPORTANT]
>Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
## Overview
Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for the customers needs.
Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customers needs.
For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
### Diagnostic data gives users a voice
Diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
Diagnostic data gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behave in the real world, focus on user priorities, and make informed decisions that benefit both consumer and enterprise customers. The following sections offer real examples of these benefits.
### _Improve app and driver quality_
@ -73,7 +74,7 @@ Later in this document we provide further details about how to control whats
### Data transmission
All diagnostic data is encrypted using TLS and uses certificate pinning during transfer from the device to the Microsoft data management services.
All diagnostic data is encrypted using Transport Layer Security (TLS) and uses certificate pinning during transfer from the device to the Microsoft data management services.
### Endpoints
@ -169,7 +170,7 @@ Enhanced diagnostic data includes data about the websites you browse, how Window
- All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
### Optional diagnostic data
### Optional diagnostic data
Optional diagnostic data, previously labeled as **Full**, includes more detailed information about your device and its settings, capabilities, and device health. Optional diagnostic data also includes data about the websites you browse, device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. When you choose to send optional diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
@ -224,6 +225,69 @@ You can use Group Policy to set your organizations diagnostic data setting:
Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
## Enable Windows diagnostic data processor configuration
The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.
### Prerequisites
- The device must have Windows 10 Pro, Education or Enterprise edition, version 1809 with July 2021 update or newer.
- The device must be joined to Azure Active Directory.
The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable:
- v10c.events.data.microsoft.com
- umwatsonc.events.data.microsoft.com
- kmwatsonc.events.data.microsoft.com
- settings-win.data.microsoft.com
- *.blob.core.windows.net
### Enabling Windows diagnostic data processor configuration
Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution.
In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
- **Data type:** Integer
Under **Value**, use **1** to enable the service.
If you wish to disable, at any time, switch the same setting to **0**. The default value is **0**.
>[!Note]
> - If you have any additional policies that also enable you to be a controller of Windows diagnostic data, such as the services listed below, you will need to turn off all the applicable policies in order to stop being a controller for Windows diagnostic data.
> - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled.
> - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions.
You can also enable the Windows diagnostic data processor configuration by enrolling in services that use Windows diagnostic data. These services currently include Desktop Analytics, Update Compliance, Microsoft Managed Desktop, and Windows Update for Business.
For information on these services and how to configure the group policies, refer to the following documentation:
Desktop Analytics:
- [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing)
- [Desktop Analytics data privacy](/mem/configmgr/desktop-analytics/privacy)
- [Group policy settings for Desktop Analytics](/mem/configmgr/desktop-analytics/group-policy-settings)
Update Compliance:
- [Privacy in Update Compliance](/windows/deployment/update/update-compliance-privacy)
- [Manually configuring devices for Update Compliance](/windows/deployment/update/update-compliance-configuration-manual#required-policies)
Microsoft Managed Desktop:
- [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data)
Windows Update for Business:
- [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections)
## Limit optional diagnostic data for Desktop Analytics
For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing).

324
windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
View File

@ -1,324 +0,0 @@
---
title: Data processor service for Windows Enterprise public preview terms
description: Use this article to understand Windows public preview terms of service.
keywords: privacy, GDPR
ms.localizationpriority: high
ROBOTS: NOINDEX, NOFOLLOW
ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
ms.author: siosulli
author: dansimp
manager: dansimp
audience: itpro
ms.collection:
- GDPR
- M365-security-compliance
---
# Data processor service for Windows Enterprise public preview terms
**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
1. **Definitions**. The following terms have the following meanings:
1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsofts business, products, or services.
3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
3. **Intellectual Property**.
1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone elses use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
4. **Confidentiality**. The following confidentiality terms apply to the Preview:
1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to: </br></br>
1. a partys released or unreleased software or hardware products;</br></br>
2. a partys source code;</br></br>
3. a partys product marketing or promotion;</br></br>
4. a partys business policies or practices;</br></br>
5. a partys customers or suppliers;</br></br>
6. information received from others that a party must treat as confidential; and</br></br>
7. information provided, obtained, or created by a party under these Terms, including:
* information in reports;
* the parties electronic or written correspondence, customer lists and customer information, regardless of source;
* Personal Data; and
* Transactional, sales, and marketing information.
2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing partys disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing partys Confidential Information.
3. Each party will employ security procedures to prevent disclosure of the other partys Confidential Information to unauthorized third parties. The receiving partys security procedures must include risk assessment and controls for:</br></br>
1. system access;</br></br>
2. system and application development and maintenance;</br></br>
3. change management;</br></br>
4. asset classification and control;</br></br>
5. incident response, physical and environmental security;</br></br>
6. disaster recovery/business continuity; and</br></br>
7. employee training.
5. **Data Protection.**
**Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Attachment 1 govern that processing and the parties also agree to the following terms:
1. Processing Details: The parties agree that:
* The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
* The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms;
* The nature and purpose of the processing shall be to provide the Services pursuant to these Terms;
* The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and
* The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers.
2. Data Transfers:
* Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.
* All transfers of Preview Data and Personal Data out of the European Union, European Economic Area, United Kingdom, and Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses in Attachment 2.
* Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
* In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days notice for any reason (or no reason), or (ii) notice of such partys breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the others Confidential Information provided under the Preview.
8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
9. **Representations and Warranties; Limitation of Liability.**
1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
10. **General.**
1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that partys reasonable control, including natural disaster, war, civil disturbance, or governmental action.
4. **Attorneys fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys fees, costs, and other expenses.
5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsofts prior written consent.
6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms expiration or termination.</br></br>
<p align="center">
<b>Attachment 1: GDPR Terms</b><br>
For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data.
**Relevant GDPR Obligations: Articles 28, 32, and 33**
1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2))
2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall:
1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. take all measures required pursuant to Article 32 of the GDPR;
4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4))
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of Personal Data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsofts who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4))
7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft.
<p align="center">
<b>Attachment 2 The Standard Contractual Clauses (Processors)</b><br>
In countries where regulatory approval is required for use of the Standard Contractual Clauses, the Standard Contractual Clauses cannot be relied upon under European Commission 2010/87/EU (of February 2010) to legitimize export of data from the country, unless Customer has the required regulatory approval.
Beginning May 25, 2018 and thereafter, references to various Articles from the Directive 95/46/EC in the Standard Contractual Clauses below will be treated as references to the relevant and appropriate Articles in the GDPR.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, Customer (as data exporter) and Microsoft Corporation (as data importer, whose signature appears below), each a “party,” together “the parties,” have agreed on the following Contractual Clauses (the “Clauses” or “Standard Contractual Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
**Clause 1: Definitions**
1. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
1. 'the data exporter' means the controller who transfers the personal data;
1. 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
1. 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
1. 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
1. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
**Clause 2: Details of the transfer**
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses.
**Clause 3: Third-party beneficiary clause**
1. The data subject can enforce against the data exporter this Clause, Clause 4(2) to (9), Clause 5(1) to (5), and (7) to (10), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2.1.exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
1. The data subject can enforce against the subprocessor this Clause, Clause 5(1) to (5) and (7), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
**Clause 4: Obligations of the data exporter**
The data exporter agrees and warrants:
1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
1. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
1. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 below;
1. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
1. that it will ensure compliance with the security measures;
1. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
1. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(2) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
1. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
1. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
1. that it will ensure compliance with Clause 4(1) to (9).
**Clause 5: Obligations of the data importer**
The data importer agrees and warrants:
1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
1. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
1. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
1. that it will promptly notify the data exporter about:
1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
1. any accidental or unauthorised access, and
1. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
1. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
1. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
1. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
1. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
1. that the processing services by the subprocessor will be carried out in accordance with Clause 11; and
1. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
**Clause 6: Liability**
1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
1. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
**Clause 7: Mediation and jurisdiction**
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
1. to refer the dispute to the courts in the Member State in which the data exporter is established.
1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
**Clause 8: Cooperation with supervisory authorities**
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
1. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
1. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (2).
**Clause 9: Governing Law**
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
**Clause 10: Variation of the contract**
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
**Clause 11: Subprocessing**
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
1. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
1. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
1. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
**Clause 12: Obligation after the termination of personal data processing services**
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
1. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
**Appendix 1 to the Standard Contractual Clauses**
**Data exporter**: Customer is the data exporter. The data exporter is a user of the Services.
**Data importer**: The data importer is MICROSOFT CORPORATION, a global producer of software and services.
**Data subjects**: Data subjects include the data exporters representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Microsoft acknowledges that, depending on Customers use of the Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
* Employees, contractors and temporary workers (current, former, prospective) of data exporter;
* Dependents of the above;
* Data exporter's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
* Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter's services;
* Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter;
* Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter);
* Minors; or
* Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
**Categories of data**: The personal data transferred that is included in data processed by the Services. Microsoft acknowledges that, depending on Customers use of the Services, Customer may elect to include personal data from any of the following categories in the personal data:
* Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
* Authentication data (for example user name, password or PIN code, security question, audit trail);
* Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
* Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
* Pseudonymous identifiers;
* Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
* Commercial Information (for example history of purchases, special offers, subscription information, payment history);
* Biometric Information (for example DNA, fingerprints and iris scans);
* Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points);
* Photos, video and audio;
* Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
* Device identification (for example IMEI-number, SIM card number, MAC address);
* Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
* HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);
* Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
* Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
* Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
* Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural persons sex life or sexual orientation, or data relating to criminal convictions or offences); or
* Any other personal data identified in Article 4 of the GDPR.
**Processing operations**: The personal data transferred will be subject to the following basic processing activities:
1. **Duration and Object of Data Processing**. The duration of data processing shall be for the term of the Preview. The objective of the data processing is the performance of the Services.
1. **Scope and Purpose of Data Processing**. The scope and purpose of processing personal data is described in Section 5 of this agreement. The data importer operates a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors operate such facilities.
1. **Customer Data and Personal Data Access**. For the term designated under the applicable volume licensing agreement data importer will at its election and as necessary under applicable law implementing Article 12(b) of the EU Data Protection Directive, either: (1) provide data exporter with the ability to correct, delete, or block Customer Data and personal data, or (2) make such corrections, deletions, or blockages on its behalf.
1. **Data Exporters Instructions**. For Online Services and Professional Services, data importer will only act upon data exporters instructions as conveyed by Microsoft.
1. **Preview Data and Personal Data Deletion or Return**. Upon expiration or termination of data exporters use of the Services, it may extract Customer Data and personal data and data importer will delete Customer Data and personal data, each in accordance with the terms of this agreement.
**Subcontractors**: In accordance with the DPA, the data importer may hire other companies to provide limited services on data importers behalf, such as providing customer support. Any such subcontractors will be permitted to obtain Customer Data and personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data and personal data for any other purpose.
**Appendix 2 to the Standard Contractual Clauses**
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(4) and 5(3):
1. **Personnel**. Data importers personnel will not process Preview Data or personal data without authorization. Personnel are obligated to maintain the confidentiality of any such Preview Data and personal data and this obligation continues even after their engagement ends.
2. **Data Privacy Contact**. The data privacy officer of the data importer can be reached at the following address: </br>Microsoft Corporation </br>Attn: Chief Privacy Officer</br>1 Microsoft Way</br>Redmond, WA 98052 USA
3. **Technical and Organization Measures**. The data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Preview Data and personal data, as defined in Attachment 1 of this agreement, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows: The technical and organizational measures, internal controls, and information security routines set forth in Attachment 1 of this agreement are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.

96
windows/privacy/deploy-data-processor-service-windows.md
View File

@ -1,96 +0,0 @@
---
title: Technical Deployment of the data processor service for Windows Enterprise
description: Use this article to understand how to deploy and manage the data processor service for Windows Enterprise.
keywords: privacy, GDPR
ms.localizationpriority: high
ROBOTS: NOINDEX, NOFOLLOW
ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
ms.author: siosulli
author: dansimp
manager: dansimp
audience: itpro
ms.collection:
- GDPR
- M365-security-compliance
---
# Data processor service for Windows Enterprise Overview
>[!NOTE]
>This topic is intended for participants in the data processor service for Windows Enterprise preview program and requires acceptance of specific terms of use. To learn
more about the program and agree to the terms of use, see [https://aka.ms/WindowsEnterprisePublicPreview](https://aka.ms/WindowsEnterprisePublicPreview).
The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers needs.
The data processor service for Windows Enterprise empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR).
The data processor service for Windows Enterprise will serve as a foundation for other Microsoft services that use Windows diagnostic data.
The data processor service for Windows Enterprise offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations.
Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards.
The data processor service for Windows Enterprise provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, youre able to execute an export DSR for a specific Azure AD User ID.
Should you desire so, Microsoft will accommodate a data processor service for Windows Enterprise tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer.
>[!Note]
>Tenant account closure will lead to the deletion of all data associated with that tenant.
## Deployment of data processor service for Windows Enterprise
Use the instructions below to easily manage the data processor service for Windows Enterprise using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer.
### Prerequisites
#### Versions supported
The data processor service for Windows Enterprise is currently supported on Windows 10, version 1809, and newer versions.
#### Network requirements
The following endpoints need to be reachable from devices enrolled into the data processor service for Windows Enterprise:
login.live.com
cy2.vortex.data.microsoft.com.akadns.net
v10.events.data.microsoft.com
v10.vortex-win.data.microsoft.com/collect/v1
For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version:
[Windows 10, version 1809 endpoints](./manage-windows-1809-endpoints.md)
[Windows 10, version 1903 endpoints](./manage-windows-1903-endpoints.md)
### Deploying data processor service for Windows Enterprise
You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices.
In Group Policy, to enable data collection through the data processor service for Windows Enterprise, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
To use an MDM solution, such as [Microsoft Intune](/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
- **Data type:** Integer
Under **Value**, use **1** to enable the service.
If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**.
>[!Note]
>Data collected from a device, before it was enrolled into the data processor service for Windows Enterprise, will not be moved into the enterprise compliance boundary.
## Managing data processor service for Windows Enterprise
### Executing user-based data subject requests (DSRs)
To perform user-based DSRs, the data processor service for Windows Enterprise requires your organization to be reflected in Azure AD.
If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you dont need to take any further action.
If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join.
To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide).
## Geo-location
Windows Diagnostic Data collected through the data processor service for Windows Enterprise is hosted in our datacenter in the United States.

147
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -27,13 +27,13 @@ ms.date: 5/21/2021
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
> [!IMPORTANT]
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features.
> - It is recommended that you restart a device after making configuration changes to it.
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
@ -42,13 +42,13 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
> - To restrict a device effectively (first time or subsequently), it is recommended to apply the Restricted Traffic Limited Functionality Baseline settings package in offline mode.
> - During update or upgrade of Windows, egress traffic may occur.
To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](./manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
To use Microsoft Intune cloud-based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm.md).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
## Management options for each setting
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections
### Settings for Windows 10 Enterprise edition
@ -103,12 +103,14 @@ The following table lists management options for each setting, beginning with Wi
| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
### Settings for Windows Server 2016 with Desktop Experience
@ -131,7 +133,7 @@ See the following table for a summary of the management settings for Windows Ser
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@ -148,7 +150,7 @@ See the following table for a summary of the management settings for Windows Ser
| [14. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [19. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [22. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
### Settings for Windows Server 2016 Nano Server
@ -213,12 +215,14 @@ See the following table for a summary of the management settings for Windows Ser
| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |
| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
## How to configure each setting
@ -423,7 +427,7 @@ To turn off Insider Preview builds for Windows 10:
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. <br /> **Set Value to: Disabled**|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar. <br /> **Set Value to: Enabled** </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> &gt; **Advanced** &gt; **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> **Set Value to: Enabled**|
| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
| Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
| Registry Key | Registry path |
@ -432,7 +436,7 @@ To turn off Insider Preview builds for Windows 10:
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer<br />REG_DWORD: AllowServicePoweredQSA <br />**Set Value to: 0**|
| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete<br/>REG_SZ: AutoSuggest <br />Set Value to: **no** |
| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation<br/>REG_DWORD: PolicyDisableGeolocation <br />**Set Value to: 1** |
| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter<br/>REG_DWORD: EnabledV9 <br />**Set Value to: 0** |
| Prevent managing Microsoft Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter<br/>REG_DWORD: EnabledV9 <br />**Set Value to: 0** |
There are more Group Policy objects that are used by Internet Explorer:
@ -569,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> **Set to Enabled** |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices. <br /> **Set to Disabled** |
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions. <br /> **Set to Disabled** |
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> **Set to Disabled** |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> **Enabled** and **Set this to <<about:blank>>** |
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> **Set to: Enable** |
@ -594,7 +598,9 @@ Alternatively, you can configure the following Registry keys as described:
### <a href="" id="bkmk-edgegp"></a>13.2 Microsoft Edge Enterprise
> [!Important]
For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).
> [!IMPORTANT]
> - The following settings are applicable to Microsoft Edge version 77 or later.
> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems).
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
@ -602,34 +608,20 @@ Alternatively, you can configure the following Registry keys as described:
| Policy | Group Policy Path | Registry Path |
|----------------------------------|--------------------|---------------------------------------------|
| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** |
| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** |
| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** |
| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrackSet to 1** |
| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** |
| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** |
| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** |
| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** |
| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** |
| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartupSet to 5** |
| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page-Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs |
| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** |
| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** |
| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** |
| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** |
| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: SearchSuggestEnabled Set to 0**|
| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: AutofillAddressEnabled Set to 0**|
| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: AutofillCreditCardEnabled Set to 0**|
| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track <br> **Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: ConfigureDoNotTrackSet to 1** |
| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: PasswordManagerEnabled Set to 0**|
| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: DefaultSearchProviderEnabled Set to 0**|
| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen <br> **Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: HideFirstRunExperience Set to 1**|
| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: SmartScreenEnabled Set to 0**|
| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL <br> **Set to Enabled-Value “about:blank”**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_SZ name: NewTabPageLocation Set to about:blank**|
| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: RestoreOnStartupSet to 5**|
| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page-Sites to open when the browser starts <br> **Set to Disabled**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs <br> **REG_SZ name: 1 Set to about:blank**|
| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default <br> **Set to Enabled - 'Updates disabled'** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate <br> **REG_DWORD name: UpdateDefault Set to 0**|
| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override <br> **Set to Enabled - Set Value for Minutes between update checks to 0**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate <br> **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0**|
|**Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override <br> **Set to RestrictedMode**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate <br> **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0**|
|||
### <a href="" id="bkmk-ncsi"></a>14. Network Connection Status Indicator
@ -642,9 +634,8 @@ You can turn off NCSI by doing one of the following:
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests**
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
-or-
@ -700,8 +691,9 @@ To remove the News app:
- Right-click the app in Start, and then click **Uninstall**.
-or-
> [!IMPORTANT]
> If you have any issues with these commands, restart the system and try the scripts again.
> [!IMPORTANT]
> If you have any issues with the following commands, restart the system and try the scripts again.
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
@ -871,11 +863,11 @@ Use Settings &gt; Privacy to configure some settings that may be important to yo
To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**:
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **User Profiles** &gt; **Turn off the advertising ID**.
@ -908,11 +900,11 @@ To turn off **Let Windows track app launches to improve Start and search results
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
-or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **User Profiles** &gt; **Turn off the advertising ID**.
@ -925,7 +917,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
- Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).
To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:
To turn off **Turn on Microsoft Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:
- Turn off the feature in the UI.
@ -1303,11 +1295,10 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
To change how frequently **Windows should ask for my feedback**:
> [!NOTE]
> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
To change how frequently **Windows should ask for my feedback**:
- To change from **Automatically (Recommended)**, use the drop-down list in the UI.
@ -1587,11 +1578,11 @@ You can control if your settings are synchronized:
To turn off Messaging cloud sync:
> [!NOTE]
> There is no Group Policy corresponding to this registry key.
- Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**.
> [!NOTE]
> There is no Group Policy corresponding to this registry key.
### <a href="" id="bkmk-teredo"></a>22. Teredo
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](/previous-versions/windows/it-pro/windows-vista/cc722030(v=ws.10)).
@ -1628,13 +1619,13 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but theyre non-functional and they cant be controlled by the employee.
### <a href="" id="bkmk-defender"></a>24. Windows Defender
### <a href="" id="bkmk-defender"></a>24. Microsoft Defender Antivirus
You can disconnect from the Microsoft Antimalware Protection Service.
> [!IMPORTANT]
> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
> 1. Ensure Windows and Windows Defender are fully up to date.
> **Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903**
> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date.
> 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
- **Enable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **MAPS** &gt; **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
@ -1682,8 +1673,8 @@ You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
- Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
> [!NOTE]
> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
> [!NOTE]
> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
You can turn off **Enhanced Notifications** as follows:
@ -1699,9 +1690,9 @@ You can turn off **Enhanced Notifications** as follows:
- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**.
### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen
### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Microsoft Defender SmartScreen
To disable Windows Defender SmartScreen:
To disable Microsoft Defender SmartScreen:
In Group Policy, configure:
@ -1884,11 +1875,9 @@ For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimi
- Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **99 (Ninety-nine)**.
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates]
(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization).
For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization).
### <a href="" id="bkmk-wu"></a>29. Windows Update
@ -1942,6 +1931,30 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**.
### <a href="" id="bkmk-clcp"></a>30. Cloud Clipboard
Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices.
Most restricted value is 0.
ADMX Info:
- GP English name: Allow Clipboard synchronization across devices<br>
- GP name: AllowCrossDeviceClipboard<br>
- GP path: System/OS Policies<br>
- GP ADMX file name: OSPolicy.admx<br>
The following list shows the supported values:<br>
- 0 Not allowed<br>
- 1 (default) Allowed<br>
### <a href="" id="bkmk-svccfg"></a>31. Services Configuration
Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
You can turn off Services Configuration by setting the following registry entries:
Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**.
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline

164
windows/privacy/manage-windows-1809-endpoints.md
View File

@ -55,8 +55,8 @@ If you [turn off traffic to this endpoint](manage-connections-from-windows-opera
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| explorer | HTTP | tile-service.weather.microsoft.com |
| | HTTP | blob.weather.microsoft.com |
| explorer | HTTP | `tile-service.weather.microsoft.com` |
| | HTTP | `blob.weather.microsoft.com` |
The following endpoint is used for OneNote Live Tile.
To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
@ -65,7 +65,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
| | HTTPS | `cdn.onenote.net/livetile/?Language=en-US` |
The following endpoints are used for Twitter updates.
To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
@ -74,8 +74,8 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | wildcard.twimg.com |
| svchost.exe | | oem.twimg.com/windows/tile.xml |
| | HTTPS | `wildcard.twimg.com` |
| svchost.exe | | `oem.twimg.com/windows/tile.xml` |
The following endpoint is used for Facebook updates.
To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
@ -84,7 +84,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | | star-mini.c10r.facebook.com |
| | | `star-mini.c10r.facebook.com` |
The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office.
To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
@ -93,7 +93,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
| WindowsApps\Microsoft.Windows.Photos | HTTPS | `evoke-windowsservices-tas.msedge.net` |
The following endpoint is used for Candy Crush Saga updates.
To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
@ -102,7 +102,7 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | TLS v1.2 | candycrushsoda.king.com |
| | TLS v1.2 | `candycrushsoda.king.com` |
The following endpoint is used for by the Microsoft Wallet app.
To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
@ -111,24 +111,24 @@ Additionally, the Microsoft Store won't be able to revoke malicious Store apps a
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
| system32\AppHostRegistrationVerifier.exe | HTTPS | `wallet.microsoft.com` |
The following endpoint is used by the Groove Music app for update HTTP handler status.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app.
| Source process | Protocol | Destination |
|----------------|----------|------------|
| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
| system32\AppHostRegistrationVerifier.exe | HTTPS | `mediaredirect.microsoft.com` |
The following endpoints are used when using the Whiteboard app.
To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | wbd.ms |
| | HTTPS | int.whiteboard.microsoft.com |
| | HTTPS | whiteboard.microsoft.com |
| | HTTP / HTTPS | whiteboard.ms |
| | HTTPS | `wbd.ms` |
| | HTTPS | `int.whiteboard.microsoft.com` |
| | HTTPS | `whiteboard.microsoft.com` |
| | HTTP / HTTPS | `whiteboard.ms` |
## Cortana and Search
@ -137,28 +137,28 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| searchui | HTTPS |store-images.s-microsoft.com |
| searchui | HTTPS | `store-images.s-microsoft.com` |
The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| backgroundtaskhost | HTTPS | www.bing.com/client |
| backgroundtaskhost | HTTPS | `www.bing.com/client` |
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| backgroundtaskhost | HTTPS | www.bing.com/proactive |
| backgroundtaskhost | HTTPS | `www.bing.com/proactive` |
The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| searchui <br> backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
| searchui <br> backgroundtaskhost | HTTPS | `www.bing.com/threshold/xls.aspx` |
## Certificates
@ -171,7 +171,7 @@ If traffic to this endpoint is turned off, Windows no longer automatically downl
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTP | ctldl.windowsupdate.com |
| svchost | HTTP | `ctldl.windowsupdate.com` |
## Device authentication
@ -180,7 +180,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | login.live.com/ppsecure |
| | HTTPS | `login.live.com/ppsecure` |
## Device metadata
@ -189,8 +189,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | | dmd.metaservices.microsoft.com.akadns.net |
| | HTTP | dmd.metaservices.microsoft.com |
| | | `dmd.metaservices.microsoft.com.akadns.net` |
| | HTTP | `dmd.metaservices.microsoft.com` |
## Diagnostic Data
@ -199,22 +199,22 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
| svchost | | `cy2.vortex.data.microsoft.com.akadns.net` |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
| svchost | HTTPS | `v10.vortex-win.data.microsoft.com/collect/v1` |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| wermgr | | watson.telemetry.microsoft.com |
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
| wermgr | | `watson.telemetry.microsoft.com` |
| | TLS v1.2 | `modern.watson.data.microsoft.com.akadns.net` |
## Font streaming
@ -223,8 +223,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | | fs.microsoft.com |
| | | fs.microsoft.com/fs/windows/config.json |
| svchost | | `fs.microsoft.com` |
| | | `fs.microsoft.com/fs/windows/config.json` |
## Licensing
@ -233,7 +233,7 @@ To turn off traffic for this endpoint, disable the Windows License Manager Servi
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
| licensemanager | HTTPS | `licensing.mp.microsoft.com/v7.0/licenses/content` |
## Location
@ -242,8 +242,8 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTP | location-inference-westus.cloudapp.net |
| | HTTPS | inference.location.live.net |
| | HTTP | `location-inference-westus.cloudapp.net` |
| | HTTPS | `inference.location.live.net` |
## Maps
@ -252,7 +252,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTPS | *g.akamaiedge.net |
| svchost | HTTPS | `*g.akamaiedge.net` |
## Microsoft account
@ -261,11 +261,11 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | | login.msa.akadns6.net |
| | | login.live.com |
| | | account.live.com |
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
| | | us.configsvc1.live.com.akadns.net |
| | | `login.msa.akadns6.net` |
| | | `login.live.com` |
| | | `account.live.com` |
| system32\Auth.Host.exe | HTTPS | `auth.gfx.ms` |
| | | `us.configsvc1.live.com.akadns.net` |
## Microsoft Store
@ -274,32 +274,32 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | *.wns.windows.com |
| | HTTPS | `*.wns.windows.com` |
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTP | storecatalogrevocation.storequality.microsoft.com |
| | HTTP | `storecatalogrevocation.storequality.microsoft.com` |
The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
| backgroundtransferhost | HTTPS | store-images.microsoft.com |
| | HTTPS | `img-prod-cms-rt-microsoft-com.akamaized.net` |
| backgroundtransferhost | HTTPS | `store-images.microsoft.com` |
The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTP | storeedgefd.dsx.mp.microsoft.com |
| | HTTP \ HTTPS | pti.store.microsoft.com |
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
| svchost | HTTPS | displaycatalog.mp.microsoft.com |
| | HTTP | `storeedgefd.dsx.mp.microsoft.com` |
| | HTTP \ HTTPS | `pti.store.microsoft.com` |
||TLS v1.2| `cy2.*.md.mp.microsoft.com.*.` |
| svchost | HTTPS | `displaycatalog.mp.microsoft.com` |
## Network Connection Status Indicator (NCSI)
@ -308,7 +308,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTP | www.msftconnecttest.com/connecttest.txt |
| | HTTP | `www.msftconnecttest.com/connecttest.txt` |
## Office
@ -318,13 +318,13 @@ If you turn off traffic for these endpoints, users won't be able to save documen
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | | *.a-msedge.net |
| hxstr | | *.c-msedge.net |
| | | *.e-msedge.net |
| | | *.s-msedge.net |
| | HTTPS | ocos-office365-s2s.msedge.net |
| | HTTPS | nexusrules.officeapps.live.com |
| | HTTPS | officeclient.microsoft.com |
| | | `*.a-msedge.net` |
| hxstr | | `*.c-msedge.net` |
| | | `*.e-msedge.net` |
| | | `*.s-msedge.net` |
| | HTTPS | `ocos-office365-s2s.msedge.net` |
| | HTTPS | `nexusrules.officeapps.live.com` |
| | HTTPS | `officeclient.microsoft.com` |
The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
@ -332,20 +332,20 @@ If you turn off traffic for these endpoints, users won't be able to save documen
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
| system32\Auth.Host.exe | HTTPS | `outlook.office365.com` |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
|Windows Apps\Microsoft.Windows.Photos|HTTPS| `client-office365-tas.msedge.net` |
The following endpoint is used to connect the Office To-Do app to it's cloud service.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| |HTTPS|to-do.microsoft.com|
| |HTTPS| `to-do.microsoft.com` |
## OneDrive
@ -354,14 +354,14 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
| onedrive | HTTP \ HTTPS | `g.live.com/1rewlive5skydrive/ODSUProduction` |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| onedrive | HTTPS | oneclient.sfx.ms |
| onedrive | HTTPS | `oneclient.sfx.ms` |
## Settings
@ -370,21 +370,21 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
| dmclient | | `cy2.settings.data.microsoft.com.akadns.net` |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| dmclient | HTTPS | settings.data.microsoft.com |
| dmclient | HTTPS | `settings.data.microsoft.com` |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTPS | settings-win.data.microsoft.com |
| svchost | HTTPS | `settings-win.data.microsoft.com` |
## Skype
@ -392,9 +392,9 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
| | HTTPS | browser.pipe.aria.microsoft.com |
| | | skypeecs-prod-usw-0-b.cloudapp.net |
|microsoft.windowscommunicationsapps.exe | HTTPS | `config.edge.skype.com` |
| | HTTPS | `browser.pipe.aria.microsoft.com` |
| | | `skypeecs-prod-usw-0-b.cloudapp.net` |
## Windows Defender
@ -403,24 +403,24 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | | wdcp.microsoft.com |
| | | `wdcp.microsoft.com` |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | | definitionupdates.microsoft.com |
|MpCmdRun.exe|HTTPS|go.microsoft.com |
| | | `definitionupdates.microsoft.com` |
|MpCmdRun.exe|HTTPS| `go.microsoft.com` |
The following endpoints are used for Windows Defender Smartscreen reporting and notifications.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| | HTTPS | ars.smartscreen.microsoft.com |
| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
| | | smartscreen-sn3p.smartscreen.microsoft.com |
| | HTTPS | `ars.smartscreen.microsoft.com` |
| | HTTPS | `unitedstates.smartscreen-prod.microsoft.com` |
| | | `smartscreen-sn3p.smartscreen.microsoft.com` |
## Windows Spotlight
@ -429,11 +429,11 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| backgroundtaskhost | HTTPS | arc.msn.com |
| backgroundtaskhost | | g.msn.com.nsatc.net |
| |TLS v1.2| *.search.msn.com |
| | HTTPS | ris.api.iris.microsoft.com |
| | HTTPS | query.prod.cms.rt.microsoft.com |
| backgroundtaskhost | HTTPS | `arc.msn.com` |
| backgroundtaskhost | | `g.msn.com.nsatc.net` |
| |TLS v1.2| `*.search.msn.com` |
| | HTTPS | `ris.api.iris.microsoft.com` |
| | HTTPS | `query.prod.cms.rt.microsoft.com` |
## Windows Update
@ -442,23 +442,23 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
| svchost | HTTPS | `*.prod.do.dsp.mp.microsoft.com` |
The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTP | *.windowsupdate.com |
| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
| svchost | HTTP | `*.windowsupdate.com` |
| svchost | HTTP | `*.dl.delivery.mp.microsoft.com` |
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTPS | *.update.microsoft.com |
| svchost | HTTPS | *.delivery.mp.microsoft.com |
| svchost | HTTPS | `*.update.microsoft.com` |
| svchost | HTTPS | `*.delivery.mp.microsoft.com` |
These are dependent on enabling:
- [Device authentication](manage-windows-1809-endpoints.md#device-authentication)
@ -469,7 +469,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
| svchost | HTTPS | `tsfe.trafficshaping.dsp.mp.microsoft.com` |
## Microsoft forward link redirection service (FWLink)
@ -480,7 +480,7 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa
| Source process | Protocol | Destination |
|----------------|:--------:|------------|
|Various|HTTPS|go.microsoft.com|
|Various|HTTPS| `go.microsoft.com` |
## Other Windows 10 editions

87
windows/privacy/windows-10-and-privacy-compliance.md
View File

@ -19,15 +19,14 @@ ms.date: 07/21/2020
# Windows 10 & Privacy Compliance:<br />A Guide for IT and Compliance Professionals
Applies to:
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Professional
- Windows Server 2016 and newer
## Overview
>[!IMPORTANT]
>Microsoft is [increasing transparency](https://blogs.microsoft.com/on-the-issues/2019/04/30/increasing-transparency-and-customer-control-over-data/) by categorizing the data we collect as required or optional. Windows 10 is in the process of updating devices to reflect this new categorization, and during this transition Basic diagnostic data will be recategorized as Required diagnostic data and Full diagnostic data will be recategorized as Optional diagnostic data. For more information, see [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md).
At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows 10.
Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article.
@ -45,11 +44,11 @@ When setting up a device, a user can configure their privacy settings. Those pri
The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information.
> [!NOTE]
> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, [see Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and newer). For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
| Feature/Setting | Description | Supporting Content | Privacy Statement |
| --- | --- | --- | --- |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Diagnostic Data | <p>Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.</p><p>Diagnostic data is categorized into the following:<ul><li>**Required diagnostic data**<br />Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).</li><li>**Optional diagnostic data**<br />Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).</li></ul></p> | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)<br /><br />[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) |
| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
@ -57,7 +56,7 @@ The following table provides an overview of the Windows 10 privacy settings pres
| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
| Activity History/Timeline Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) |
| Cortana | <p>Cortana is Microsofts personal digital assistant, which helps busy people get things done, even while theyre at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.<br /><br />Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.</p> | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)<br /><br />[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
| Cortana | <p>Cortana is Microsofts personal digital assistant, which helps busy people get things done, even while theyre at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content, and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.<br /><br />Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.</p> | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)<br /><br />[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
### 1.2 Data collection monitoring
@ -65,6 +64,8 @@ The following table provides an overview of the Windows 10 privacy settings pres
An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information.
> [!Note]
> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular users device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights).
## 2. Windows 10 data collection management
@ -81,14 +82,14 @@ Administrators can configure and control privacy settings across their organizat
The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If youre interested in minimizing data collection, we also provide the recommended value to set.
> [!NOTE]
> This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
> This is not a complete list of settings that involve connecting to Microsoft services. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection |
|---|---|---|---|
| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:<br />**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**<br /><br />MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**<br /><br />MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions:<br />Required diagnostic data (Windows 10, version 1903 and later)<br /><br />Server editions:<br />Required diagnostic data | Security and block endpoints |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)<br /><br />**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. See [Enabling the Windows diagnostic data processor configuration](#238-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration) below for more information. | Required diagnostic data (Windows 10, version 1903 and later)<br /><br />Server editions:<br />Enhanced diagnostic data | Security (Off) and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
@ -108,8 +109,9 @@ If you want the ability to fully control and apply restrictions on data being se
Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows 10:
- https://docs.microsoft.com/windows/deployment/windows-Autopilot/windows-Autopilot
- https://docs.microsoft.com/windows/deployment/windows-Autopilot/deployment-process
- [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot)
- [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process)
#### _2.3.2 Managing connections from Windows components to Microsoft services_
@ -121,14 +123,15 @@ For more details, see [Manage connections from Windows operating system componen
Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives.
[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](./index.yml) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the Windows Privacy site under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
#### _2.3.4 Limited functionality baseline_
An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that dont want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that dont want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
>[!IMPORTANT]
>We recommend that you fully test any modifications to these settings before deploying them in your organization.
> - We recommend that you fully test any modifications to these settings before deploying them in your organization.
> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying to ensure the Windows diagnostic setting is not turned off.
#### _2.3.5 Diagnostic data: Managing notifications for change of level at logon_
@ -140,27 +143,62 @@ Windows 10, version 1803 and newer allows users to change their diagnostic data
#### _2.3.7 Diagnostic data: Managing device-based data delete_
Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet.
An administrator can disable a users ability to delete their devices diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.
>[!Note]
>If the Windows diagnostic data processor configuration is enabled, the Delete diagnostic data button will be disabled and the powershell cmdlet will not delete data collected under this configuration. IT administrators can instead delete diagnostic data collected by invoking a delete request from the admin portal.
#### _2.3.8 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
**Applies to:**
- Windows 10 Enterprise, Pro, Education editions, version 1809 with July 2021 update and newer
The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows 10 devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, youre able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer.
We recommend that IT administrators who have enabled the Windows diagnostic data processor configuration consider the following:
- Restrict users ability to sign-in with a Microsoft Account (MSA) using [Block Microsoft account group policy](/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts).
- Restrict users ability to submit feedback, as any feedback or additional logs submitted by the user are not managed by the Windows diagnostic data processor configuration option. The Feedback hub app can be removed using [PowerShell](/powershell/module/appx/remove-appxpackage) and you can block the ability to submit feedback in Microsoft Edge using [Feedback group policy](/deployedge/microsoft-edge-policies#userfeedbackallowed).
>[!Note]
>Tenant account closure will lead to the deletion of all data associated with that tenant.
Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Desktop Analytics, Windows Update for Business, and Microsoft Managed Desktop. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations).
For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr).
## 3. The process for exercising data subject rights
This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows 10 device.
For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the sections below.
### 3.1 Delete
Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet.
>[!Note]
>If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal.
### 3.2 View
The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows 10 device. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet.
>[!Note]
>If the Windows diagnostic data processor configuration is enabled, IT administrators can view the diagnostic data that is associated with a user from the admin portal.
### 3.3 Export
The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the **Export** data button in the top menu. Administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script.
>[!Note]
>If the Windows diagnostic data processor configuration is enabled, IT administrators can also export the diagnostic data that is associated with a user from the admin portal.
### 3.4 Devices connected to a Microsoft account
If a user signs in to a Windows experience or app on their device with their Microsoft account, they can view, delete, and export data associated with their Microsoft account on the [Privacy dashboard](https://account.microsoft.com/privacy).
@ -168,11 +206,10 @@ If a user signs in to a Windows experience or app on their device with their Mic
## 4. Cross-border data transfers
Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders
Microsoft complies with applicable law regarding the collection, use, and retention of personal information, including its transfer across borders.
Microsofts [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data.
## 5. Related Windows product considerations
The following sections provide details about how privacy data is collected and managed across related Windows products.
@ -181,22 +218,32 @@ The following sections provide details about how privacy data is collected and m
Windows Server follows the same mechanisms as Windows 10 for handling of personal data.
>[!Note]
>The Windows diagnostic data processor configuration is not available for Windows Server.
### 5.2 Surface Hub
[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store
[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
>[!IMPORTANT]
>Apps and services that run on Windows but are not considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services.
An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](/surface-hub/manage-settings-with-mdm-for-surface-hub).
>[!Note]
>The Windows diagnostic data processor configuration is not available for Surface Hub.
### 5.3 Desktop Analytics
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
### 5.4 Microsoft Managed Desktop
[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
### 5.5 Update Compliance
[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows 10 Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows 10 diagnostic data for all its reporting.
## Additional Resources

34
windows/privacy/windows-diagnostic-data.md
View File

@ -28,7 +28,7 @@ Applies to:
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
The data covered in this article is grouped into the following types:
@ -41,7 +41,7 @@ The data covered in this article is grouped into the following types:
- Inking, Typing, and Speech Utterance data
## Common data extensions
Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944:2017.
Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the equivalent definition for ISO/IEC 19944-1:2020.
**Data Use for Common data extensions**
Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category.
@ -66,7 +66,7 @@ Information that is added to most diagnostic events, if relevant and available:
## Device, Connectivity, and Configuration data
This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944-1:2020, 8.2.3.2.3 Connectivity data.
### Data Use for Device, Connectivity, and Configuration data
@ -178,7 +178,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Hashed IP address
## Product and Service Usage data
This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944-1:2020, 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Product and Service Usage data
@ -242,7 +242,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Login sessions and state
## Product and Service Performance data
This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data.
This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944-1:2020 8.2.3.2.2 EUII Telemetry data.
### Data Use for Product and Service Performance data
@ -355,7 +355,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- License usage session
## Software Setup and Inventory data
This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944-1:2020 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Software Setup and Inventory data
@ -397,7 +397,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Windows Insider build details
## Browsing History data
This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client-side browsing history.
This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944-1:2020 8.2.3.2.8 Client-side browsing history.
### Data Use for Browsing History data
@ -429,7 +429,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Page title
## Inking Typing and Speech Utterance data
This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944-1:2020 8.2.3.2.1 End User Identifiable information.
### Data Use for Inking, Typing, and Speech Utterance data
@ -462,31 +462,31 @@ This type of data gathers details about the voice, inking, and typing input feat
- Whether user is known to be a child
- Confidence and success or failure of speech recognition
## ISO/IEC 19944:2017-specific terminology
## ISO/IEC 19944-1:2020-specific terminology
This section provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article.
This section provides the ISO/IEC 19944-1:2020-specific definitions for use and de-identification qualifiers used in this article.
### Provide
ISO/IEC 19944:2017 Reference: **9.3.2 Provide**
ISO/IEC 19944-1:2020 Reference: **9.3.2 Provide**
Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.
### Improve
ISO/IEC 19944:2017 Reference: **9.3.3 Improve**
ISO/IEC 19944-1:2020 Reference: **9.3.3 Improve**
Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.
### Personalize
ISO/IEC 19944:2017 Reference: **9.3.4 Personalize**
ISO/IEC 19944-1:2020 Reference: **9.3.4 Personalize**
Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.
### Recommend
ISO/IEC 19944:2017 Reference: **9.3.4 Personalize**
ISO/IEC 19944-1:2020 Reference: **9.3.4 Personalize**
“Recommend” means use of the specified data categories to Personalize (9.3.4) the end users experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.
@ -494,7 +494,7 @@ Use of the specified data categories give recommendations about Microsoft produc
### Offer
ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell**
ISO/IEC 19944-1:2020 Reference: **9.3.5 Offer upgrades or upsell**
Implies that the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
@ -502,13 +502,13 @@ Specifically, use of the specified data categories to make an offer or upsell ne
### Promote
ISO/IEC 19944:2017 Reference: **9.3.6 Market/advertise/promote**
ISO/IEC 19944-1:2020 Reference: **9.3.6 Market/advertise/promote**
Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.
### Data identification qualifiers
Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference:
Here are the data identification qualifiers and the ISO/IEC 19944-1:2020 reference:
- **<a name="pseudo">Pseudonymized Data</a>** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **<a name="anon">Anonymized Data</a>** 8.3.5 Anonymized data. Microsoft usage notes are as defined.

2
windows/security/identity-protection/access-control/special-identities.md
View File

@ -282,7 +282,7 @@ This group implicitly includes all users who are logged on to the system through
## Principal Self
This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
| **Attribute** | **Value** |
| :--: | :--: |

103
windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device.
keywords: identity, Hello, Active Directory, cloud,
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 06/23/2021
ms.reviewer:
---
# Azure Active Directory join cloud only deployment
## Introduction
When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
> [!NOTE]
> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you dont have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
## Prerequisites
Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment).
Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
Check and view this setting with the following MSOnline PowerShell command:
`Get-MsolDomainFederationSettings DomainName <your federated domain name>`
To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain.
`Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
Example:
`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
## Use Intune to disable Windows Hello for Business enrollment
We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business.
## Disable Windows Hello for Business using Intune Enrollment policy
1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
> [!NOTE]
> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
## Disable Windows Hello for Business enrollment without Intune
The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s).
Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used.
Here are the registry settings an Intune policy would set.
Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
These registry settings are pushed from Intune for user policies for your reference.
- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies`**
- DWORD: **UsePassportForWork**
- Value = **0** for Disable, or Value = **1** for Enable
For your reference, these registry settings can be applied from Local or Group Policies.
- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**
- DWORD: **Enabled**
- Value = **0** for Disable or Value = **1** for Enable
If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
## Related reference documents for Azure AD join scenarios
- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)
- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
- [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin)
- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)

42
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -23,7 +23,7 @@ ms.reviewer:
- Windows 10, version 1709 or later
Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multi-factor authentication to reset their PIN.
Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN.
There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and does not require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
@ -50,17 +50,17 @@ Destructive and non-destructive PIN reset use the same entry points for initiati
For Azure AD joined devices:
1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
1. Click **I forgot my PIN** from the PIN credential provider
1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e. Password, PIN, Security key)
1. Follow the instructions provided by the provisioning process
1. Click **I forgot my PIN** from the PIN credential provider.
1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e., Password, PIN, Security key).
1. Follow the instructions provided by the provisioning process.
1. When finished, unlock your desktop using your newly created PIN.
For Hybrid Azure AD joined devices:
1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
1. Click **I forgot my PIN** from the PIN credential provider
1. Click **I forgot my PIN** from the PIN credential provider.
1. Enter your password and press enter.
1. Follow the instructions provided by the provisioning process
1. Follow the instructions provided by the provisioning process.
1. When finished, unlock your desktop using your newly created PIN.
> [!NOTE]
@ -79,7 +79,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903.
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multi-factor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
@ -94,17 +94,23 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
> [!div class="mx-imgBorder"]
> ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
:::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
### Configure Windows devices to use PIN reset using Group Policy
@ -122,7 +128,7 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput
1. Set **Enable PIN recovery** to **Yes**.
> [!NOTE]
> You can also setup PIN recovery using configuration profiles.
> You can also set up PIN recovery using configuration profiles.
>
> 1. Sign in to Endpoint Manager.
> 1. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
@ -141,7 +147,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
#### Sample User state Output for Destructive PIN Reset
```
```console
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
@ -160,7 +166,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
#### Sample User state Output for Non-Destructive PIN Reset
```
```console
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
@ -189,21 +195,29 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
### Configuring Policy Using Intune
1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**.
1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create.
1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next.
1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings
- **Name:** Web Sign In Allowed URLs
- **Description:** (Optional) List of domains that are allowed during PIN reset flows.
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
- **Data type:** String
- **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be "signin.contoso.com;portal.contoso.com"
- **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png)
:::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
1. Click the Save button to save the custom configuration.
1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button.
1. On the Applicability rules page, click Next.
1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups.
> [!NOTE]

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -193,7 +193,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin
10. On the **Request Handling** tab, select the **Renew with same key** check box.
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
11. On the **Security** tab, click **Add**. Type **Windows Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.

BIN
windows/security/identity-protection/hello-for-business/images/pinreset/allowlist.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 33 KiB

After

Width:  |  Height:  |  Size: 33 KiB

2
windows/security/identity-protection/hello-for-business/toc.yml
View File

@ -101,6 +101,8 @@
href: hello-cert-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- name: Azure AD join cloud only deployment
href: hello-aad-join-cloud-only-deploy.md
- name: Managing Windows Hello for Business in your organization
href: hello-manage-in-organization.md
- name: Deploying Certificates to Key Trust Users to Enable RDP

2
windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
View File

@ -35,6 +35,6 @@ sections:
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
not available you will need to use the recovery key to unlock the computer if it can not be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).

15
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
## Discrete, Integrated or Firmware TPM?
@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
### IoT Core
@ -111,21 +111,20 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|-
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes
Windows Defender System Guard | Yes | No | Yes
Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
Device Health Attestation| Yes | Yes | Yes
Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
UEFI Secure Boot | No | Yes | Yes
TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
Virtual Smart Card | Yes | Yes | Yes
Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
## OEM Status on TPM 2.0 system availability and certified parts

8
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
## Create a WIP policy
1. Sign in to the Azure portal.
1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**.
2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
![Open Client apps](images/create-app-protection-policy.png)
@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou
Using this server type indicates that the cloud resources youre connecting to are enterprise resources.
This list shouldnt include any servers listed in your Internal proxy servers list.
Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```console
@ -498,7 +498,7 @@ proxy.contoso.com:80;proxy2.contoso.com:443
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.
This list shouldnt include any servers listed in your Proxy servers list.
Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```console

4
windows/security/threat-protection/TOC.yml
View File

@ -193,7 +193,7 @@
- name: Phishing
href: intelligence/phishing.md
- name: Ransomware
href: intelligence/ransomware-malware.md
href: /security/compass/human-operated-ransomware
- name: Rootkits
href: intelligence/rootkits-malware.md
- name: Supply chain attacks
@ -224,7 +224,7 @@
- name: Information for developers
items:
- name: Software developer FAQ
href: intelligence/developer-faq.md
href: intelligence/developer-faq.yml
- name: Software developer resources
href: intelligence/developer-resources.md
- name: The Windows Security app

4
windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
View File

@ -21,8 +21,7 @@ ms.technology: mde
- Windows 10
- Windows Server 2016
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
@ -35,4 +34,3 @@ This auditing subcategory should not have any events in it, but for some reason
- [4985](event-4985.md)(S): The state of a transaction has changed.

88
windows/security/threat-protection/auditing/basic-audit-account-management.md
View File

@ -45,50 +45,50 @@ You can configure this security setting by opening the appropriate policy under
| Account management events | Description |
|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 624 | A user account was created. |
| 627 | A user password was changed. |
| 628 | A user password was set. |
| 630 | A user account was deleted. |
| 631 | A global group was created. |
| 632 | A member was added to a global group. |
| 633 | A member was removed from a global group. |
| 634 | A global group was deleted. |
| 635 | A new local group was created. |
| 636 | A member was added to a local group. |
| 637 | A member was removed from a local group. |
| 638 | A local group was deleted. |
| 639 | A local group account was changed. |
| 641 | A global group account was changed. |
| 642 | A user account was changed. |
| 643 | A domain policy was modified. |
| 644 | A user account was auto locked. |
| 645 | A computer account was created. |
| 646 | A computer account was changed. |
| 647 | A computer account was deleted. |
| 648 | A local security group with security disabled was created.<br>**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. |
| 649 | A local security group with security disabled was changed. |
| 650 | A member was added to a security-disabled local security group. |
| 651 | A member was removed from a security-disabled local security group. |
| 652 | A security-disabled local group was deleted. |
| 653 | A security-disabled global group was created. |
| 645 | A security-disabled global group was changed. |
| 655 | A member was added to a security-disabled global group. |
| 656 | A member was removed from a security-disabled global group. |
| 657 | A security-disabled global group was deleted. |
| 658 | A security-enabled universal group was created. |
| 659 | A security-enabled universal group was changed. |
| 660 | A member was added to a security-enabled universal group. |
| 661 | A member was removed from a security-enabled universal group. |
| 662 | A security-enabled universal group was deleted. |
| 663 | A security-disabled universal group was created. |
| 664 | A security-disabled universal group was changed. |
| 665 | A member was added to a security-disabled universal group. |
| 666 | A member was removed from a security-disabled universal group. |
| 667 | A security-disabled universal group was deleted. |
| 668 | A group type was changed. |
| 684 | Set the security descriptor of members of administrative groups. |
| 685 | Set the security descriptor of members of administrative groups.<br>**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
| :-----------------------: | :---------- |
| 4720 | A user account was created. |
| 4723 | A user password was changed. |
| 4724 | A user password was set. |
| 4726 | A user account was deleted. |
| 4727 | A global group was created. |
| 4728 | A member was added to a global group. |
| 4729 | A member was removed from a global group. |
| 4730 | A global group was deleted. |
| 4731 | A new local group was created. |
| 4732 | A member was added to a local group. |
| 4733 | A member was removed from a local group. |
| 4734 | A local group was deleted. |
| 4735 | A local group account was changed. |
| 4737 | A global group account was changed. |
| 4738 | A user account was changed. |
| 4739 | A domain policy was modified. |
| 4740 | A user account was auto locked. |
| 4741 | A computer account was created. |
| 4742 | A computer account was changed. |
| 4743 | A computer account was deleted. |
| 4744 | A local security group with security disabled was created.<br> **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks |
| 4745 | A local security group with security disabled was changed. |
| 4746 | A member was added to a security-disabled local security group. |
| 4747 | A member was removed from a security-disabled local security group. |
| 4748 | A security-disabled local group was deleted. |
| 4749 | A security-disabled global group was created. |
| 4750 | A security-disabled global group was changed. |
| 4751 | A member was added to a security-disabled global group. |
| 4752 | A member was removed from a security-disabled global group. |
| 4753 | A security-disabled global group was deleted. |
| 4754 | A security-enabled universal group was created. |
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group. |
| 4757 | A member was removed from a security-enabled universal group. |
| 4758 | A security-enabled universal group was deleted. |
| 4759 | A security-disabled universal group was created. |
| 4760 | A security-disabled universal group was changed. |
| 4761 | A member was added to a security-disabled universal group. |
| 4762 | A member was removed from a security-disabled universal group. |
| 4763 | A security-disabled universal group was deleted. |
| 4764 | A group type was changed. |
| 4780 | Set the security descriptor of members of administrative groups. |
| 685 | Set the security descriptor of members of administrative groups.<br> **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. |
## Related topics

2
windows/security/threat-protection/auditing/event-4624.md
View File

@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. |

21
windows/security/threat-protection/auditing/event-4627.md
View File

@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
<img src="images/event-4627.png" alt="Event 4627 illustration" width="876" height="1418" hspace="10" align="left" />
<img src="images/event-4627.png" alt="Event 4627 illustration" width="554" height="896" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Group Membership](audit-group-membership.md)
@ -33,12 +33,14 @@ You must also enable the Success audit for [Audit Logon](audit-logon.md) subcate
Multiple events are generated if the group membership information cannot fit in a single security audit event.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
@ -86,7 +88,8 @@ Multiple events are generated if the group membership information cannot fit in
- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it.
@ -104,10 +107,10 @@ Multiple events are generated if the group membership information cannot fit in
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|------------|-------------------|----------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
@ -122,7 +125,8 @@ Multiple events are generated if the group membership information cannot fit in
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
@ -148,7 +152,8 @@ Multiple events are generated if the group membership information cannot fit in
For 4627(S): Group membership information.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.

2
windows/security/threat-protection/auditing/event-4648.md
View File

@ -179,7 +179,7 @@ The following table is similar to the table in [Appendix A: Security monitoring
| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.<br>Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.<br>For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that dont comply with naming conventions. |

2
windows/security/threat-protection/auditing/event-4688.md
View File

@ -193,7 +193,7 @@ For 4688(S): A new process has been created.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4696.md
View File

@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4703.md
View File

@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |

2
windows/security/threat-protection/auditing/event-4704.md
View File

@ -153,7 +153,7 @@ For 4704(S): A user right was assigned.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. |

2
windows/security/threat-protection/auditing/event-4705.md
View File

@ -152,7 +152,7 @@ For 4705(S): A user right was removed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.<br>For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.<br>As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. |

2
windows/security/threat-protection/auditing/event-4717.md
View File

@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |

2
windows/security/threat-protection/auditing/event-4718.md
View File

@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.<br>If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.<br>For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.<br>As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.<br>For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. |

2
windows/security/threat-protection/auditing/event-4732.md
View File

@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4733.md
View File

@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4751.md
View File

@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4752.md
View File

@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4768.md
View File

@ -305,7 +305,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. |

75
windows/security/threat-protection/auditing/event-4771.md
View File

@ -166,13 +166,78 @@ The most common values:
> Table 6. Kerberos ticket flags.
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event:
- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9):
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
| 0x0 | KDC\_ERR\_NONE | No error |
| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired |
| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired |
| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported |
| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key |
| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key |
| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database |
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database |
| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database |
| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key |
| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating |
| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time |
| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request |
| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option |
| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type |
| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type |
| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked |
| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked |
| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked |
| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later |
| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The users password has expired.
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided.
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required |
| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match |
| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only |
| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path |
| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available |
| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid |
| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match |
| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great |
| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address |
| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch |
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified |
| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order |
| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available |
| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available |
| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed |
| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP |
| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) |
| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation |
| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT |
| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT |
| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT |
| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT |
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use |
| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER |
| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT |
| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT |
| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT |
| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT |
| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT |
| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT |
| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT |
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request.
@ -209,7 +274,7 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.

2
windows/security/threat-protection/auditing/event-4776.md
View File

@ -130,7 +130,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that dont comply with naming conventions. |

2
windows/security/threat-protection/auditing/event-4778.md
View File

@ -127,7 +127,7 @@ For 4778(S): A session was reconnected to a Window Station.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. |

2
windows/security/threat-protection/auditing/event-4779.md
View File

@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.<br>For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.<br>If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. |

4
windows/security/threat-protection/intelligence/TOC.yml
View File

@ -18,7 +18,7 @@
- name: Phishing trends and techniques
href: phishing-trends.md
- name: Ransomware
href: ransomware-malware.md
href: /security/compass/human-operated-ransomware
- name: Rootkits
href: rootkits-malware.md
- name: Supply chain attacks
@ -55,6 +55,6 @@
- name: Information for developers
items:
- name: Software developer FAQ
href: developer-faq.md
href: developer-faq.yml
- name: Software developer resources
href: developer-resources.md

2
windows/security/threat-protection/intelligence/criteria.md
View File

@ -62,7 +62,7 @@ Microsoft classifies most malicious software into one of the following categorie
* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](/security/compass/human-operated-ransomware).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services.

51
windows/security/threat-protection/intelligence/developer-faq.md
View File

@ -1,51 +0,0 @@
---
title: Software developer FAQ
ms.reviewer:
description: This page provides answers to common questions we receive from software developers
keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: mde
---
# Software developer FAQ
This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
## Does Microsoft accept files for a known list or false-positive prevention program?
No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
## How do I dispute the detection of my program?
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
## Why is Microsoft asking for a copy of my program?
Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
## Why does Microsoft classify my installer as a software bundler?
It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
## Why is the Windows Defender Firewall blocking my program?
Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)

60
windows/security/threat-protection/intelligence/developer-faq.yml Normal file
View File

@ -0,0 +1,60 @@
### YamlMime:FAQ
metadata:
title: Software developer FAQ
ms.reviewer:
description: This page provides answers to common questions we receive from software developers
keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: mde
title: Software developer FAQ
summary: This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
sections:
- name: Ignored
questions:
- question: |
Does Microsoft accept files for a known list or false-positive prevention program?
answer: |
No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
- question: |
How do I dispute the detection of my program?
answer: |
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
- question: |
Why is Microsoft asking for a copy of my program?
answer: |
Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
- question: |
Why does Microsoft classify my installer as a software bundler?
answer: |
It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
- question: |
Why is the Windows Defender Firewall blocking my program?
answer: |
Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
- question: |
Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
answer: |
This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)

2
windows/security/threat-protection/intelligence/developer-resources.md
View File

@ -37,7 +37,7 @@ To objectively identify malware and unidentified software, Microsoft applies a [
### Developer questions
Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.md).
Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.yml).
### Scan your software

2
windows/security/threat-protection/intelligence/fileless-threats.md
View File

@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
## Defeating fileless malware
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)

2
windows/security/threat-protection/intelligence/phishing-trends.md
View File

@ -41,7 +41,7 @@ An attacker sends a fraudulent email requesting you to open or download a docume
## Phishing emails that deliver other threats
Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](/security/compass/human-operated-ransomware) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.

1
windows/security/threat-protection/intelligence/phishing.md
View File

@ -99,4 +99,3 @@ If you feel you've been a victim of a phishing attack:
- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)
- [Phishing trends](phishing-trends.md)
- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.

77
windows/security/threat-protection/intelligence/ransomware-malware.md
View File

@ -1,77 +0,0 @@
---
title: Ransomware
ms.reviewer:
description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files.
keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora
ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
ms.technology: mde
---
# Ransomware
Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks.
## How ransomware works
Most ransomware infections start with:
- Email messages with attachments that try to install ransomware.
- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model where malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses.
### Examples
Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits.
- Spora drops ransomware copies in network shares.
- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.
- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid.
Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files.
**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
## How to protect against ransomware
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms.
To provide the best protection against ransomware attacks, Microsoft recommends that you:
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
- Apply the latest updates to your operating systems and apps.
- Educate your employees so they can identify social engineering and spear-phishing attacks.
- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
## Human-operated ransomware
Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go.
Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands.
The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware).
See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks.

2
windows/security/threat-protection/intelligence/understanding-malware.md
View File

@ -32,7 +32,7 @@ There are many types of malware, including:
- [Exploits and exploit kits](exploits-malware.md)
- [Macro malware](macro-malware.md)
- [Phishing](phishing.md)
- [Ransomware](ransomware-malware.md)
- [Ransomware](/security/compass/human-operated-ransomware)
- [Rootkits](rootkits-malware.md)
- [Supply chain attacks](supply-chain-malware.md)
- [Tech support scams](support-scams.md)

18
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -9,7 +9,7 @@ metadata:
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 05/12/2021
ms.date: 06/16/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -37,6 +37,17 @@ sections:
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
- question: |
My network configuration uses a proxy and Im running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
answer: |
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
- Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
- It must be a FQDN. A simple IP address will not work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
- question: |
Can employees download documents from the Application Guard Edge session onto host devices?
answer: |
@ -59,6 +70,11 @@ sections:
answer: |
Make sure to enable the extensions policy on your Application Guard configuration.
- question: |
Im trying to watch playback video with HDR, why is the HDR option missing?
answer: |
In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard.
- question: |
How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
answer: |

28
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 02/11/2020
ms.date: 07/01/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -25,21 +25,23 @@ The threat landscape is continually evolving. While hackers are busy developing
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.
|Hardware|Description|
Your environment must have the following hardware to run Microsoft Defender Application Guard.
| Hardware | Description |
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|Microsoft requires a minimum of 8GB RAM|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_ <p> **AND** <p> One of the following virtualization extensions for VBS:<br/>VT-x (Intel)<br/>**OR**<br/>AMD-V |
| Hardware memory | Microsoft requires a minimum of 8GB RAM |
| Hard disk | 5 GB free space, solid state disk (SSD) recommended |
| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended |
## Software requirements
Your environment needs the following software to run Microsoft Defender Application Guard.
|Software|Description|
Your environment must have the following software to run Microsoft Defender Application Guard.
| Software | Description |
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Professional for Workstations edition, version 1803 or higher<br>Windows 10 Professional Education edition version 1803 or higher<br>Windows 10 Education edition, version 1903 or higher<br>Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
|Management system<br> (only for managed devices)|[Microsoft Intune](/intune/)<br><br>**-OR-**<br><br>[Microsoft Endpoint Configuration Manager](/configmgr/)<br><br>**-OR-**<br><br>[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |

12
windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
View File

@ -20,12 +20,12 @@ ms.technology: mde
This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics).
| **Section** | **Contents** |
| Section | Contents |
|--------------|-------------------------|
| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. |
| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). |
| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. |
| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. |
| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://www.microsoft.com/download/details.aspx?id=48240) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. |
<a href="" id="threat-landscape"></a>This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features.
<table>
<thead>
<tr class="header">
<th><b>Specific EMET features</b></th>
<th><b>How these EMET features map<br />
to Windows 10 features</b></th>
<th>Specific EMET features</th>
<th>How these EMET features map<br />
to Windows 10 features</th>
</tr>
</thead>
<tbody>
@ -435,7 +435,7 @@ Examples:
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
```
- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies). This will enable protections on Windows 10 equivalent to EMET's ASR protections.
- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This will enable protections on Windows 10 equivalent to EMET's ASR protections.
- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:

10
windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
View File

@ -14,17 +14,20 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 06/11/2021
ms.technology: mde
---
# Access this computer from the network - security policy setting
**Applies to**
- Windows 10
- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016
Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting.
> [!WARNING]
> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly.
## Reference
The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight
- On desktop devices or member servers, grant this right only to users and administrators.
- On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
- On failover clusters, make sure this right is granted to authenticated users.
- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead.
### Location
@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network.
If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly.
## Related topics
[User Rights Assignment](user-rights-assignment.md)

6
windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
View File

@ -79,7 +79,7 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep
To audit attempts to access global system objects, you can use one of two security audit policy settings:
- [Audit Kernel Object](../auditing/audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access
- [Audit object access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy
- [Audit Object Access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy
If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate.
@ -92,13 +92,13 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated:
If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.<br>**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |

4
windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 07/01/2021
ms.technology: mde
---
@ -92,7 +92,7 @@ Overwriting the administrator's password does not help the attacker access data
Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting.
To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25.
To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25.
When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry.

36
windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
View File

@ -28,10 +28,10 @@ Describes the best practices, location, values, and security considerations for
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive.
1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password.
The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2. The password contains characters from three of the following categories:
@ -47,7 +47,7 @@ Complexity requirements are enforced when passwords are changed or created.
The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified.
When enabled, the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users aren't used to passwords that contain characters that aren't in the alphabet. But this policy setting is liberal enough that all users should get used to it.
When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it.
Additional settings that can be included in a custom Passfilt.dll are the use of nonupper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0).
@ -64,7 +64,7 @@ Additional settings that can be included in a custom Passfilt.dll are the use of
Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.
The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add additional complexity to the password.)
The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.)
Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements.
@ -74,16 +74,16 @@ Passwords that contain only alphanumeric characters are easy to compromise by us
### Default values
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
| Default domain policy| Enabled|
| Default domain controller policy| Enabled|
| Stand-alone server default settings | Disabled|
| Domain controller effective default settings | Enabled|
|---|---|
| Default domain policy | Enabled |
| Default domain controller policy | Enabled |
| Stand-alone server default settings | Disabled |
| Domain controller effective default settings | Enabled |
| Member server effective default settings | Enabled|
| Effective GPO default settings on client computers | Disabled|
| Effective GPO default settings on client computers | Disabled |
## Security considerations
@ -91,21 +91,21 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.
Passwords that contain only alphanumeric characters are easy to discover with several publicly available tools.
### Countermeasure
Configure the **Passwords must meet complexity requirements** policy setting to Enabled and advise users to use a variety of characters in their passwords.
Configure the **Passwords must meet complexity requirements** policy setting to _Enabled_ and advise users to use a variety of characters in their passwords.
When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it is difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.)
When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it's difficult (but possible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.)
### Potential impact
If the default password complexity configuration is retained, additional Help Desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to comply with the complexity requirement with minimal difficulty.
If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts. However, all users should be able to follow the complexity requirement with minimal difficulty.
If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 01280159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
The use of ALT key character combinations may greatly enhance the complexity of a password. However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 01280159 range. (ALT characters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity to the password.)
## Related articles

4
windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/02/2018
ms.date: 07/01/2021
ms.technology: mde
---
@ -46,7 +46,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**.
3. Verify that the status for the Application Identity service is **Running**.
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead:
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead:
- Open an elevated command prompt or PowerShell session and type:

6
windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
View File

@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st
### Deploying multiple policies via ApplicationControl CSP
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.

Some files were not shown because too many files have changed in this diff Show More