From 49cedb0a06c9837193c4f06b29c933de594434a2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:16:50 +0500 Subject: [PATCH 01/43] Device Health Monitoring Device health monitoring is also available in Windows 10 Pro version 1903 and later https://docs.microsoft.com/en-us/mem/analytics/troubleshoot#bkmk_2016281112 https://docs.microsoft.com/en-us/mem/intune/configuration/windows-health-monitoring Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9339 --- .../mdm/policy-csp-devicehealthmonitoring.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 60d4832fae..35190895c9 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -51,7 +51,7 @@ manager: dansimp Pro - cross mark + check mark6 Business @@ -115,7 +115,7 @@ The following list shows the supported values: Pro - cross mark + check mark6 Business @@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to Pro - cross mark + check mark6 Business From ca3dc27a1b80d596826273116d3749b0d5851647 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:21:46 +0500 Subject: [PATCH 02/43] IPv4 is not optional For WIP, IPv4 is not optional, but mandatory to be configured. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9208 --- .../create-wip-policy-using-intune-azure.md | 2 -- 1 file changed, 2 deletions(-) 
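Review bot: the three Pro cells in policy-csp-devicehealthmonitoring.md (hunks at lines 51, 115 and 178) now carry footnote marker 6, but the Footnotes list that defines that marker is outside the diff. Confirm that footnote 6 in this file reads Windows 10, version 1903, which is the release the commit message names. If it names a different release, use the matching marker instead of "check mark6".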
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..ca584f750a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com ### IPv4 ranges -Starting with Windows 10, version 1703, this field is optional. - Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t supported. From 9fafb9767beb886fb7b0a0deb612308337d60f02 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 3 May 2021 09:30:34 +0500 Subject: [PATCH 03/43] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a0b1076deb..8d384e1020 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 05/02/2021 ms.reviewer: manager: dansimp --- 
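Review bot: in create-wip-policy-using-intune-azure.md, the "### IPv4 ranges" hunk only deletes "Starting with Windows 10, version 1703, this field is optional." and leaves nothing that tells the reader the field is required, which is the point of the commit message. Suggest replacing the deleted sentence with an explicit statement that IPv4 ranges must be configured. The remaining paragraph says these addresses define the corporate network boundaries, so an admin skimming the section should be told plainly that the field cannot be left empty.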
@@ -1045,9 +1045,7 @@ GP Info: -Valid values: -- 0 - disabled -- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) +Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. @@ -3467,4 +3465,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 4e0b331d0c6b08c0b875d9319a8b0ece7b85f668 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 4 May 2021 16:11:39 +0500 Subject: [PATCH 04/43] Update windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8d384e1020..8beeba2c2e 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1045,7 +1045,7 @@ GP Info: -Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. From 33813715be906532b5f00daea8b0c148288b4955 Mon Sep 17 00:00:00 2001 
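Review bot: the replacement "Valid values" sentence in policy-csp-localpoliciessecurityoptions.md (hunk at line 1045, in both PATCH 03 and PATCH 04) gives the range and the unit but no default, and "the setting is disabled" does not spell out that with 0 this setting applies no inactivity lock to the session. Suggest stating both explicitly. The commit subject "Update policy-csp-localpoliciessecurityoptions.md" and the "GP Info:" context line also do not identify which policy changed, so name the policy in the subject.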
From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Wed, 5 May 2021 18:16:11 -0400 Subject: [PATCH 05/43] Document ProxyServers property --- windows/client-management/mdm/surfacehub-csp.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ff96d2c80a..745f408e3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -61,9 +61,9 @@ SurfaceHub --------SleepTimeout --------AllowSessionResume --------AllowAutoProxyAuth +--------ProxyServers --------DisableSigninSuggestions --------DoNotShowMyMeetingsAndFiles -----ProxyServers ----Management --------GroupName --------GroupSid @@ -571,6 +571,11 @@ SurfaceHub

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. + +**Properties/ProxyServers** +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). + +

The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. From 50e97e88a9b9bf5347ffa18cdaceeefd05ac04a5 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 7 May 2021 09:25:49 -0400 Subject: [PATCH 06/43] Removed locale from links --- windows/client-management/mdm/surfacehub-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 745f408e3b..9755457f60 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -573,7 +573,7 @@ SurfaceHub

The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).

The data type is string. Supported operation is Get and Replace. From f8c73443282198524fa19649560e103b2e301e40 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 19 May 2021 14:01:42 +0530 Subject: [PATCH 07/43] Create bitlocker-deployment-comparison.md created new topic per task 5120578 --- .../bitlocker-deployment-comparison.md | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md new file mode 100644 index 0000000000..9918e7eea1 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
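Review bot: the new Properties/ProxyServers paragraph in surfacehub-csp.md (PATCH 05, rewritten in PATCH 06) says device account credentials are provided to the listed proxies "before any user interaction", but it does not say what happens when AllowAutoProxyAuth is enabled and the list is empty, and it gives no sample value. Suggest documenting the empty-list behaviour and adding one example of the semi-colon separated format, because this list decides which servers receive the device account credentials. "Added in KB4499162 for Windows 10, version 1703" should also say whether the KB is required on 1703, since the neighbouring entry reads "Added in Windows 10, version 1703".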
@@ -0,0 +1,91 @@ +--- +title: BitLocker deployment comparison (Windows 10) +description: This article for the IT professional explains how +BitLocker features can be used to protect your data through drive +encryption. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: v-lsaldanha +ms.author: lovina-saldanha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 +ms.custom: bitlocker +--- + +# Bitlocker deployment comparison + +**Applies to** + +- Windows 10 + +This article for the IT professional explains how BitLocker +features can be used to protect your data through drive encryption. + +## Bitlocker deployment comparison chart + + + +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +|---------|---------|---------|---------| +|**Requirements**|||| +|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | +|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|Minimum Windows 10 version |1909** | None | None | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|Cloud or on premises | Cloud | On premises | On premises | +|Server components required? | | | | +|Additional agent required? 
| No (device enrollment only) | Configuration Manager client | MBAM client | +|Administrative plane | Microsoft Endpoint Manager +admin center | Configuration Manager console | Group Policy Management Console +and MBAM sites | +|Administrative portal installation required | | | | +|Compliance reporting capabilities | | | | +|Force encryption | | | | +|Encryption for storage cards (mobile) | | | | +|Allow recovery password | | | | +|Manage startup authentication | | | | +|Select cipher strength and algorithms for fixed +drives | | | | +|Select cipher strength and algorithms for +removable drives | | | | +|Select cipher strength and algorithms for operating +environment drives | | | | +|Standard recovery password storage location | Azure AD or +Active Directory | Configuration Manager site database | MBAM database | +|Store recovery password for operating system and +fixed drives to Azure AD or Active Directory | Yes (Active Directory and +Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Customize preboot message and recovery link | | | | +|Allow/deny key file creation | | | | +|Deny Write permission to unprotected drives | | | | +|Can be administered outside company network | | | | +|Support for organization unique IDs | | | | +|Self-service recovery | Yes (through Azure AD or +Company Portal app) | | | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | | | +|Allow or deny Data Recovery Agent | | | | +|Unlock a volume using certificate with custom object identifier | | | | +|Prevent memory overwrite on restart | | | | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | +|Manage auto-unlock functionality | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | 
| +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | + From cc7ad8b42c92e4f747d51b9cfb1ba2550762ae6f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 14:04:36 +0530 Subject: [PATCH 08/43] new-img-5120578 Added newly per 5120578 task --- .../bitlocker/images/dot.png | Bin 0 -> 674 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png new file mode 100644 index 0000000000000000000000000000000000000000..8dc160da790bb40082cb31ae078125c8dd9bcb14 GIT binary patch From 42430085302dd9383967037dedde47ecaffa4fb4 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 16:02:43 +0530 Subject: [PATCH 09/43] new-image-5120578 added new image per 5120578 --- .../bitlocker/images/dot1.png | Bin 0 -> 739 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot1.png 
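Review bot: the new bitlocker-deployment-comparison.md in PATCH 07 is committed with placeholder rows ("|Row6 | | | |" and "|Row7 | | | |", repeated) and mostly empty cells, and several table rows plus the front-matter "description:" value are wrapped across lines, which breaks both the Markdown table and the YAML header. Suggest keeping each row and the description on one line, dropping the Row6/Row7 placeholders, and explaining the "*" and "**" markers in "(MBAM)*" and "1909**", which have no footnote in the file. "ms.date: 02/28/2019" also predates this new file.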
diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png new file mode 100644 index 0000000000000000000000000000000000000000..c9ec7c52ab41b4f5c567d7a8db90e7b679d47928 GIT binary patch Date: Wed, 19 May 2021 16:20:57 +0530 Subject: [PATCH 10/43] Update bitlocker-deployment-comparison.md added dot image --- .../bitlocker/bitlocker-deployment-comparison.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 9918e7eea1..ad4b1b82b8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -46,9 +46,9 @@ features can be used to protect your data through drive encryption. admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | | | -|Compliance reporting capabilities | | | | -|Force encryption | | | | -|Encryption for storage cards (mobile) | | | | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | |Allow recovery password | | | | |Manage startup authentication | | | | |Select cipher strength and algorithms for fixed From fdad2a91e3dd95bdea16f8528a7b9b96ac3fff7e Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:46:05 +0530 Subject: [PATCH 11/43] Update bitlocker-deployment-comparison.md Created newly for task 5120578 - Bitlocker Comparison Chart --- .../bitlocker-deployment-comparison.md | 79 +++++++------------ 1 file changed, 28 insertions(+), 51 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index ad4b1b82b8..749082dd5f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -1,8 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article for the IT professional explains how -BitLocker features can be used to protect your data through drive -encryption. +description: This article shows the Bitlocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -14,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 05/20/2021 ms.custom: bitlocker --- @@ -24,13 +22,10 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional explains how BitLocker -features can be used to protect your data through drive encryption. +This article for the IT professional depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart - - | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| |**Requirements**|||| 
@@ -40,52 +35,34 @@ features can be used to protect your data through drive encryption. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | | | +|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | -|Administrative plane | Microsoft Endpoint Manager -admin center | Configuration Manager console | Group Policy Management Console -and MBAM sites | -|Administrative portal installation required | | | | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | -|Allow recovery password | | | | -|Manage startup authentication | | | | -|Select cipher strength and algorithms for fixed -drives | | | | -|Select cipher strength and algorithms for -removable drives | | | | -|Select cipher strength and algorithms for operating -environment drives | | | | +|Administrative plane | Microsoft Endpoint Manager 
admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Allow recovery password | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for 
operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | | | | -|Allow/deny key file creation | | | | -|Deny Write permission to unprotected drives | | | | -|Can be administered outside company network | | | | -|Support for organization unique IDs | | | | -|Self-service recovery | Yes (through Azure AD or -Company Portal app) | | | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | | | -|Allow or deny Data Recovery Agent | | | | -|Unlock a volume using certificate with custom object identifier | | | | -|Prevent memory overwrite on restart | | | | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | -|Manage auto-unlock functionality | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | - +|Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" 
alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" 
alt-text="dot"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From f4006bb298f1047b8b2c162d2ba97caafed7ffac Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:57:10 +0530 Subject: [PATCH 12/43] Update bitlocker-deployment-comparison.md To fix build issues --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 749082dd5f..e01dbd312c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: v-lsaldanha -ms.author: lovina-saldanha +author: lovina-saldanha +ms.author: v-lsaldanha manager: dansimp audience: ITPro ms.collection: M365-security-compliance From e67a850344a65aa8473a0cf9ee44550c909ec43d Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 12:19:06 +0530 Subject: [PATCH 13/43] Update bitlocker-deployment-comparison.md updated --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
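Review bot: every image cell in the table rewritten by PATCH 11 uses alt-text="dot", which tells a screen-reader user nothing about whether the feature is supported, and unsupported features are shown only as blank cells. Suggest alt text that states the meaning (for example "supported") and explicit text in the empty cells. The table also mixes conventions: "Self-service recovery" and "Recovery password rotation" use "Yes (...)" text in the Intune column and dot images in the other two. The new "description:" line and the "## Bitlocker deployment comparison chart" heading spell the product "Bitlocker" while the title uses "BitLocker".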
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index e01dbd312c..6ba03dc4d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -22,7 +22,7 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional depicts the BitLocker deployment comparison chart. +This article depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart From 366544ec62a2b665fef59b2330af2d0ca4be9ae7 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 13:56:05 +0530 Subject: [PATCH 14/43] Update TOC.yml updated toc per task 5120578 --- windows/security/information-protection/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml index 9965f322db..bcaa9d74d7 100644 --- a/windows/security/information-protection/TOC.yml +++ b/windows/security/information-protection/TOC.yml @@ -29,6 +29,8 @@ href: bitlocker\bitlocker-using-with-other-programs-faq.yml - name: "Prepare your organization for BitLocker: Planning and policies" href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: bitlocker\bitlocker-deployment-comparison.md - name: BitLocker basic deployment href: bitlocker\bitlocker-basic-deployment.md - name: "BitLocker: How to deploy on Windows Server 2012 and later" From d1f23943124836f6438ab53e6107ca774c4a861d Mon Sep 17 00:00:00 2001 
From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 20 May 2021 17:59:10 +0530 Subject: [PATCH 15/43] New-5120578 New image added --- .../bitlocker/images/dot_new.png | Bin 0 -> 734 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot_new.png b/windows/security/information-protection/bitlocker/images/dot_new.png new file mode 100644 index 0000000000000000000000000000000000000000..af2bab3c631974672dd255ab793f124a34b980e1 GIT binary patch Date: Thu, 20 May 2021 19:46:38 +0530 Subject: [PATCH 16/43] Update bitlocker-deployment-comparison.md image correction --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 6ba03dc4d8..dd32f174a6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -35,7 +35,7 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From 37fbfbcde78be2867fa411c950656bd4b249e49b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 21:17:52 +0530 Subject: [PATCH 17/43] added Allow Update Compliance Processing as per user feedback issue #9540, so I added **Allow Update Compliance Processing** policy-related settings in this article, after looking at GPO in windows 10 pre release build 21h1 19043.985. --- .../mdm/policy-csp-system.md | 78 ++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..a9ccc9b578 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -49,6 +49,9 @@ manager: dansimp

System/AllowTelemetry
+
+ System/AllowUpdateComplianceProcessing +
System/AllowUserToResetPhone
@@ -791,6 +794,77 @@ ADMX Info: +
+ + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark6
Businesscheck mark6
Enterprisecheck mark6
Educationcheck mark6
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. + +If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. + +If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. + + + +ADMX Info: +- GP English name: *Allow Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP element: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 - Disabled. +- 16 - Enabled. + + + +
@@ -1778,5 +1852,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. +- 10 - Available in Windows 10, version 21H1. - \ No newline at end of file + From 9a024df7b281dda143f89bd32ad6300ba49d2ce2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 22:43:25 +0530 Subject: [PATCH 18/43] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a9ccc9b578..787fbbbb2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -50,7 +50,7 @@ manager: dansimp System/AllowTelemetry
- System/AllowUpdateComplianceProcessing + System/AllowUpdateComplianceProcessing
System/AllowUserToResetPhone From 6c0242ca208802d1ba7b4430892d63942287f0b0 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:16:50 +0530 Subject: [PATCH 19/43] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 787fbbbb2a..828bc97b2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -842,7 +842,7 @@ ADMX Info: Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. -If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. +If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. From 64de74b17d47d461eb6c47200e47bac57946e5b8 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:29:06 +0530 Subject: [PATCH 20/43] made boot to System/BootStartDriverInitialization as per user feedback from @illfated under issue #9554 , so i made sentence **System/BootStartDriverInitialization** to bold. --- windows/client-management/mdm/policy-csp-system.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..3a5f16aba7 100644 
--- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -852,6 +852,7 @@ The following list shows the supported values:
+ **System/BootStartDriverInitialization** @@ -1779,4 +1780,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 988b07c78c4ec090e719c80b5f30be474e0c4730 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 24 May 2021 09:59:45 +0530 Subject: [PATCH 21/43] Update bitlocker-deployment-comparison.md To fix edit issue --- .../bitlocker/bitlocker-deployment-comparison.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index dd32f174a6..2ef7fbf2b9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -49,9 +49,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | -|Store recovery password for operating system and -fixed drives to Azure AD or Active Directory | Yes (Active Directory and -Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From e57ba5b729344902306418ac00a608744c751d70 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 24 May 2021 15:46:24 +0530 Subject: [PATCH 22/43] Changed instances of "Bitlocker" to BitLocker" to keep the terminology consistent --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 2ef7fbf2b9..d3e5e2f766 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -16,7 +16,7 @@ ms.date: 05/20/2021 ms.custom: bitlocker --- -# Bitlocker deployment comparison +# BitLocker deployment comparison **Applies to** @@ -24,7 +24,7 @@ ms.custom: bitlocker This article depicts the BitLocker deployment comparison chart. -## Bitlocker deployment comparison chart +## BitLocker deployment comparison chart | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| From 582ad407f366210a6cb504cb3ef6879df9fcd154 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 26 May 2021 14:49:40 +0500 Subject: [PATCH 23/43] Minor correction to remove the confusion I have made a minor addition to the content to clarify the confusion. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9461 --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 234f5f9d6c..352dd76846 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -4521,7 +4521,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. @@ -5356,4 +5356,4 @@ ADMX Info: > [!NOTE] > These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + From 0ea039011830844a17359aa17bffc66723a54bbd Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:29:53 +0500 Subject: [PATCH 24/43] Update in Changing the PIN Made some update in Changing the PIN Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9475 --- .../virtual-smart-card-use-virtual-smart-cards.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cb9d870d46..f5d0883f98 100644 
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. - +The PIN for virtual smart card can be changed by following steps: +- Log on with the old pin or password. +- Press Ctrl+Alt+Del and choose **Change a password**. +- Click ""Sign-in Options**. +- Click the **Virtual smart card icon**. +- Change the pin. ## Resolving issues ### TPM not provisioned @@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter ## See also -For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). \ No newline at end of file +For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). From 25357cb87705dcbf13ab85c73d1ea4b63c3ef7a6 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:31:32 +0500 Subject: [PATCH 25/43] Update windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../virtual-smart-card-use-virtual-smart-cards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index f5d0883f98..2f1de3fc17 100644 
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -80,7 +80,7 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by following steps: +The PIN for a virtual smart card can be changed by following these steps: - Log on with the old pin or password. - Press Ctrl+Alt+Del and choose **Change a password**. - Click ""Sign-in Options**. From 4ef7ceea33e8ba652093dc5811671988f4f1393d Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:31:44 +0500 Subject: [PATCH 26/43] Update windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../virtual-smart-card-use-virtual-smart-cards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 2f1de3fc17..cceae7c4f2 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -84,7 +84,7 @@ The PIN for a virtual smart card can be changed by following these steps: - Log on with the old pin or password. - Press Ctrl+Alt+Del and choose **Change a password**. - Click ""Sign-in Options**. -- Click the **Virtual smart card icon**. +- Select the virtual smart card icon. - Change the pin. ## Resolving issues From a7784d3a272f98ff0aec9770d5c8a6c66388a544 Mon Sep 17 00:00:00 2001 
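Review bot: In the `## Changing the PIN` hunk of virtual-smart-card-use-virtual-smart-cards.md ([PATCH 24/43], carried through the follow-up suggestion commits), the blank line that separated the section body from `## Resolving issues` is removed and never put back, so the last list item now runs straight into the next heading. Restore the empty line after the final step, and add one between the introductory sentence and the first `-` item. The steps are sequential, so a numbered list would fit better than bullets. At this point in the series the third step still reads `- Click ""Sign-in Options**.` in the context lines: the opening bold marker is `""` instead of `**`, so the label will not render as bold.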
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:31:55 +0500 Subject: [PATCH 27/43] Update windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../virtual-smart-card-use-virtual-smart-cards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cceae7c4f2..d277d08df6 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -85,7 +85,7 @@ The PIN for a virtual smart card can be changed by following these steps: - Press Ctrl+Alt+Del and choose **Change a password**. - Click ""Sign-in Options**. - Select the virtual smart card icon. -- Change the pin. +- Enter and confirm the new PIN. ## Resolving issues ### TPM not provisioned From 22efa0b924843377e2dfebfb9938a6517abf6525 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:32:04 +0500 Subject: [PATCH 28/43] Update windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../virtual-smart-card-use-virtual-smart-cards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index d277d08df6..018f2a2982 100644 
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -81,7 +81,7 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN The PIN for a virtual smart card can be changed by following these steps: -- Log on with the old pin or password. +- Sign in with the old PIN or password. - Press Ctrl+Alt+Del and choose **Change a password**. - Click ""Sign-in Options**. - Select the virtual smart card icon. From f2b739ce779bf465bd3461d6270df9e580c89a6e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:32:11 +0500 Subject: [PATCH 29/43] Update windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../virtual-smart-card-use-virtual-smart-cards.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 018f2a2982..789da743aa 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
@@ -83,7 +83,7 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf The PIN for a virtual smart card can be changed by following these steps: - Sign in with the old PIN or password. - Press Ctrl+Alt+Del and choose **Change a password**. -- Click ""Sign-in Options**. +- Select **Sign-in Options**. - Select the virtual smart card icon. - Enter and confirm the new PIN. ## Resolving issues From eb5fb0cf09ae5feade62a76072c5bc0884d789b0 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Mon, 7 Jun 2021 08:45:00 -0700 Subject: [PATCH 30/43] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2c20894dcf..ff10761a52 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -59,6 +59,9 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) +--------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) 
@@ -521,6 +524,71 @@ More details: - [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) +**Configuration/PlatformUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/EngineUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. 
+ +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/DefinitionUpdatesChannel** +Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + +Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%) + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. 
Suitable for most devices. + +The data type is integer. +Supported operations are Add, Delete, Get, Replace. + +Valid Values are: +• 0: Not configured (Default) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + **Scan** Node that can be used to start a Windows Defender scan on a device. From baba2c8823d9e23078aff23dd22e34c020748feb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Jun 2021 12:42:30 -0700 Subject: [PATCH 31/43] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index ff10761a52..acc2fed615 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/02/2021 +ms.date: 06/07/2021 --- # Defender CSP @@ -521,7 +521,7 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) **Configuration/PlatformUpdatesChannel** From 560d09e0e55760ffc4b97bf4242133b7203d0af2 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 15:26:17 -0700 Subject: [PATCH 32/43] Added a section for supplemental policies. --- .../select-types-of-rules-to-create.md | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..f5e5b8c109 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,6 +71,16 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | +### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +| Rule option | Description | +|------------ | ----------- | +| 5 | Enabled: Inherit Default Policy | +| **6** | **Enabled: Unsigned System Integrity Policy** | +| 7 | Allowed: Debug Policy Augmented | +| **13** | **Enabled: Managed Installer** | +| **14** | **Enabled: Intelligent Security Graph Authorization** | +| **18** | **Disabled: Runtime FilePath Rule Protection** | + ## Windows Defender Application Control file rule levels File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. 
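Review bot: The added `###` heading in select-types-of-rules-to-create.md is two full sentences ("The following options are valid for supplemental policies. However, number 5 is not implemented ..."); make the heading a short title and move the sentences into a paragraph under it. In the new table, bold seems to mark the options that apply while rows 5 and 7 are left plain, but nothing states that convention, so say it in the text or add a status column. The option names are written with a space after the colon (`Enabled: Managed Installer`), while the Table 1 rows visible in the context use `Disabled:Runtime FilePath Rule Protection` and `Enabled:Dynamic Code Security` without one and keep the number inside the name; match the existing table so the same option reads identically in both places.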
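Review bot: In the defender-csp.md hunk of [PATCH 30/43] that adds `Configuration/PlatformUpdatesChannel`, `Configuration/EngineUpdatesChannel` and `Configuration/DefinitionUpdatesChannel`, the valid values are listed with literal `•` characters instead of Markdown list markers; write them as `- 0: Not configured (Default)` and so on, with a blank line before the list, so they render as a list. Value 1 is labelled `Beta Channel - Prerelease` in the list but `Beta Channel` in the description above it; use one name. The `DefinitionUpdatesChannel` block drifts from the other two: it says `Valid Values are:` with a capital V, and its Current Channel (Staged) sentence drops "your" and the final period. Since the Platform and Engine descriptions are otherwise word-for-word copies, check that the Beta Channel and Current Channel (Preview) wording is intended for both nodes.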
From bb345aa0690e2344aca3f2b0de66b5e0440f730b Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 8 Jun 2021 10:18:28 +0530 Subject: [PATCH 33/43] added-for-5120578 new image for 5120578 --- .../bitlocker/images/yes-icon.png | Bin 0 -> 916 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/yes-icon.png diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/information-protection/bitlocker/images/yes-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..bbae7d30522832e4ebf00c52e1c2af7f11e5e952 GIT binary patch literal 916
From 236f5143deb430b86426fb70c329aff141097034 Mon Sep 17 00:00:00 2001
From: Lovina Saldanha Date: Tue, 8 Jun 2021 10:31:46 +0530 Subject: [PATCH 34/43] Update bitlocker-deployment-comparison.md Updated the image to yes icon --- .../bitlocker-deployment-comparison.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index d3e5e2f766..f4d29550e4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -35,32 +35,32 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Allow recovery password | :::image type="content" 
source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for 
storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery 
link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow or deny Data Recovery Agent | :::image type="content" 
source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | 
:::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | 
:::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | From 2b82513f59cc8d11340fb7074376ac64553d7a5c Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 11:06:56 +0530 Subject: [PATCH 35/43] delete-irrelevant-images deleted unwanted images that i added earlier for this task --- .../bitlocker/images/dot.png | Bin 674 -> 0 bytes .../bitlocker/images/dot1.png | Bin 739 -> 0 bytes .../bitlocker/images/dot_new.png | Bin 734 -> 0 bytes 3 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/security/information-protection/bitlocker/images/dot.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot1.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png deleted file mode 100644 index 8dc160da790bb40082cb31ae078125c8dd9bcb14..0000000000000000000000000000000000000000 GIT binary patch 
diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png deleted file mode 100644 index c9ec7c52ab41b4f5c567d7a8db90e7b679d47928..0000000000000000000000000000000000000000 GIT binary patch Date: Tue, 8 Jun 2021 09:38:41 -0700 Subject: [PATCH 36/43] Removed the heading format for the new text and also swapped out "number" for "option." --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f5e5b8c109..7a56e31130 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,7 +71,8 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | -### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported. + | Rule option | Description | |------------ | ----------- | | 5 | Enabled: Inherit Default Policy | From d0c4483edec560d839288689bfc3557412a17c7f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 13:55:32 -0700 Subject: [PATCH 37/43] Acrolinx "Bitlocker" --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index f4d29550e4..de76b10cc5 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,6 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article shows the Bitlocker deployment comparison chart. +description: This article shows the BitLocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From e3aa788ac7f136c183a7480b70ee08247bed97c0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Jun 2021 15:06:15 -0700 Subject: [PATCH 38/43] Update windows/client-management/mdm/defender-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index acc2fed615..dbdc03e3aa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -566,11 +566,11 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) +- 0 - Not configured (Default) +- 1 - Beta Channel - Prerelease +- 2 - Current Channel (Preview) +- 3 - Current Channel (Staged) +- 4 - Current Channel (Broad) **Configuration/DefinitionUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. From ccb70b243bcf508a3355b1d1194b5577eedb6c00 Mon Sep 17 00:00:00 2001 
From: Marysia Kaminska <85372436+marysiakam9889@users.noreply.github.com> Date: Tue, 8 Jun 2021 16:35:35 -0700 Subject: [PATCH 39/43] Update defender-ddf.md adding new csp's for Defender Update controls: DisableGradualRelease, DefinitionUpdatesChannel, EngineUpdatesChannel, and PlatformUpdatesChannel --- windows/client-management/mdm/defender-ddf.md | 180 ++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index a63f4dec92..b4c21b747a 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
@@ -757,6 +757,186 @@ The XML below is the current version for this CSP. + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + DefinitionUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. 
+ + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + PlatformUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + Scan From cd99516b0029f122bc575c93c7344caa6869ebda Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 8 Jun 2021 16:46:25 -0700 Subject: [PATCH 40/43] fix --- windows/application-management/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice From e640603aef1d3eb2aaadcf5db4fbdb6bacc66e20 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 21:14:03 -0700 Subject: [PATCH 41/43] Applied "> [!NOTE]" style --- ...policy-csp-localpoliciessecurityoptions.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8beeba2c2e..1d2f90b193 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md 
@@ -1241,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. @@ -2457,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2535,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -2613,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2897,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
@@ -3172,7 +3178,8 @@ This policy setting controls whether applications that request to run with a Use - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. +> [!NOTE] +> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -3240,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. From 36f4a8e1e005f397d9df19b4738db1131d4270c9 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Tue, 8 Jun 2021 21:14:54 -0700 Subject: [PATCH 42/43] =?UTF-8?q?Replaced=20"=C3=A2=E2=82=AC=C2=A6"=20in?= =?UTF-8?q?=20file=20path=20with=20"."?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1d2f90b193..0d4580ee4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3174,9 +3174,9 @@ User Account Control: Only elevate UIAccess applications that are installed in s This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- .\Program Files\, including subfolders +- .\Windows\system32\ +- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows > [!NOTE] > Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. From 0df3a52c4af3656c945bfb7848ab32d0d1f37a73 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 9 Jun 2021 09:13:30 +0200 Subject: [PATCH 43/43] Update filter-origin-documentation.md Fixing a typo in the auditpol commands to enable WFP packet drop auditing --- .../windows-firewall/filter-origin-documentation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index c1121baa73..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra |**Audit #**|**Enable command**|**Link**| |:-----|:-----|:-----| |**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| ## Example flow of debugging packet drops with filter origin @@ -168,4 +168,4 @@ For more information on how to debug drops caused by UWP default block filters, **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. \ No newline at end of file +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected.
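Review bot: alt-text="supported" does not fit the two "required" rows in PATCH 34/43 (bitlocker-deployment-comparison.md, hunk @@ -35,32 +35,32 @@). On "Server components required?" and "Administrative portal installation required" the icon answers yes rather than "supported", so a screen reader announces the wrong meaning. Use alt-text="yes" on those rows, or plain "Yes" text as the "Self-service recovery" and "Store recovery password ..." rows already do. The empty cells carry no text at all, so the negative answer is conveyed only visually; consider writing "No" or "Not supported" there.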
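Review bot: the new sentence in PATCH 36/43 (select-types-of-rules-to-create.md, hunk @@ -71,7 +71,8 @@) calls the listed options "valid for supplemental policies" and in the next breath says option 5 is not implemented and option 7 is not supported, which leaves the reader unsure what happens if either is set. Since rule options decide what a supplemental policy enforces, say which of the listed options actually take effect and what setting 5 or 7 does, or move those two out of the "valid" list. The row "| 5 | Enabled: Inherit Default Policy |" also departs from the bold "**18 Disabled:Runtime FilePath Rule Protection**" form used in Table 1 above it.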
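Review bot: the " - " separator in PATCH 38/43 (defender-csp.md, hunk @@ -566,11 +566,11 @@) collides with the hyphen already inside the value name, so "- 1 - Beta Channel - Prerelease" no longer shows where the value ends and the label begins; the removed "1: Beta Channel - Prerelease" form was unambiguous, and "- 1: Beta Channel - Prerelease" would keep the list markup without that cost. The numbering here (1 to 4) also disagrees with the DDF added in PATCH 39/43, where Beta Channel is 2, Current Channel (Preview) is 3, Current Channel (Staged) is 4 and Current Channel (Broad) is 5. An administrator who sets 4 from this list expecting Broad would get Staged under the DDF values, so one of the two files needs correcting before merge.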
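Review bot: the DefinitionUpdatesChannel node in PATCH 39/43 (defender-ddf.md, hunk @@ -757,6 +757,186 @@) is described as controlling the daily gradual rollout, but its value 4 text says updates are offered "after the monthly gradual release cycle", which matches the wording of the EngineUpdatesChannel and PlatformUpdatesChannel nodes instead. Reword values 4 and 5 of that node for the daily cycle. On all three channel nodes, Staged ("after the monthly gradual release cycle") and Broad ("only after the gradual release cycle completes") read as the same timing, so state what distinguishes them. Please also confirm that the "99.9.99999" and "1.3" fields on the four new nodes are the intended values and not placeholders.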
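Review bot: "> [!NOTE]" undersells the caveat on option 0 in PATCH 41/43 (policy-csp-localpoliciessecurityoptions.md, hunk @@ -2897,7 +2901,9 @@). "Elevate without prompting" lets privileged accounts elevate without consent or credentials, so "Use this option only in the most constrained environments" is a security warning and reads better as "> [!WARNING]" or "> [!IMPORTANT]". The same applies to the option 0 note in hunk @@ -3240,7 +3247,9 @@, where the setting disables Admin Approval Mode and all related UAC policy settings.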
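Review bot: ".\" is not an equivalent replacement for the leading characters removed in PATCH 42/43 (policy-csp-localpoliciessecurityoptions.md, hunk @@ -3174,9 +3174,9 @@). The removed lines carry an ellipsis that stands for an elided leading path, whereas ".\Program Files\" reads as a path relative to the current directory. This list defines which locations count as secure for UIAccess applications, so the wording has to be exact: restore the ellipsis with the file saved as UTF-8, or spell the prefix out explicitly on all three lines.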
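Review bot: both table rows in PATCH 43/43 (filter-origin-documentation.md, hunk @@ -67,7 +67,7 @@) still pass /category:"System" next to the /SubCategory argument, although auditpol lists Filtering Platform Connection and Filtering Platform Packet Drop under Object Access. Confirm that the command does not also change auditing for the whole System category, and if /category is not needed, drop it so each row enables only the subcategory it names. The linked event is labelled 5152(F), a failure event, so /failure:enable should be enough for the corrected row, which matters because packet drop auditing is high volume.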