deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

sv

Browse Source
This commit is contained in:
greg-lindsay 2021-06-09 10:12:51 -07:00
commit 6dd9104c28
15 changed files with 449 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/application-management/index.yml
View File

@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r
metadata:
title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice

72
windows/client-management/mdm/defender-csp.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 06/02/2021
ms.date: 06/07/2021
---
# Defender CSP
@ -59,6 +59,9 @@ Defender
--------TamperProtection (Added in Windows 10, version 1903)
--------EnableFileHashComputation (Added in Windows 10, version 1903)
--------SupportLogLocation (Added in the next major release of Windows 10)
--------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release)
--------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release)
--------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release)
----Scan
----UpdateSignature
----OfflineScan (Added in Windows 10 version 1803)
@ -518,9 +521,74 @@ When enabled or disabled exists on the client and admin moves the setting to not
More details:
- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
<a href="" id="configuration-supportloglocation"></a>**Configuration/PlatformUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
• 0: Not configured (Default)
• 1: Beta Channel - Prerelease
• 2: Current Channel (Preview)
• 3: Current Channel (Staged)
• 4: Current Channel (Broad)
<a href="" id="configuration-supportloglocation"></a>**Configuration/EngineUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 0 - Not configured (Default)
- 1 - Beta Channel - Prerelease
- 2 - Current Channel (Preview)
- 3 - Current Channel (Staged)
- 4 - Current Channel (Broad)
<a href="" id="configuration-supportloglocation"></a>**Configuration/DefinitionUpdatesChannel**
Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.
Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%)
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid Values are:
• 0: Not configured (Default)
• 3: Current Channel (Staged)
• 4: Current Channel (Broad)
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.

180
windows/client-management/mdm/defender-ddf.md
View File

@ -757,6 +757,186 @@ The XML below is the current version for this CSP.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisableGradualRelease</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to disable gradual rollout of Defender updates.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Gradual release is disabled</ValueDescription>
</Enum>
<Enum>
<Value>0</Value>
<ValueDescription>Gradual release is enabled</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefinitionUpdatesChannel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EngineUpdatesChannel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PlatformUpdatesChannel</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.3</CspVersion>
</Applicability>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
</Enum>
</AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>

2
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -4521,7 +4521,7 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives.
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.

6
windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
View File

@ -51,7 +51,7 @@ manager: dansimp
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
@ -115,7 +115,7 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>

35
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 05/02/2021
ms.reviewer:
manager: dansimp
---
@ -1045,9 +1045,7 @@ GP Info:
<!--/RegistryMapped-->
<!--SupportedValues-->
Valid values:
- 0 - disabled
- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled.
<!--/SupportedValues-->
<!--/Policy-->
@ -1243,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user
If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Default: This policy is not defined, which means that the system treats it as No action.
@ -2459,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
> [!NOTE]
> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
@ -2537,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
> [!NOTE]
> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
@ -2615,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
> [!NOTE]
> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
<!--/Description-->
<!--RegistryMapped-->
@ -2899,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra
The options are:
- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
> [!NOTE]
> Use this option only in the most constrained environments.
- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
@ -3170,11 +3174,12 @@ User Account Control: Only elevate UIAccess applications that are installed in s
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
- …\Program Files\, including subfolders
- …\Windows\system32\
- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
- .\Program Files\, including subfolders
- .\Windows\system32\
- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows
Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
> [!NOTE]
> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The options are:
- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
@ -3242,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
The options are:
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
> [!NOTE]
> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.

77
windows/client-management/mdm/policy-csp-system.md
View File

@ -49,6 +49,9 @@ manager: dansimp
<dd>
<a href="#system-allowtelemetry">System/AllowTelemetry</a>
</dd>
<dd>
<a href="#system-allowUpdateComplianceProcessing">System/AllowUpdateComplianceProcessing</a>
</dd>
<dd>
<a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
</dd>
@ -789,6 +792,77 @@ ADMX Info:
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-allowUpdateComplianceProcessing"></a>**System/AllowUpdateComplianceProcessing**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance.
If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service.
If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Update Compliance Processing*
- GP name: *AllowUpdateComplianceProcessing*
- GP element: *AllowUpdateComplianceProcessing*
- GP path: *Data Collection and Preview Builds*
- GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disabled.
- 16 - Enabled.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
@ -850,6 +924,7 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**
@ -1778,5 +1853,7 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
- 10 - Available in Windows 10, version 21H1.
<!--/Policies-->

7
windows/client-management/mdm/surfacehub-csp.md
View File

@ -61,9 +61,9 @@ SurfaceHub
--------SleepTimeout
--------AllowSessionResume
--------AllowAutoProxyAuth
--------ProxyServers
--------DisableSigninSuggestions
--------DoNotShowMyMeetingsAndFiles
----ProxyServers
----Management
--------GroupName
--------GroupSid
@ -572,6 +572,11 @@ SurfaceHub
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties-proxyservers"></a>**Properties/ProxyServers**
<p style="margin-left: 20px">Added in <a href="https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142" data-raw-source="[KB4499162](https://support.microsoft.com/topic/may-28-2019-kb4499162-os-build-15063-1839-ed6780ab-38d6-f590-d789-5ba873b1e142)">KB4499162</a> for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.

8
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
View File

@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf
## Changing the PIN
The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**.
The PIN for a virtual smart card can be changed by following these steps:
- Sign in with the old PIN or password.
- Press Ctrl+Alt+Del and choose **Change a password**.
- Select **Sign-in Options**.
- Select the virtual smart card icon.
- Enter and confirm the new PIN.
## Resolving issues
### TPM not provisioned

2
windows/security/information-protection/TOC.yml
View File

@ -29,6 +29,8 @@
href: bitlocker\bitlocker-using-with-other-programs-faq.yml
- name: "Prepare your organization for BitLocker: Planning and policies"
href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md
- name: BitLocker deployment comparison
href: bitlocker\bitlocker-deployment-comparison.md
- name: BitLocker basic deployment
href: bitlocker\bitlocker-basic-deployment.md
- name: "BitLocker: How to deploy on Windows Server 2012 and later"

66
windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md Normal file
View File

@ -0,0 +1,66 @@
---
title: BitLocker deployment comparison (Windows 10)
description: This article shows the BitLocker deployment comparison chart.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: lovina-saldanha
ms.author: v-lsaldanha
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/20/2021
ms.custom: bitlocker
---
# BitLocker deployment comparison
**Applies to**
- Windows 10
This article depicts the BitLocker deployment comparison chart.
## BitLocker deployment comparison chart
| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* |
|---------|---------|---------|---------|
|**Requirements**||||
|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later |
|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|Minimum Windows 10 version |1909** | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|Cloud or on premises | Cloud | On premises | On premises |
|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client |
|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Standard recovery password storage location | Azure AD or
Active Directory | Configuration Manager site database | MBAM database |
|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | |
|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |

BIN
windows/security/information-protection/bitlocker/images/yes-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 916 B

2
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com
### IPv4 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 value range within your intranet.
These addresses, used with your Network domain names, define your corporate network boundaries.
Classless Inter-Domain Routing (CIDR) notation isnt supported.

11
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -71,6 +71,17 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. |
The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported.
| Rule option | Description |
|------------ | ----------- |
| 5 | Enabled: Inherit Default Policy |
| **6** | **Enabled: Unsigned System Integrity Policy** |
| 7 | Allowed: Debug Policy Augmented |
| **13** | **Enabled: Managed Installer** |
| **14** | **Enabled: Intelligent Security Graph Authorization** |
| **18** | **Disabled: Runtime FilePath Rule Protection** |
## Windows Defender Application Control file rule levels
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies.

2
windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
View File

@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra
|**Audit #**|**Enable command**|**Link**|
|:-----|:-----|:-----|
|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)|
|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)|
|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)|
## Example flow of debugging packet drops with filter origin