Merge branch 'main' into vp-csp-auto2
@ -34,4 +34,4 @@ This article lists the endpoints that need to be allowed through the firewall to
| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Configuration Manager Distribution Point |
| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Configuration Manager Distribution Point |
| *.do.dsp.mp.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure |
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671 </br> MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | AMQP / 5671 </br> MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |
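Review bot: the last row in this hunk adds github.com to the IoT Edge / IoT Hub allowlist row, but the explanation column is unchanged and still describes only Azure IoT Hub protocols and ports, so the reader can't tell what the cache node needs from GitHub or on which of the three listed ports (AMQP 5671 and MQTT 8883 can't apply to it). A general-purpose hosting domain is a much wider firewall exception than the Microsoft-owned wildcards on the other rows, so state the purpose in the table and limit the entry to the protocol it actually needs, presumably HTTPS / 443 only. Minor: "HTTPs" should be "HTTPS" throughout the ports column.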
@ -3,7 +3,7 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diag
manager: aaroncz
description: Elixir images read me file
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: nidos
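Review bot: both `ms.prod: w10` and `ms.prod: windows-client` show in this hunk and in the other metadata hunks of this merge; the flattened view drops the +/- markers, so confirm each front matter block ends up with a single `ms.prod` key, since a duplicated YAML key silently takes the last value.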
@ -2,7 +2,7 @@
title: Appendix
manager: aaroncz
description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: w10
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.localizationpriority: medium
@ -12,6 +12,24 @@ ms.topic: article

# Appendix

## Steps to obtain an Azure Subscription ID

<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]

### Troubleshooting

If you're not able to sign up for a Microsoft Azure subscription with the **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** error, see the following articles:
- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription).
- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).

## Installing on VMWare

We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made:

1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.

## Diagnostics Script

If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug.
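Review bot: the VMWare step that starts "Using the HyperV Manager, create an external switch" mixes two products: the external switch is created in Hyper-V Manager inside the guest, but **Allow promiscuous mode**, **Allow forged transmits** and **Allow MAC changes** are vSphere port-group security policies set on the ESXi host. Split the step into the Hyper-V part and the ESXi part, and add that those three settings relax the vSwitch's protection for every VM on that port group, so they should be enabled on a dedicated port group for the MCC VM rather than on a shared one. Also write "Hyper-V" as the rest of the page does, and "VMware" is the vendor's spelling.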
@ -33,17 +51,6 @@ To run this script:

1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process.

## Steps to obtain an Azure Subscription ID

<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]

## Troubleshooting

If you're not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription).

Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).

## IoT Edge runtime

The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices.
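Review bot: typo in the first line of this hunk, "during out debugging process" should be "during our debugging process". Since that step has the reader e-mail a zip of all collected logs to the MCC team, it is worth a sentence asking them to look through the archive and screenshots for anything they don't want to share (internal hostnames, IP addresses, tokens) before attaching it. The rest of the hunk only removes the Steps and Troubleshooting sections that now sit at the top of the file, which is fine.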
@ -58,14 +65,6 @@ communication operations. The runtime performs several functions:

For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).

## EFLOW

- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows)
- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge)
- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions)
- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow)
- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)

## Routing local Windows Clients to an MCC

### Get the IP address of your MCC using ifconfig
@ -115,3 +114,10 @@ To verify that the Delivery Optimization client can download content using MCC,

:::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor.":::

## EFLOW

- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows)
- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge)
- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions)
- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow)
- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)
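Review bot: the EFLOW list re-added here is identical to the one removed earlier in the file, so no content is lost by the move. The YouTube link carries an `&ab_channel=MicrosoftIoTDevelopers` query parameter that only affects attribution and can be dropped, and the "EFLOW FAQ and Support" link points at the `#how-can-i-apply-updates-to-eflow` anchor, which is a single FAQ entry rather than the Support page the link text describes.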
@ -2,7 +2,7 @@
title: Deploying your cache node
manager: dougeby
description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
ms.prod: w10
ms.prod: windows-client
author: amymzhou
ms.localizationpriority: medium
ms.author: amyzhou
@ -2,7 +2,7 @@
title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education
manager: dougeby
description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: w10
ms.prod: windows-client
author: amymzhou
ms.localizationpriority: medium
ms.author: amyzhou
@ -26,6 +26,9 @@ ms.topic: article
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.

2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.

> [!NOTE]
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.

**EFLOW Requires Hyper-V support**
- On Windows client, enable the Hyper-V feature
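Review bot: in the added note, "install your cache node on VMWare" should use the vendor spelling "VMware", and the Appendix it links to is the right place for the ESXi settings. In the context line above it, "35000 managed devices" reads better as "35,000" and "in 24-hour timeframe" needs an article ("in a 24-hour timeframe").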
@ -2,7 +2,7 @@
title: Update or uninstall Microsoft Connected Cache for Enterprise and Education
manager: dougeby
description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: w10
ms.prod: windows-client
author: amymzhou
ms.localizationpriority: medium
ms.author: amyzhou
@ -3,7 +3,7 @@ title: Cache node configuration
manager: aaroncz
description: Configuring a cache node on Azure portal
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: amyzhou
@ -3,7 +3,7 @@ title: Create, provision, and deploy the cache node in Azure portal
manager: aaroncz
description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: nidos
@ -98,9 +98,8 @@ There are five IDs that the device provisioning script takes as input in order t
|---|---|
| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. |
| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. |
| Customer Key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. |
| Cache node name | The name of the cache node. |
| Tenant ID | The unique ID associated with the Azure account. |
| Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. |
| Registration key | Single use device registration key used by Microsoft Delivery Optimization services. |

:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::

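Review bot: the hunk header says the provisioning script takes five IDs, but after the row move the table lists six (Customer ID, Cache node ID, Cache node name, Tenant ID, Customer key, Registration key); reconcile the count with the table. The Customer key row describes the value that authenticates the cache node to Delivery Optimization, so it is a secret rather than just an ID: say so, and ask readers not to paste it into support tickets or the screenshots other pages in this set request. "Single use" should be hyphenated as "Single-use", and the capitalization change from "Customer Key" to "Customer key" now matches the other rows.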
@ -8,13 +8,12 @@ metadata:
author: amymzhou
ms.author: amymzhou
manager: aaroncz
audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
ms.topic: faq
ms.date: 09/30/2022
ms.custom: seo-marvel-apr2020
ms.prod: windows-client
title: Microsoft Connected Cache Frequently Asked Questions
summary: |
**Applies to**
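Review bot: `ms.author: amymzhou` here differs from the other MCC files in this merge, where `author` is amymzhou and `ms.author` is amyzhou; check which alias is the Microsoft one. `ms.date: 09/30/2022` is also left untouched even though this metadata block is being changed.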
@ -3,7 +3,7 @@ title: Operator sign up and service onboarding
manager: aaroncz
description: Service onboarding for Microsoft Connected Cache for ISP
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: nidos
@ -22,9 +22,17 @@ ms.topic: article

This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview).

## Prerequisites

Before you begin sign up, ensure you have the following components:
- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/).
- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS.

## Resource creation and sign up process

1. Navigate to the [Azure portal](https://www.portal.azure.com). In the top search bar, search for **Microsoft Connected Cache**.
1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.

:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace.":::

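Review bot: grammar in the Server prerequisite, "that the server is installed Ubuntu 20.04 LTS" should read "that Ubuntu 20.04 LTS is installed on the server". Two versions of step 1 appear in this view ("In the top search bar" and "Select **Create a Resource**"); confirm only the new one survives. Both use https://www.portal.azure.com, while the portal's canonical address is https://portal.azure.com. "Peering DB" is written "PeeringDB" by the site itself.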
@ -3,7 +3,7 @@ title: Support and troubleshooting
manager: aaroncz
description: Troubleshooting issues for Microsoft Connected Cache for ISP
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
audience: itpro
author: nidos
ms.localizationpriority: medium
@ -3,7 +3,7 @@ title: Update or uninstall your cache node
manager: aaroncz
description: How to update or uninstall your cache node
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: amyzhou
@ -3,7 +3,7 @@ title: Verify cache node functionality and monitor health and performance
manager: aaroncz
description: How to verify the functionality of a cache node
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: amyzhou
@ -3,7 +3,7 @@ title: Enhancing VM performance
manager: aaroncz
description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
keywords: updates, downloads, network, bandwidth
ms.prod: w10
ms.prod: windows-client
ms.mktglfcycl: deploy
audience: itpro
author: amyzhou
@ -4,7 +4,7 @@ metadata:
description: The following is a list of frequently asked questions for Delivery Optimization.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer: aaroncz
ms.prod: m365-security
ms.prod: windows-client
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@ -35,14 +35,14 @@ The service is privacy focused and backed by leading industry compliance certifi

## How it works

The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Update Compliance](update-compliance-monitor.md).
The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md).

:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text.":::

Windows Update for Business comprises three elements:
- Client policy to govern update experiences and timing – available through Group Policy and CSPs
- Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell)
- Update Compliance to monitor update deployment – available through the Azure Marketplace
- Windows Update for Business reports to monitor update deployment

Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.

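Review bot: the new sentence under "How it works" has a typo, "Windows Update for Businesss reports" (three s). The new bullet "Windows Update for Business reports to monitor update deployment" drops the "available through ..." suffix the other two bullets carry; add where the reports are accessed so the list stays parallel. The image alt text "Elements in following text." doesn't describe the image.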
@ -5,10 +5,10 @@ manager: aaroncz
ms.prod: w10
ms.collection: M365-modern-desktop
ms.topic: include
ms.date: 11/04/2022
ms.date: 12/05/2022
ms.localizationpriority: medium
---
<!--This file is shared by all Update Compliance v1 articles. -->

> [!Important]
> If you're using Update Compliance, it's highly recommended that you start transitioning to Windows Update for Business reports. For more information, see [Windows Update for Business reports overview](..\wufb-reports-overview.md).
> Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology).
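Review bot: the links in the new Important note use backslashes (`..\wufb-reports-overview.md`); docs links should use forward slashes, and a backslash path may not resolve on a case-sensitive Linux build. This include still carries `ms.prod: w10` while the rest of this merge moves files to `windows-client`; update it here too. The retirement sentence is clear, and the `ms.date` bump to 12/05/2022 matches the change.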
@ -33,7 +33,7 @@ Windows as a service provides a new way to think about building, deploying, and
| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Monitor Windows Updates with Windows Update for Business reports](wufb-reports-overview.md) | Explains how to use Windows Update for Business reports to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. |
@ -31,9 +31,9 @@ IT admins managing updates using the [Windows Update for Business deployment ser

## Am I affected by a safeguard hold?

IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.
IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.

The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.

On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:

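Review bot: "The reports provide a list of active Safeguard Holds to provide you insight" repeats "provide"; something like "The reports list the active safeguard holds that are preventing devices from updating or upgrading" reads better. The old sentence linked both a Safeguard Holds report and Feature Update Status queries, while the new one links only the workbook anchor `#bkmk_update-group-feature`; check that the anchor is where the list actually appears so no detail is lost in the retarget.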
@ -48,4 +48,4 @@ We recommend that you do not attempt to manually update until issues have been r
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.

With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
With that in mind, IT admins who stay informed with [Windows Update for Business reports](wufb-reports-overview.md) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
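Review bot: "opt-out" is the noun form; as the verb in "can choose to temporarily opt-out of the protection" it should be "opt out", which is also how the same sentence writes it later ("If you do opt out"). The link retarget from Update Compliance to the reports overview is consistent with the rest of the merge.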
@ -50,8 +50,11 @@ Before you begin the process to add Update Compliance to your Azure subscription

Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. For the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution.

Use the following steps:
1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign in to your Azure subscription to access this page.
> [!IMPORTANT]
> Update Compliance is deprecated and no longer accepting any new onboarding requests. The instructions below are listed for verification and troubleshooting purposes only for existing Updates Compliance users. Update Compliance has been replaced by [Windows Update for Business reports](wufb-reports-overview.md) for monitoring compliance of updates.


1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**.
2. Select **Get it now**.
3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
- [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance.
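Review bot: the new IMPORTANT note is inserted between "Use the following steps:" and step 1, which separates the lead-in from its list; move the note above "Use the following steps:". In the note, "existing Updates Compliance users" should be "Update Compliance users". The rewritten step 1 now sends readers to the marketplace root to find the listing by name; keep the "published by Microsoft" wording and make it an explicit check before selecting, because a name search can surface similarly named third-party listings. The list also mixes `1.` with `2.`/`3.` numbering. On the role sentence above the steps, Contributor is enough to add the solution, so the guidance could recommend Contributor rather than presenting Owner as an equal option, in line with least privilege.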
@ -9,7 +9,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.date: 11/15/2022
ms.date: 12/05/2022
ms.technology: itpro-updates
---

@ -102,8 +102,12 @@ Create a configuration profile that will set the required policies for Windows U

The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) is a useful tool for properly enrolling devices in Windows Update for Business reports, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).

> [!NOTE]
> Using the script is optional when configuring devices through Intune. The script can be leveraged as a troubleshooting tool to ensure that devices are properly configured for Windows Update for Business reports.

When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a subset of devices that you can access. After following this guidance, you can deploy the configuration script in deployment mode as a Win32 app to all Windows Update for Business reports devices.


## Next steps

[Use Windows Update for Business reports](wufb-reports-use.md)
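Review bot: the new paragraph offers "saving results of the logs to a shared filesystem" as the way to collect results from Win32 deployments; add that the share should be access-restricted (devices write, only admins read), since the script output records which services are running and which endpoints each device can reach, which isn't something every user with share access should be able to browse. "leveraged" in the new note reads better as "used". The pilot-mode-first recommendation is sound.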
@ -51,8 +51,8 @@ You can open support requests directly from the Azure portal. If the **Help + S
- **Issue type** - ***Technical***
- **Subscription** - Select the subscription used for Windows Update for Business reports
- **Service** - ***My services***
- **Service type** - ***Monitoring and Management***
- **Problem type** - ***Windows Update for Business reports***
- **Service type** - Select ***Windows Update for Business reports*** under ***Monitoring and Management***


1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem.
1. Complete the **Additional details** tab and then create the request on the **Review + create** tab.
@ -66,7 +66,7 @@ Links to detailed explanations of commands are available in the [Related article
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```

## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
## To migrate two domain accounts (User1 and User2) and move both accounts from the Contoso domain to the Fabrikam domain

Links to detailed explanations of commands are available in the [Related articles](#related-articles) section.

@ -83,7 +83,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:

```cmd
LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml
LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user1 /mu:contoso\user2:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml
```

## Related articles
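Review bot: the replacement command line is the actual fix here: the old `/mu:contoso\user1:fabrikam\user2` mapped User1 onto User2's account, while the new line maps `contoso\user1` to `fabrikam\user1` and `contoso\user2` to `fabrikam\user2`, which matches the heading changed in the previous hunk and the `/mu:<OldDomain>\<OldUser>:<NewDomain>\<NewUser>` form. Minor: the inline code `LoadState.exe ` in step 4 has a trailing space inside the backticks.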
@ -27,9 +27,9 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install

## Deployment scenarios affected

The table below provides support details for specific deployment scenarios (Boot Image Version).
The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows.

||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11|
|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11|
|--- |--- |--- |--- |--- |--- |
|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.|
|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.|
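Review bot: the new intro sentence, "Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows", defines the term with itself; "Each column refers to the boot.wim taken from that version's installation media" says what the column headers mean. Two header rows appear above the `|--- |` separator in this view; make sure the `||Windows 10|...` row is the one being removed, because a Markdown table with two rows above the delimiter row won't render as a table.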
@ -50,6 +50,19 @@
href: operate/windows-autopatch-wqu-end-user-exp.md
- name: Windows quality update signals
href: operate/windows-autopatch-wqu-signals.md
- name: Windows quality update reports
href: operate/windows-autopatch-wqu-reports-overview.md
items:
- name: Summary dashboard
href: operate/windows-autopatch-wqu-summary-dashboard.md
- name: All devices report
href: operate/windows-autopatch-wqu-all-devices-report.md
- name: All devices report—historical
href: operate/windows-autopatch-wqu-all-devices-historical-report.md
- name: Eligible devices report—historical
href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md
- name: Ineligible devices report—historical
href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
- name: Windows feature updates
href: operate/windows-autopatch-fu-overview.md
items:
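Review bot: the added TOC entries use em dashes in their names ("All devices report—historical"); confirm the names match the titles of the target pages and that the dash style is consistent with the rest of the TOC, since these strings are what appears in the navigation pane.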
@ -86,4 +99,9 @@
|
||||
- name: Privacy
|
||||
href: references/windows-autopatch-privacy.md
|
||||
- name: Windows Autopatch preview addendum
|
||||
href: references/windows-autopatch-preview-addendum.md
|
||||
href: references/windows-autopatch-preview-addendum.md
|
||||
- name: What's new
|
||||
href:
|
||||
items:
|
||||
- name: What's new 2022
|
||||
href: whats-new/windows-autopatch-whats-new-2022.md
@ -7,12 +7,12 @@ metadata:
title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: device, app, update, management
ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.topic: landing-page # Required
author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
ms.custom: intro-hub-or-landing
ms.prod: windows-client
ms.collection:
- highpri
@ -31,7 +31,7 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) |
## Windows feature update releases
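Review bot: the Group policy conflict row now links to `#group-policy-and-other-policy-managers`, but its text still says only 'Devices must not have group policies deployed which would prevent device management'; since the target section now covers other policy managers as well, widen the row to match, for example 'Devices must not have group policies or other policy manager configurations deployed that would prevent device management.', and give the cell the terminating period the rows above it have.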
@ -0,0 +1,40 @@
---
title: All devices report—historical
description: Provides a visual representation of the update status trend for all devices over the last 90 days.
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: adnich
---
# All devices report—historical
The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days.
**To view the historical All devices report:**
1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **All devices report—historical**.
:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png":::
> [!NOTE]
> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
## Report options
The following options are available:
| Option | Description |
| ----- | ----- |
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
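Review bot: 'Sign into' in step 1 should be 'Sign in to' (the verb is 'sign in'), here and in step 1 of the other new report pages in this change. The note is also misattached: 'This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page' reads as if the report is what can be seen at the top; suggest 'The time stamp of when the report trend was last generated is shown at the top of the page.' This note and the Report options table recur verbatim in the Eligible and Ineligible historical pages, so an include file would keep the three copies from drifting.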
@ -0,0 +1,56 @@
---
title: All devices report
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: adnich
---
# All devices report
The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
**To view the All devices report:**
1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **All devices report**.
:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png":::
> [!NOTE]
> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
## Report information
The following information is available in the All devices report:
| Column name | Description |
| ----- | ----- |
| Device name | The name of the device. |
| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
| Serial number | The current Intune recorded serial number for the device. |
| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). |
| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) |
| OS version | The current version of Windows installed on the device. |
| OS revision | The current revision of Windows installed on the device. |
| Intune last check in time | The last time the device checked in to Intune. |
## Report options
The following options are available:
| Option | Description |
| ----- | ----- |
| Search | Use to search by device name, Azure AD device ID or serial number |
| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. |
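Review bot: in the Report information table the 'Update sub status' cell ends without a period while the 'Update status' cell above it has one, and in Report options the 'Search' cell ('Use to search by device name, Azure AD device ID or serial number') also lacks its terminating period. The Search row also abbreviates to 'Azure AD device ID' while the column it refers to is titled 'Azure Active Directory (AD) device ID'; use one form in both places so readers searching the page find the column.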
@ -0,0 +1,40 @@
---
title: Eligible devices report—historical
description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: adnich
---
# Eligible devices report—historical
The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
**To view the historical Eligible devices report:**
1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **Eligible devices report—historical**.
:::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png":::
> [!NOTE]
> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
## Report options
The following options are available:
| Option | Description |
| ----- | ----- |
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
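Review bot: 'the update status trend for all eligible devices to receive quality updates' (in both the description field and the intro paragraph) misplaces the modifier; 'the update status trend for all devices eligible to receive quality updates' says what is meant. The same phrasing appears in the Device trends row of the new reports overview page in this change and should be corrected there too.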
@ -0,0 +1,43 @@
---
title: Ineligible devices report—historical
description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: adnich
---
# Ineligible devices report—historical
The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
> [!NOTE]
> Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month.
**To view the historical Ineligible devices report:**
1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **Ineligible devices report—historical**.
:::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png":::
> [!NOTE]
> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
## Report options
The following options are available:
| Option | Description |
| ----- | ----- |
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
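Review bot: the first note states the usage requirement ('Devices must have at least six hours of usage, with at least two hours being continuous') without saying how it relates to this report, so the reader has to guess why the ineligible count rises; tie it to the Insufficient Usage sub status defined in the reports overview, for example 'Devices that don't meet the usage requirement (at least six hours of usage, with at least two hours continuous) are reported as ineligible with the Insufficient Usage sub status. Expect the number of ineligible devices to rise when the report refreshes on the second Tuesday of each month.' 'Widget' in that note is also the only place this page calls the report a widget; use 'report' as the rest of the page does.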
@ -31,7 +31,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) |
## Windows quality update releases
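Review bot: in this Group policy conflict row only the anchor changed, to the renamed 'Group policy and other policy managers' section, while the cell text still mentions group policies alone and, unlike the neighbouring rows, has no terminating period; align the wording with the section it now links to (group policies or other policy manager configurations) so the eligibility table and the policy page describe the same condition.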
@ -0,0 +1,110 @@
---
title: Windows quality update reports
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: adnich
---
# Windows quality update reports
The Windows quality update reports provide you information about:
- Quality update device eligibility
- Device update health
- Device update trends
Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
The report types are organized into the following focus areas:
| Focus area | Description |
| ----- | ----- |
| Operational detail | <ul><li>[Summary dashboard](windows-autopatch-wqu-summary-dashboard.md): Provides the current update status summary for all devices.</li><li>[All devices report](windows-autopatch-wqu-all-devices-report.md): Provides the current update status of all devices at the device level.</li></ul> |
| Device trends | <ul><li>[All devices report – historical](windows-autopatch-wqu-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.</li><li>[Eligible devices report – historical](windows-autopatch-wqu-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.</li><li>[Ineligible devices report – historical](windows-autopatch-wqu-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.</li></ul> |
## Who can access the reports?
Users with the following permissions can access the reports:
- Global Administrator
- Intune Service Administrator
- Administrators assigned to an Intune role with read permissions
## About data latency
The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
## Windows quality update statuses
The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:
- [Healthy devices](#healthy-devices)
- [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action)
- [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action)
Each status has its own set of sub statuses to further describe the status.
### Healthy devices
Healthy devices are devices that meet all of the following prerequisites:
- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility)
> [!NOTE]
> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
| Sub status | Description |
| ----- | ----- |
| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). |
### Not Up to Date (Microsoft Action)
Not Up to Date means a device isn’t up to date when the:
- Quality update is more than a month out of date, or the device is on last month’s quality update
- Device is more than 21 days overdue from the last release.
> [!NOTE]
> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective).
| Sub status | Description |
| ----- | ----- |
| No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. |
| Not Offered | The Windows Update service hasn’t offered the update to that device. |
| Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. |
| In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. |
| Other | This device isn't up to date and isn’t reporting back data from the client. |
### Ineligible Devices (Customer Action)
Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status.
Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses.
| Sub status | Description |
| ----- | ----- |
| Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. |
| Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). |
| Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. |
| Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
| Not On Supported on Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Intune Sync Older Than 5 Days | Devices must have checked with Intune within the last five days. |
## Data export
Select **Export devices** to export data for each report type.
> [!NOTE]
> You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API.
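Review bot: 'Not On Supported on Windows Edition' in the Ineligible Devices sub status table has a duplicated 'on'; it should read 'Not On Supported Windows Edition' to match 'Not On Supported Windows Build' in the next row. In the same table, 'more than one GB (GigaBytes)' should be 'more than 1 GB (gigabyte)' and 'Devices must have checked with Intune' should be 'checked in with Intune'. In the Device trends row the report names use a spaced en dash ('All devices report – historical') while the new pages and the TOC entries in this change use 'All devices report—historical'; pick one form so the link text matches the page titles. The Not Up to Date definition ('isn't up to date when the: Quality update is more than a month out of date, or the device is on last month's quality update') lets its two conditions overlap; state whether being on the previous month's update is itself a Not Up to Date condition or only the 21-day overdue case counts, and end the first bullet with a period like the second. Finally, 'Microsoft Graph RESTful web API' in the Data export note is normally written 'the Microsoft Graph REST API'.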
@ -0,0 +1,44 @@
---
title: Summary dashboard
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: adnich
---
# Summary dashboard
The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
**To view the current update status for all your enrolled devices:**
1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
> [!NOTE]
> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
## Report information
The following information is available in the Summary dashboard:
| Column name | Description |
| ----- | ----- |
| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). |
| Devices | The number of devices showing as applicable for the state. |
## Report options
The following option is available:
| Option | Description |
| ----- | ----- |
| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
@ -1,7 +1,7 @@
---
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
ms.date: 07/07/2022
ms.date: 12/02/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
msreviewer: adnich
---
# Windows update policies
@ -109,8 +109,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de
| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.<p><p>Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.<p><p>This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. |
### Group policy
### Group policy and other policy managers
Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management:
Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management:
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
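Review bot: 'modify the following hives in the registry' is inaccurate; `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` are registry keys (both sit under the HKLM\SOFTWARE hive), so write 'keys'. The rewrite also softens 'the device will be ineligible for management' to 'the device could become ineligible' without saying what decides the outcome; either keep the definite statement or name the condition, since the eligibility tables elsewhere in this change say devices 'must not have' such policies. And because the tenant enrollment page in this same change documents the 'Windows Autopatch - Set MDM to Win Over GPO' policy with the value 'The MDM policy is used and the GP policy is blocked', a sentence reconciling that with 'Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies' would spare readers an apparent contradiction.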
@ -2,7 +2,7 @@
metadata:
title: Windows Autopatch - Frequently Asked Questions (FAQ)
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: w11
ms.prod: windows-client
ms.topic: faq
ms.date: 08/26/2022
audience: itpro
@ -34,7 +34,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
| License | ID | GUID number |
| ----- | ----- | ------|
| [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 |
| [Microsoft 365 E3 (500 seats minimum_HUB)](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a |
| [Microsoft 365 E3 - Unattended License](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 |
| [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 |
| [Microsoft 365 E5 (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 |
| [Microsoft 365 E5 with calling minutes](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 |
| [Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 |
| [Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c |
| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad |
| [TEST - Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f |
| [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a |
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
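Review bot: the added rows include two test SKUs, 'TEST - Microsoft 365 E3' (SPE_E3_TEST) and 'TEST - Microsoft 365 E5 without audio conferencing' (SPE_E5_NOPSTNCONF_TEST); confirm these belong in customer-facing licensing guidance rather than an internal list. The '_HUB' suffix is placed inconsistently: inside the parentheses in 'Microsoft 365 E3 (500 seats minimum_HUB)' but outside in 'Microsoft 365 E5 (500 seats minimum)_HUB' and 'Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB'; use one form, ideally the display name as it appears in the linked service-plan reference. 'GUID number' in the header is redundant; 'GUID' suffices.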
@ -1,7 +1,7 @@
---
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
ms.date: 11/02/2022
ms.date: 12/01/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@ -60,8 +60,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to
| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices. <p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ul><li>[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ul>|<ul><li>Full</li><li>1</li><li>1</li><li>1</li> |
| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked |
| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)</li><li>[Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)</li><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Enable telemetry change notifications</li><li>Enable Telemetry opt-in Settings</li><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
|
||||
| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
|
||||
|
||||
## Update rings for Windows 10 and later
|
||||
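Review bot: the old Data Collection row's value cell `<ul><li>Full</li><li>1</li><li>1</li><li>1</li>` never closes its `<ul>`, and the replacement row's value `Enable Telemetry opt-in Settings` for the Configure Telemetry Opt In Settings Ux policy does not say whether end users can still change the diagnostic data level on the device; state the effective behaviour (the Settings UI is locked, or it is not), because that is what an auditor reading this table needs next to `AllowTelemetry = Full`. Two smaller points in the same region: the `DetectionFrequency` value `4` carries no unit (the Update CSP takes hours, so write it as hours), and the `#controlpolicyconflict-MDMWinsOverGP` anchor in the MDM Wins Over GP row is mixed-case, so check that the link resolves on Learn, whose heading anchors are lower-case.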
@ -96,7 +96,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to
|
||||
|
||||
## Microsoft Office update policies
|
||||
|
||||
- Windows Autopatch - Office Configuration v5
|
||||
- Windows Autopatch - Office Configuration
|
||||
- Windows Autopatch - Office Update Configuration [Test]
|
||||
- Windows Autopatch - Office Update Configuration [First]
|
||||
- Windows Autopatch - Office Update Configuration [Fast]
|
||||
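Review bot: the rename from `Windows Autopatch - Office Configuration v5` to `Windows Autopatch - Office Configuration` in this list is not accompanied by any statement of what happens to the v5 policy object in tenants enrolled before the migration; add a sentence saying whether the old policy is removed or left in place, since a leftover policy with the same ring assignments could conflict with the new one. The visible list ends at `[Fast]` while the table in the next hunk has a `[Broad]` row; confirm the Broad entry is present in the unchanged context.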
@ -104,11 +104,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to
|
||||
|
||||
| Policy name | Policy description | Properties | Value |
|
||||
| ----- | ----- | ----- | ----- |
|
||||
| Windows Autopatch - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
|
||||
| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul> |<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>|<li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 0</li>|
|
||||
| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li></ul> |<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul> | <li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 0</li>|
|
||||
| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul>|<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>| <li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 3</li>|
|
||||
| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>|<li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 7</li> |
|
||||
| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li></ol> |
|
||||
| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>|<ol><li>Enabled;Days(Device) == 0 days</li></li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
|
||||
| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-First</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol> | <ol><li>Enabled;Days(Device) == 0 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
|
||||
| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ol>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled;Days(Device) == 3 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
|
||||
| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled;Days(Device) == 7 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol> |
|
||||
|
||||
## Microsoft Edge update policies
|
||||
|
||||
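Review bot: the new `Office Configuration` row lists `Update Path` as `Enabled` without the path value itself; the update path is the source Office pulls its updates from, so the table should state what it is set to (or that it stays on the default CDN) rather than only that the policy is on. Markup problems in the new rows: `[Test]` has a stray `</li>` (`<li>Enabled;Days(Device) == 0 days</li></li>`), and `[Broad]` never closes the `<ol>` around its assignment group and uses `<br>` where the sibling rows use `<p>`. Finally, after the migration the properties are identified only by display name; keeping the OMA-URI the removed rows carried (`.../L_Updates/L_UpdateDeadline`) alongside the Settings Catalog name would let admins match the entry to what an MDM diagnostic report shows.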
@ -117,8 +117,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to
|
||||
|
||||
| Policy name | Policy description | Properties | Value |
|
||||
| ----- | ----- | ----- | ----- |
|
||||
| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
|
||||
| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test </li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
|
||||
| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><ol><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>| <ol><li>Target Channel Override </li><li>Target Channel (Device) </li></ol> | <ol><li>Enabled</li><li>Stable</li></ol>|
|
||||
| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test </li></ol>| <ol><li>Target Channel Override</li><li>Target Channel (Device)</li></ol> | <ol><li>Enabled</li><li>Beta</li></ol>|
|
||||
|
||||
## PowerShell scripts
|
||||
|
||||
|
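Review bot: the new Stable-channel row's assignment list is malformed: `<li>...Fast</li><ol><li>...Broad</li></ol>` opens a second `<ol>` before the Broad group instead of continuing the first one, so the outer list is never closed and Broad renders as a nested item; drop the inner `<ol>` so all three rings sit in one list. Pinning the Test ring to the Edge Beta channel while every other ring is on Stable is a deliberate canary setup, but the description `Deploys updates via the Edge Beta Channel` should say that, otherwise readers will file it as a mistake.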
@ -2,8 +2,8 @@
|
||||
title: Privacy
|
||||
description: This article provides details about the data platform and privacy compliance for Autopatch
|
||||
ms.date: 11/08/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: reference
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
|
@ -0,0 +1,101 @@
|
||||
---
|
||||
title: What's new
|
||||
description: This article lists the new feature releases and any corresponding Message center post numbers.
|
||||
ms.date: 12/02/2022
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-updates
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# What's new
|
||||
|
||||
This article lists new and updated feature releases, and service releases, with their corresponding Message center post numbers (if applicable).
|
||||
|
||||
Minor corrections such as typos, style, or formatting issues aren't listed.
|
||||
|
||||
## December 2022
|
||||
|
||||
### December feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added more licenses to the More about licenses section<ul><li>[MC452168](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
|
||||
| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section |
|
||||
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies |
|
||||
| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports |
|
||||
|
||||
## November 2022
|
||||
|
||||
### November feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Privacy](../references/windows-autopatch-privacy.md) | Updated data center locations<ul><li>[MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
|
||||
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated multiple sections because of the OMA-URI to Intune Settings Catalog policy migration<ul><li>[MC443898](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
|
||||
| [Configure your network](../prepare/windows-autopatch-configure-network.md) | Added information on Delivery Optimization |
|
||||
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | 32 and 64-bit versions are supported |
|
||||
|
||||
### November service release
|
||||
|
||||
| Message center post number | Description |
|
||||
| ----- | ----- |
|
||||
| [MC470135](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update |
|
||||
|
||||
## October 2022
|
||||
|
||||
### October feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md) | New Tenant management blade |
|
||||
| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added Azure Virtual Desktop capability |
|
||||
|
||||
### October service release
|
||||
|
||||
| Message center post number | Description |
|
||||
| ----- | ----- |
|
||||
| [MC450491](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update |
|
||||
|
||||
## September 2022
|
||||
|
||||
### September feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | Post-device registration readiness checks public preview release<ul><li>[MC409850](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
|
||||
|
||||
## August 2022
|
||||
|
||||
### August feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Windows Autopatch on Windows 365 Enterprise Workloads capability.<ul><li>[MC409850](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
|
||||
|
||||
### August service release
|
||||
|
||||
| Message center post number | Description |
|
||||
| ----- | ----- |
|
||||
| [MC418962](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update |
|
||||
|
||||
## July 2022
|
||||
|
||||
### July feature releases or updates
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Windows Autopatch on Windows 365 Enterprise Workloads capability |
|
||||
| Windows Autopatch General Availability | Windows Autopatch General Availability (GA) release |
|
||||
|
||||
## May 2022
|
||||
|
||||
### May feature release
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| Windows Autopatch | Announcing Windows Autopatch; a new feature in Windows E3 and E5 <ul><li>[MC390012](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
|
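Review bot: MC409850 is cited for two different features, `Post-device registration readiness checks public preview release` (September) and `Windows Autopatch on Windows 365 Enterprise Workloads capability` (August); one of the two post numbers must be wrong, and because every Message center link points at the generic `home#/MessageCenter` page rather than the post, a reader cannot tell which. Link each ID to its own message or at least resolve the duplicate. Smaller issues in the same file: the front matter key `msreviewer: hathind` is not the `ms.reviewer` key the repo uses elsewhere (see the docfx.json hunk later in this commit), `ms.topic: how-to` is the wrong topic type for a change log, and the rows for Prerequisites, Privacy, Changes made at tenant enrollment and Post-device registration readiness checks open `<ul><li>` for the MC link without closing it, unlike the August and May rows which do.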
@ -45,45 +45,45 @@
|
||||
href: /windows-hardware/design/device-experiences/oem-highly-secure
|
||||
- name: Operating system security
|
||||
items:
|
||||
- name: Overview
|
||||
href: operating-system.md
|
||||
- name: System security
|
||||
items:
|
||||
- name: Secure the Windows boot process
|
||||
href: information-protection/secure-the-windows-10-boot-process.md
|
||||
- name: Trusted Boot
|
||||
href: trusted-boot.md
|
||||
- name: Cryptography and certificate management
|
||||
href: cryptography-certificate-mgmt.md
|
||||
- name: The Windows Security app
|
||||
href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
|
||||
items:
|
||||
- name: Virus & threat protection
|
||||
href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
|
||||
- name: Account protection
|
||||
href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
|
||||
- name: Firewall & network protection
|
||||
href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
|
||||
- name: App & browser control
|
||||
href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
|
||||
- name: Device security
|
||||
href: threat-protection\windows-defender-security-center\wdsc-device-security.md
|
||||
- name: Device performance & health
|
||||
href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
|
||||
- name: Family options
|
||||
href: threat-protection\windows-defender-security-center\wdsc-family-options.md
|
||||
- name: Security policy settings
|
||||
href: threat-protection/security-policy-settings/security-policy-settings.md
|
||||
- name: Security auditing
|
||||
href: threat-protection/auditing/security-auditing-overview.md
|
||||
- name: Encryption and data protection
|
||||
href: encryption-data-protection.md
|
||||
items:
|
||||
- name: Encrypted Hard Drive
|
||||
href: information-protection/encrypted-hard-drive.md
|
||||
- name: BitLocker
|
||||
href: information-protection/bitlocker/bitlocker-overview.md
|
||||
items:
|
||||
- name: Overview
|
||||
href: operating-system.md
|
||||
- name: System security
|
||||
items:
|
||||
- name: Secure the Windows boot process
|
||||
href: information-protection/secure-the-windows-10-boot-process.md
|
||||
- name: Trusted Boot
|
||||
href: trusted-boot.md
|
||||
- name: Cryptography and certificate management
|
||||
href: cryptography-certificate-mgmt.md
|
||||
- name: The Windows Security app
|
||||
href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
|
||||
items:
|
||||
- name: Virus & threat protection
|
||||
href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
|
||||
- name: Account protection
|
||||
href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
|
||||
- name: Firewall & network protection
|
||||
href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
|
||||
- name: App & browser control
|
||||
href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
|
||||
- name: Device security
|
||||
href: threat-protection\windows-defender-security-center\wdsc-device-security.md
|
||||
- name: Device performance & health
|
||||
href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
|
||||
- name: Family options
|
||||
href: threat-protection\windows-defender-security-center\wdsc-family-options.md
|
||||
- name: Security policy settings
|
||||
href: threat-protection/security-policy-settings/security-policy-settings.md
|
||||
- name: Security auditing
|
||||
href: threat-protection/auditing/security-auditing-overview.md
|
||||
- name: Encryption and data protection
|
||||
href: encryption-data-protection.md
|
||||
items:
|
||||
- name: Encrypted Hard Drive
|
||||
href: information-protection/encrypted-hard-drive.md
|
||||
- name: BitLocker
|
||||
href: information-protection/bitlocker/bitlocker-overview.md
|
||||
items:
|
||||
- name: Overview of BitLocker Device Encryption in Windows
|
||||
href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
|
||||
- name: BitLocker frequently asked questions (FAQ)
|
||||
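Review bot: the old and new halves of this hunk are identical line for line, so the entire change is indentation, which in a YAML TOC moves every entry from `Overview` through `BitLocker` to a different nesting level; check the rendered TOC, since one level too few flattens the Operating system security children into the top level and one too many hides them under `OEM highly secure`. Separately, `Secure the Windows boot process` and `Trusted Boot` are adjacent entries covering the same boot-integrity topic, and `Virus & threat protection` is used both here as a Windows Security app page and later as a top-level node; consider distinguishing the names.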
@ -155,21 +155,21 @@
|
||||
href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
|
||||
- name: Decode Measured Boot logs to track PCR changes
|
||||
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
|
||||
- name: Personal Data Encryption (PDE)
|
||||
items:
|
||||
- name: Personal Data Encryption (PDE) overview
|
||||
href: information-protection/personal-data-encryption/overview-pde.md
|
||||
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
|
||||
href: information-protection/personal-data-encryption/faq-pde.yml
|
||||
- name: Configure Personal Data Encryption (PDE) in Intune
|
||||
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
|
||||
- name: Configure S/MIME for Windows
|
||||
href: identity-protection/configure-s-mime.md
|
||||
- name: Network security
|
||||
items:
|
||||
- name: VPN technical guide
|
||||
href: identity-protection/vpn/vpn-guide.md
|
||||
items:
|
||||
- name: Personal Data Encryption (PDE)
|
||||
items:
|
||||
- name: Personal Data Encryption (PDE) overview
|
||||
href: information-protection/personal-data-encryption/overview-pde.md
|
||||
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
|
||||
href: information-protection/personal-data-encryption/faq-pde.yml
|
||||
- name: Configure Personal Data Encryption (PDE) in Intune
|
||||
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
|
||||
- name: Configure S/MIME for Windows
|
||||
href: identity-protection/configure-s-mime.md
|
||||
- name: Network security
|
||||
items:
|
||||
- name: VPN technical guide
|
||||
href: identity-protection/vpn/vpn-guide.md
|
||||
items:
|
||||
- name: VPN connection types
|
||||
href: identity-protection/vpn/vpn-connection-type.md
|
||||
- name: VPN routing decisions
|
||||
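Review bot: `Configure S/MIME for Windows` is listed here under Encryption and data protection and again under Application security in the `@ -272` hunk of this same file; a page should have one TOC position or its breadcrumb becomes ambiguous. Keep it here, next to PDE and BitLocker, and drop the Application security copy.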
@ -192,17 +192,17 @@
|
||||
href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
|
||||
- name: Optimizing Office 365 traffic with the Windows VPN client
|
||||
href: identity-protection/vpn/vpn-office-365-optimization.md
|
||||
- name: Windows Defender Firewall
|
||||
href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
|
||||
- name: Windows security baselines
|
||||
href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
|
||||
items:
|
||||
- name: Windows Defender Firewall
|
||||
href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
|
||||
- name: Windows security baselines
|
||||
href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
|
||||
items:
|
||||
- name: Security Compliance Toolkit
|
||||
href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
|
||||
- name: Get support
|
||||
href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
|
||||
- name: Virus & threat protection
|
||||
items:
|
||||
- name: Virus & threat protection
|
||||
items:
|
||||
- name: Overview
|
||||
href: threat-protection/index.md
|
||||
- name: Microsoft Defender Antivirus
|
||||
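Review bot: `Windows security baselines` (with its `Security Compliance Toolkit` and `Get support` children) is nested under Network security beside the firewall, but the baselines cover the whole operating system, not the network stack; this TOC has a `Security foundations` node later on, which is where readers hunting for the SCT will look.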
@ -219,8 +219,8 @@
|
||||
href: /microsoft-365/security/defender-endpoint/exploit-protection
|
||||
- name: Microsoft Defender for Endpoint
|
||||
href: /microsoft-365/security/defender-endpoint
|
||||
- name: More Windows security
|
||||
items:
|
||||
- name: More Windows security
|
||||
items:
|
||||
- name: Override Process Mitigation Options to help enforce app-related security policies
|
||||
href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
|
||||
- name: Use Windows Event Forwarding to help with intrusion detection
|
||||
@ -230,9 +230,9 @@
|
||||
- name: Windows Information Protection (WIP)
|
||||
href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
|
||||
items:
|
||||
- name: Create a WIP policy using Microsoft Intune
|
||||
href: information-protection/windows-information-protection/overview-create-wip-policy.md
|
||||
items:
|
||||
- name: Create a WIP policy using Microsoft Intune
|
||||
href: information-protection/windows-information-protection/overview-create-wip-policy.md
|
||||
items:
|
||||
- name: Create a WIP policy in Microsoft Intune
|
||||
href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
|
||||
items:
|
||||
@ -244,26 +244,26 @@
|
||||
href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
|
||||
- name: Determine the enterprise context of an app running in WIP
|
||||
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
|
||||
- name: Create a WIP policy using Microsoft Configuration Manager
|
||||
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
|
||||
items:
|
||||
- name: Create a WIP policy using Microsoft Configuration Manager
|
||||
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
|
||||
items:
|
||||
- name: Create and deploy a WIP policy in Configuration Manager
|
||||
href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
|
||||
- name: Create and verify an EFS Data Recovery Agent (DRA) certificate
|
||||
href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
|
||||
- name: Determine the enterprise context of an app running in WIP
|
||||
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
|
||||
- name: Mandatory tasks and settings required to turn on WIP
|
||||
href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
|
||||
- name: Testing scenarios for WIP
|
||||
href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
|
||||
- name: Limitations while using WIP
|
||||
href: information-protection/windows-information-protection/limitations-with-wip.md
|
||||
- name: How to collect WIP audit event logs
|
||||
href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
|
||||
- name: General guidance and best practices for WIP
|
||||
href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
|
||||
items:
|
||||
- name: Mandatory tasks and settings required to turn on WIP
|
||||
href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
|
||||
- name: Testing scenarios for WIP
|
||||
href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
|
||||
- name: Limitations while using WIP
|
||||
href: information-protection/windows-information-protection/limitations-with-wip.md
|
||||
- name: How to collect WIP audit event logs
|
||||
href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
|
||||
- name: General guidance and best practices for WIP
|
||||
href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
|
||||
items:
|
||||
- name: Enlightened apps for use with WIP
|
||||
href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
|
||||
- name: Unenlightened and enlightened app behavior while using WIP
|
||||
@ -272,36 +272,36 @@
|
||||
href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
|
||||
- name: Using Outlook Web Access with WIP
|
||||
href: information-protection/windows-information-protection/using-owa-with-wip.md
|
||||
- name: Fine-tune WIP Learning
|
||||
href: information-protection/windows-information-protection/wip-learning.md
|
||||
- name: Disable WIP
|
||||
href: information-protection/windows-information-protection/how-to-disable-wip.md
|
||||
- name: Fine-tune WIP Learning
|
||||
href: information-protection/windows-information-protection/wip-learning.md
|
||||
- name: Disable WIP
|
||||
href: information-protection/windows-information-protection/how-to-disable-wip.md
|
||||
- name: Application security
|
||||
items:
|
||||
- name: Overview
|
||||
href: apps.md
|
||||
- name: Windows Defender Application Control and virtualization-based protection of code integrity
|
||||
href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
|
||||
- name: Windows Defender Application Control
|
||||
href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
|
||||
- name: Microsoft Defender Application Guard
|
||||
href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
|
||||
- name: Windows Sandbox
|
||||
href: threat-protection/windows-sandbox/windows-sandbox-overview.md
|
||||
items:
|
||||
- name: Overview
|
||||
href: apps.md
|
||||
- name: Windows Defender Application Control and virtualization-based protection of code integrity
|
||||
href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
|
||||
- name: Windows Defender Application Control
|
||||
href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
|
||||
- name: Microsoft Defender Application Guard
|
||||
href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
|
||||
- name: Windows Sandbox
|
||||
href: threat-protection/windows-sandbox/windows-sandbox-overview.md
|
||||
items:
|
||||
- name: Windows Sandbox architecture
|
||||
href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
|
||||
- name: Windows Sandbox configuration
|
||||
href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
|
||||
- name: Microsoft Defender SmartScreen overview
|
||||
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
|
||||
items:
|
||||
- name: Microsoft Defender SmartScreen overview
|
||||
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
|
||||
items:
|
||||
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
|
||||
href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
|
||||
- name: Configure S/MIME for Windows
|
||||
href: identity-protection\configure-s-mime.md
|
||||
- name: Windows Credential Theft Mitigation Guide Abstract
|
||||
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
|
||||
- name: Configure S/MIME for Windows
|
||||
href: identity-protection\configure-s-mime.md
|
||||
- name: Windows Credential Theft Mitigation Guide Abstract
|
||||
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
|
||||
- name: User security and secured identity
|
||||
items:
|
||||
- name: Overview
|
||||
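Review bot: `Configure S/MIME for Windows` and `Windows Credential Theft Mitigation Guide Abstract` are the last two children of Application security, yet the same credential-theft guide also appears under User security and secured identity in the next hunk (`@ -312`); both entries belong with identity protection, which is where their file paths already live (`identity-protection\...`). Remove them from Application security. Also, `Windows Defender Application Control and virtualization-based protection of code integrity` and `Windows Defender Application Control` are adjacent entries whose titles read as the same topic; a reader cannot tell which one is the overview.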
@ -312,12 +312,13 @@
|
||||
href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
|
||||
- name: Enterprise Certificate Pinning
|
||||
href: identity-protection/enterprise-certificate-pinning.md
|
||||
- name: Protect derived domain credentials with Credential Guard
|
||||
href: identity-protection/credential-guard/credential-guard.md
|
||||
- name: Credential Guard
|
||||
items:
|
||||
- name: Protect derived domain credentials with Credential Guard
|
||||
href: identity-protection/credential-guard/credential-guard.md
|
||||
- name: How Credential Guard works
|
||||
href: identity-protection/credential-guard/credential-guard-how-it-works.md
|
||||
- name: Credential Guard Requirements
|
||||
- name: Requirements
|
||||
href: identity-protection/credential-guard/credential-guard-requirements.md
|
||||
- name: Manage Credential Guard
|
||||
href: identity-protection/credential-guard/credential-guard-manage.md
|
||||
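Review bot: the new `Credential Guard` parent node has no `href`, and its first child keeps the long title `Protect derived domain credentials with Credential Guard`; the other grouped nodes in this TOC (`Access Control`, `User Account Control (UAC)`) name their first child `Overview`, so do the same here. The entries shortened to `Requirements`, `Additional mitigations` and `Known issues` only make sense under the new parent, so the grouping and the renames must land together.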
@ -327,30 +328,32 @@
|
||||
href: identity-protection/credential-guard/credential-guard-protection-limits.md
|
||||
- name: Considerations when using Credential Guard
|
||||
href: identity-protection/credential-guard/credential-guard-considerations.md
|
||||
- name: "Credential Guard: Additional mitigations"
|
||||
- name: Additional mitigations
|
||||
href: identity-protection/credential-guard/additional-mitigations.md
|
||||
- name: "Credential Guard: Known issues"
|
||||
- name: Known issues
|
||||
href: identity-protection/credential-guard/credential-guard-known-issues.md
|
||||
- name: Protect Remote Desktop credentials with Remote Credential Guard
|
||||
- name: Remote Credential Guard
|
||||
href: identity-protection/remote-credential-guard.md
|
||||
- name: Configuring LSA Protection
|
||||
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
|
||||
- name: Technical support policy for lost or forgotten passwords
|
||||
href: identity-protection/password-support-policy.md
|
||||
- name: Access Control Overview
|
||||
href: identity-protection/access-control/access-control.md
|
||||
- name: Access Control
|
||||
items:
|
||||
- name: Overview
|
||||
href: identity-protection/access-control/access-control.md
|
||||
- name: Local Accounts
|
||||
href: identity-protection/access-control/local-accounts.md
|
||||
- name: User Account Control
|
||||
- name: User Account Control (UAC)
|
||||
items:
|
||||
- name: Overview
|
||||
href: identity-protection/user-account-control/user-account-control-overview.md
|
||||
items:
|
||||
- name: How User Account Control works
|
||||
href: identity-protection/user-account-control/how-user-account-control-works.md
|
||||
- name: User Account Control security policy settings
|
||||
href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
|
||||
- name: User Account Control Group Policy and registry key settings
|
||||
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
|
||||
- name: How User Account Control works
|
||||
href: identity-protection/user-account-control/how-user-account-control-works.md
|
||||
- name: User Account Control security policy settings
|
||||
href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
|
||||
- name: User Account Control Group Policy and registry key settings
|
||||
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
|
||||
- name: Smart Cards
|
||||
href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
|
||||
items:
|
||||
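Review bot: the three User Account Control pages (How User Account Control works, User Account Control security policy settings, User Account Control Group Policy and registry key settings) move from being nested under the Overview entry's `items:` to being direct children of the new `User Account Control (UAC)` node; confirm that flattening is intended, since the YAML indentation that carries it is easy to lose in a merge. Also, the new `Access Control` node lists only `Overview` and `Local Accounts`, while the access-control.md overview in this same change links eight child pages (Dynamic Access Control Overview, Security identifiers, Security Principals, Active Directory Accounts, Microsoft Accounts, Service Accounts, Active Directory Security Groups in addition to Local Accounts); if those are meant to stay reachable from the TOC they need entries here too.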
@ -396,14 +399,14 @@
|
||||
href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
|
||||
- name: Cloud services
|
||||
items:
|
||||
- name: Overview
|
||||
href: cloud.md
|
||||
- name: Mobile device management
|
||||
href: /windows/client-management/mdm/
|
||||
- name: Windows 365 Cloud PCs
|
||||
href: /windows-365/overview
|
||||
- name: Azure Virtual Desktop
|
||||
href: /azure/virtual-desktop/
|
||||
- name: Overview
|
||||
href: cloud.md
|
||||
- name: Mobile device management
|
||||
href: /windows/client-management/mdm/
|
||||
- name: Windows 365 Cloud PCs
|
||||
href: /windows-365/overview
|
||||
- name: Azure Virtual Desktop
|
||||
href: /azure/virtual-desktop/
|
||||
- name: Security foundations
|
||||
items:
|
||||
- name: Overview
|
||||
|
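Review bot: the external entries under `Cloud services` (`/windows/client-management/mdm/`, `/windows-365/overview`, `/azure/virtual-desktop/`) carry no `?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json` query, unlike the `Configuring LSA Protection` entry earlier in this TOC, so following them drops the reader out of the Windows security TOC and breadcrumb; apply the same query string here if the intent is to keep readers inside this doc set. The four entries otherwise appear identical before and after, so this hunk looks like an indentation-only change; verify in the rendered TOC that `Overview` (cloud.md) is still the first child of `Cloud services`.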
@ -65,13 +65,15 @@
|
||||
},
|
||||
"fileMetadata": {
|
||||
"author":{
|
||||
"identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
|
||||
"identity-protection/**/*.md": "paolomatarazzo"
|
||||
},
|
||||
"ms.author":{
|
||||
"identity-protection/hello-for-business/**/*.md": "paoloma"
|
||||
"identity-protection/**/*.md": "paoloma"
|
||||
},
|
||||
"ms.reviewer":{
|
||||
"identity-protection/hello-for-business/**/*.md": "erikdau"
|
||||
"identity-protection/hello-for-business/*.md": "erikdau",
|
||||
"identity-protection/credential-guard/*.md": "zwhittington",
|
||||
"identity-protection/access-control/*.md": "sulahiri"
|
||||
}
|
||||
},
|
||||
"template": [],
|
||||
|
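Review bot: the `ms.reviewer` glob for Hello for Business changes from `identity-protection/hello-for-business/**/*.md` to `identity-protection/hello-for-business/*.md`, which no longer matches markdown files in subfolders of hello-for-business, while the `author` and `ms.author` entries are widened to `identity-protection/**/*.md`; if hello-for-business has subfolders, their pages lose the `erikdau` reviewer metadata. Either keep `**/*.md` for the reviewer entry or confirm the narrowing is deliberate. The new `identity-protection/credential-guard/*.md` and `identity-protection/access-control/*.md` reviewer keys use the same single-level form, so the same subfolder caveat applies to them.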
@ -1,19 +1,12 @@
|
||||
---
|
||||
title: Access Control Overview (Windows 10)
|
||||
description: Access Control Overview
|
||||
title: Access Control Overview
|
||||
description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
|
||||
ms.prod: windows-client
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: sulahiri
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/18/2017
|
||||
ms.date: 11/22/2022
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
|
||||
ms.technology: itpro-security
|
||||
---
|
||||
|
||||
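Review bot: the new `description` reads "Description of the access controls in Windows, which is the process of authorizing ...", a plural subject with a singular relative clause; suggest `Description of access control in Windows, the process of authorizing users, groups, and computers to access objects on the network or computer.` The `appliesto` links are also inconsistent about locale: the client link is `https://learn.microsoft.com/windows/release-health/...` while the server link is `https://learn.microsoft.com/en-us/windows/release-health/...`; drop `en-us` from the second so localized sites resolve to their own locale.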
@ -21,89 +14,66 @@ ms.technology: itpro-security
|
||||
|
||||
This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
|
||||
|
||||
## <a href="" id="bkmk-over"></a>Feature description
|
||||
|
||||
## Feature description
|
||||
|
||||
Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
|
||||
|
||||
Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
|
||||
Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
|
||||
|
||||
Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
|
||||
|
||||
- Deny access to unauthorized users and groups
|
||||
|
||||
- Set well-defined limits on the access that is provided to authorized users and groups
|
||||
- Deny access to unauthorized users and groups
|
||||
- Set well-defined limits on the access that is provided to authorized users and groups
|
||||
|
||||
Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
|
||||
|
||||
This content set contains:
|
||||
|
||||
- [Dynamic Access Control Overview](dynamic-access-control.md)
|
||||
|
||||
- [Security identifiers](security-identifiers.md)
|
||||
|
||||
- [Security Principals](security-principals.md)
|
||||
|
||||
- [Local Accounts](local-accounts.md)
|
||||
|
||||
- [Active Directory Accounts](active-directory-accounts.md)
|
||||
|
||||
- [Microsoft Accounts](microsoft-accounts.md)
|
||||
|
||||
- [Service Accounts](service-accounts.md)
|
||||
|
||||
- [Active Directory Security Groups](active-directory-security-groups.md)
|
||||
|
||||
## <a href="" id="bkmk-app"></a>Practical applications
|
||||
- [Dynamic Access Control Overview](dynamic-access-control.md)
|
||||
- [Security identifiers](security-identifiers.md)
|
||||
- [Security Principals](security-principals.md)
|
||||
- [Local Accounts](local-accounts.md)
|
||||
- [Active Directory Accounts](active-directory-accounts.md)
|
||||
- [Microsoft Accounts](microsoft-accounts.md)
|
||||
- [Service Accounts](service-accounts.md)
|
||||
- [Active Directory Security Groups](active-directory-security-groups.md)
|
||||
|
||||
## Practical applications
|
||||
|
||||
Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
|
||||
|
||||
- Protect a greater number and variety of network resources from misuse.
|
||||
|
||||
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
|
||||
|
||||
- Enable users to access resources from a variety of devices in numerous locations.
|
||||
|
||||
- Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change.
|
||||
|
||||
- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
|
||||
|
||||
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
|
||||
- Protect a greater number and variety of network resources from misuse.
|
||||
- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
|
||||
- Enable users to access resources from a variety of devices in numerous locations.
|
||||
- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change.
|
||||
- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
|
||||
- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
|
||||
|
||||
## Permissions
|
||||
|
||||
|
||||
Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
|
||||
|
||||
By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
|
||||
|
||||
For any object, you can grant permissions to:
|
||||
|
||||
- Groups, users, and other objects with security identifiers in the domain.
|
||||
|
||||
- Groups and users in that domain and any trusted domains.
|
||||
|
||||
- Local groups and users on the computer where the object resides.
|
||||
- Groups, users, and other objects with security identifiers in the domain.
|
||||
- Groups and users in that domain and any trusted domains.
|
||||
- Local groups and users on the computer where the object resides.
|
||||
|
||||
The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are:
|
||||
|
||||
- Read
|
||||
|
||||
- Modify
|
||||
|
||||
- Change owner
|
||||
|
||||
- Delete
|
||||
- Read
|
||||
- Modify
|
||||
- Change owner
|
||||
- Delete
|
||||
|
||||
When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
|
||||
|
||||
When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)).
|
||||
|
||||
**Note**
|
||||
Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)).
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)).
|
||||
|
||||
### Ownership of objects
|
||||
|
||||
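Review bot: removing the `<a href="" id="bkmk-over"></a>` and `<a href="" id="bkmk-app"></a>` anchors from the two headings breaks any inbound link to `#bkmk-over` or `#bkmk-app`; the auto-generated ids for the new headings will be `#feature-description` and `#practical-applications`, so either search the repo for links to the old fragments and update them, or keep the anchors. The opening sentence still begins "This topic for the IT professional describes ..."; since the front matter in this change now calls the page an article, the body could use the same term. Converting the `**Note**` paragraph to `> [!NOTE]` is the right call for the docs renderer.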
@ -115,7 +85,6 @@ Inheritance allows administrators to easily assign and manage permissions. This
|
||||
|
||||
## User rights
|
||||
|
||||
|
||||
User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
|
||||
|
||||
User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
|
||||
@ -124,15 +93,10 @@ For more information about user rights, see [User Rights Assignment](/windows/de
|
||||
|
||||
## Object auditing
|
||||
|
||||
|
||||
With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
|
||||
|
||||
For more information about auditing, see [Security Auditing Overview](../../threat-protection/auditing/security-auditing-overview.md).
|
||||
|
||||
## See also
|
||||
|
||||
- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)).
|
||||
|
||||
|
||||
|
||||
|
||||
- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)).
|
||||
|
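Review bot: the context line "With administrator's rights, you can audit users' successful or failed access to objects" puts a possessive on a role rather than a person; since this hunk already touches the Object auditing section (only to trim blank lines), "With administrator rights" would read better. The single `See also` bullet also opens with "For more information about access control and authorization, see ..."; in a See also list the link title alone, `[Access Control and Authorization Overview](...)`, is the usual form.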
@ -1,85 +1,51 @@
|
||||
---
|
||||
title: Local Accounts (Windows 10)
|
||||
title: Local Accounts
|
||||
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
|
||||
ms.prod: windows-client
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: sulahiri
|
||||
manager: aaroncz
|
||||
ms.date: 12/05/2022
|
||||
ms.collection:
|
||||
- M365-identity-device-management
|
||||
- highpri
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 06/17/2022
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
|
||||
ms.technology: itpro-security
|
||||
---
|
||||
|
||||
# Local Accounts
|
||||
|
||||
This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.
|
||||
This article describes the default local user accounts for Windows operating systems, and how to manage the built-in accounts.
|
||||
|
||||
## <a href="" id="about-local-user-accounts-"></a>About local user accounts
|
||||
## About local user accounts
|
||||
|
||||
Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.
|
||||
Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
|
||||
|
||||
This article describes the following:
|
||||
## Default local user accounts
|
||||
|
||||
- [Default local user accounts](#sec-default-accounts)
|
||||
The *default local user accounts* are built-in accounts that are created automatically when the operating system is installed. The default local user accounts can't be removed or deleted and don't provide access to network resources.
|
||||
|
||||
- [Administrator account](#sec-administrator)
|
||||
Default local user accounts are used to manage access to the local device's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the *Users* folder. The Users folder is located in the Local Users and Groups folder in the local *Computer Management* Microsoft Management Console (MMC). *Computer Management* is a collection of administrative tools that you can use to manage a local or remote device.
|
||||
|
||||
- [Guest Account](#sec-guest)
|
||||
Default local user accounts are described in the following sections. Expand each section for more information.
|
||||
|
||||
- [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant)
|
||||
<br>
|
||||
<details>
|
||||
<summary><b>Administrator</b></summary>
|
||||
|
||||
- [DefaultAccount](#defaultaccount)
|
||||
The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
|
||||
|
||||
- [Default local system accounts](#sec-localsystem)
|
||||
|
||||
- [How to manage local accounts](#sec-manage-accounts)
|
||||
|
||||
- [Restrict and protect local accounts with administrative rights](#sec-restrict-protect-accounts)
|
||||
|
||||
- [Enforce local account restrictions for remote access](#sec-enforce-account-restrictions)
|
||||
|
||||
- [Deny network logon to all local Administrator accounts](#sec-deny-network-logon)
|
||||
|
||||
- [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords)
|
||||
|
||||
For information about security principals, see [Security Principals](security-principals.md).
|
||||
|
||||
## <a href="" id="sec-default-accounts"></a>Default local user accounts
|
||||
|
||||
The default local user accounts are built-in accounts that are created automatically when you install Windows.
|
||||
|
||||
After Windows is installed, the default local user accounts can't be removed or deleted. In addition, default local user accounts don't provide access to network resources.
|
||||
|
||||
Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this article.
|
||||
|
||||
Default local user accounts are described in the following sections.
|
||||
|
||||
### <a href="" id="sec-administrator"></a>Administrator account
|
||||
|
||||
The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
|
||||
|
||||
The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.
|
||||
The Administrator account has full control of the files, directories, services, and other resources on the local device. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time by changing the user rights and permissions.
|
||||
|
||||
The default Administrator account can't be deleted or locked out, but it can be renamed or disabled.
|
||||
|
||||
From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation.
|
||||
Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.
|
||||
|
||||
Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
|
||||
|
||||
**Account group membership**
|
||||
|
||||
By default, the Administrator account is installed as a member of the Administrators group on the server. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.
|
||||
By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device.
|
||||
|
||||
The Administrator account can't be deleted or removed from the Administrators group, but it can be renamed.
|
||||
The Administrator account can't be removed from the Administrators group.
|
||||
|
||||
**Security considerations**
|
||||
|
||||
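Review bot: replacing the `### <a href="" id="sec-administrator"></a>Administrator account` heading with a `<details><summary>` block leaves no id to link to, so deep links to `#sec-administrator` break and the section drops out of the page's heading navigation; the deleted in-page list also pointed at `#sec-default-accounts`, `#sec-guest`, `#sec-helpassistant`, `#sec-localsystem`, `#sec-manage-accounts`, `#sec-restrict-protect-accounts`, `#sec-enforce-account-restrictions`, `#sec-deny-network-logon` and `#sec-create-unique-passwords`, so check that the sections those fragments named either keep an id or have no remaining inbound links, and consider putting an `id` on each `<details>` element. Separately, the new standalone sentence "Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option" sits a few lines above the unchanged advice to sign in with a non-Administrator account and use **Run as administrator** for elevated tasks; reconcile the two so readers are not told both. Minor: "Administrators groups" should be "Administrators group".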
@ -89,9 +55,7 @@ You can rename the Administrator account. However, a renamed Administrator accou
|
||||
|
||||
As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Don't use the Administrator account to sign in to your computer unless it's entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)).
|
||||
|
||||
In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.
|
||||
|
||||
In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
|
||||
Group Policy can be used to control the use of the local Administrators group automatically. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
|
||||
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
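Review bot: with the paragraph about the first local user being placed in the local Administrators group removed, the surviving sentence "Group Policy can be used to control the use of the local Administrators group automatically" has lost the context that "automatically" referred to, and "control the use ... automatically" no longer says what is being controlled. Suggest `Group Policy can be used to control membership of, and settings for, the local Administrators group on every device.`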
@ -99,13 +63,16 @@ In this case, Group Policy can be used to enable secure settings that can contro
|
||||
>
|
||||
> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
|
||||
|
||||
### <a href="" id="sec-guest"></a>Guest account
|
||||
</details>
|
||||
<br>
|
||||
<details>
|
||||
<summary><b>Guest</b></summary>
|
||||
|
||||
The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it's a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is entirely necessary.
|
||||
The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary.
|
||||
|
||||
**Account group membership**
|
||||
|
||||
By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
|
||||
By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device.
|
||||
|
||||
**Security considerations**
|
||||
|
||||
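Review bot: the rewritten Guest sentence swaps "Because the Guest account can provide anonymous access" for "Since the Guest account can provide anonymous access"; "since" also reads as temporal, so keep "because" for the causal sense, and "it's considered a security risk" softens a statement the rest of the paragraph treats as fact ("it's a best practice to leave the Guest account disabled"). The paragraph also still says "local server or client computer" while the rest of this change standardizes on "device". Structure is fine: `</details>` closes the Administrator block before the `<br>` and the new Guest `<details>` opens.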
@ -113,8 +80,11 @@ When enabling the Guest account, only grant limited rights and permissions. For
|
||||
|
||||
In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.
|
||||
|
||||
## <a href="" id="sec-helpassistant"></a>HelpAssistant account (installed with a Remote Assistance session)
|
||||
</details>
|
||||
|
||||
<br>
|
||||
<details>
|
||||
<summary><b>HelpAssistant</b></summary>
|
||||
|
||||
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
|
||||
|
||||
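Review bot: the old HelpAssistant heading was a level-2 `## <a href="" id="sec-helpassistant"></a>` while its siblings Administrator and Guest were level 3, so moving it into the same `<details>` pattern fixes the inconsistent hierarchy; the trade-off is again the lost `sec-helpassistant` fragment id. One layout nit: here `</details>` is followed by a blank line and then `<br>`, whereas the Guest block above has `</details>` immediately followed by `<br>`; pick one spacing so the collapsed sections render with uniform gaps.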
@ -124,9 +94,9 @@ HelpAssistant is the primary account that is used to establish a Remote Assistan
|
||||
|
||||
The SIDs that pertain to the default HelpAssistant account include:
|
||||
|
||||
- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.
|
||||
- SID: `S-1-5-<domain>-13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.
|
||||
|
||||
- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
|
||||
- SID: `S-1-5-<domain>-14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
|
||||
|
||||
For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.
|
||||
|
||||
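Review bot: wrapping `S-1-5-<domain>-13` and `S-1-5-<domain>-14` in backticks is the right fix for the renderer otherwise treating `<domain>` as an HTML tag, but it also freezes the values as shown, so verify them before merging: the same lines describe these as groups that include "all users who sign in to a server with Remote Desktop Services enabled" and "all users who connect to the computer by using a remote desktop connection", and the second is called "a subset of the Interactive group", which reads like a well-known group rather than a domain-relative identifier, so the `<domain>` component deserves a check against the well-known SID reference. The inline "Note: In Windows Server 2008, ..." would also fit the `> [!NOTE]` form used elsewhere in this change, and "The SIDs that pertain to the default HelpAssistant account include" would be clearer as "The well-known SIDs associated with the HelpAssistant account include".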
@ -138,23 +108,26 @@ For details about the HelpAssistant account attributes, see the following table.
|
||||
|--- |--- |
|
||||
|Well-Known SID/RID|`S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)`|
|
||||
|Type|User|
|
||||
|Default container|`CN=Users, DC=<domain>, DC=`|
|
||||
|Default container|`CN=Users, DC=<domain>`|
|
||||
|Default members|None|
|
||||
|Default member of|Domain Guests<br/><br/>Guests|
|
||||
|Protected by ADMINSDHOLDER?|No|
|
||||
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|
||||
|Safe to delegate management of this group to non-Service admins?|No|
|
||||
|
||||
### DefaultAccount
|
||||
</details>
|
||||
|
||||
The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016.
|
||||
The DSMA is a well-known user account type.
|
||||
It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
|
||||
The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop.
|
||||
<br>
|
||||
<details>
|
||||
<summary><b>DefaultAccount</b></summary>
|
||||
|
||||
The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\<ComputerIdentifier>-503
|
||||
The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic.
|
||||
|
||||
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581.
|
||||
The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience.
|
||||
|
||||
The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\<ComputerIdentifier>-503`.
|
||||
|
||||
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of `S-1-5-32-581`.
|
||||
|
||||
The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
|
||||
|
||||
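Review bot: `S-1-5-21-\<ComputerIdentifier>-503` keeps the markdown backslash escape inside the new code span, where it renders literally as `\<ComputerIdentifier>`; inside backticks the `<` needs no escape, as the `S-1-5-<domain>-13` code spans earlier in this file show, so drop the backslash. The `Default container` fix from `CN=Users, DC=<domain>, DC=` to `CN=Users, DC=<domain>` removes a dangling `DC=`, good. The rewrite also drops "introduced in Windows 10 version 1607 and Windows Server 2016" from the DefaultAccount description; that is consistent with the new `appliesto` (Windows 10 and later, Windows Server 2016 and later) but removes the only version marker a reader on an older build would see, so consider keeping it. Minor: "The DefaultAccount account" doubles the word account.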
@ -169,10 +142,10 @@ Today, Xbox automatically signs in as Guest account and all apps run in this con
All the apps are multi-user-aware and respond to events fired by user manager.
The apps run as the Guest account.

Similarly, Phone auto logs in as a “DefApps” account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.
Similarly, Phone auto logs in as a *DefApps* account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.

In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
For this purpose, the system creates DSMA.
For this purpose, the system creates DSMA.

#### How the DefaultAccount gets created on domain controllers

@ -182,25 +155,37 @@ If the domain was created with domain controllers running an earlier version of
#### Recommendations for managing the Default Account (DSMA)

Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
</details>

## <a href="" id="sec-localsystem"></a>Default local system accounts
## Default local system accounts

### SYSTEM
The SYSTEM account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
<br>
<details>
<summary><b>SYSTEM</b></summary>


The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.

On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.

> [!NOTE]
> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.

### NETWORK SERVICE
</details>
<br>
<details>
<summary><b>NETWORK SERVICE </b></summary>

The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
</details>
<br>
<details>
<summary><b>LOCAL SERVICE</b></summary>

### LOCAL SERVICE
The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
</details>

## <a href="" id="sec-manage-accounts"></a>How to manage local user accounts

## How to manage local user accounts
The default local user accounts, and the local user accounts you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)).
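Review bot: replacing `## <a href="" id="sec-localsystem"></a>Default local system accounts` and `## <a href="" id="sec-manage-accounts"></a>How to manage local user accounts` with plain headings changes the fragment ids from `#sec-localsystem` and `#sec-manage-accounts` to the auto-generated heading slugs, so any inbound link or TOC entry that uses the old fragments will stop resolving; search the repo for those ids before merging, or keep the anchors next to the new headings. The `<details>`/`<summary>` wrappers around SYSTEM, NETWORK SERVICE and LOCAL SERVICE are also dropped here, and the new `### NETWORK SERVICE` and `### LOCAL SERVICE` headings make the account names searchable, which is an improvement; while touching the SYSTEM block, the NOTE `> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account.` still reads awkwardly and would be clearer as `Granting file permissions to the Administrators group does not implicitly grant them to the SYSTEM account.`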
@ -209,11 +194,11 @@ You can use Local Users and Groups to assign rights and permissions on only the
You can't use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that aren't domain controllers on the network.

> [!NOTE]
> You use Active Directory Users and Computers to manage users and groups in Active Directory.
> You use Active Directory Users and Computers to manage users and groups in Active Directory.

You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using various PowerShell cmdlets and other scripting technologies.

### <a href="" id="sec-restrict-protect-accounts"></a>Restrict and protect local accounts with administrative rights
### Restrict and protect local accounts with administrative rights

An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement".

@ -221,22 +206,20 @@ The simplest approach is to sign in to your computer with a standard user accoun

The other approaches that can be used to restrict and protect user accounts with administrative rights include:

- Enforce local account restrictions for remote access.
- Enforce local account restrictions for remote access.

- Deny network logon to all local Administrator accounts.
- Deny network logon to all local Administrator accounts.

- Create unique passwords for local accounts with administrative rights.
- Create unique passwords for local accounts with administrative rights.

Each of these approaches is described in the following sections.

> [!NOTE]
> These approaches do not apply if all administrative local accounts are disabled.


### Enforce local account restrictions for remote access

### <a href="" id="sec-enforce-account-restrictions"></a>Enforce local account restrictions for remote access

The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.

UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.

@ -268,79 +251,45 @@ The following table shows the Group Policy and registry settings that are used t

#### To enforce local account restrictions for remote access

1. Start the **Group Policy Management** Console (GPMC).
1. Start the **Group Policy Management** Console (GPMC)
1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects > New**
1. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:

2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
    - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
    - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
    - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**

3. In the console tree, right-click **Group Policy Objects**, and > **New**.
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:


    - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
    - Right-click **Registry**, and > **New** > **Registry Item**
    - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
    - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
    - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
    - In the **Value name** area, type `LocalAccountTokenFilterPolicy`
    - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
    - In the **Value data** box, ensure that the value is set to **0**
    - Verify this configuration, and > **OK**

4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:


    - Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
    - Right-click the **Workstations > Link an existing GPO**
    - Select the GPO that you created, and > **OK**

5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.



6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:

    1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**.

    2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**.

    3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**.

7. Ensure that the local account restrictions are applied to network interfaces by following these steps:

    1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**.

    2. Right-click **Registry**, and > **New** > **Registry Item**.

    

    3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.

    4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**.

    5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.

    6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**.

    7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value.

    8. In the **Value data** box, ensure that the value is set to **0**.

    9. Verify this configuration, and > **OK**.



8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:

    1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path.

    2. Right-click the **Workstations** OU, and > **Link an existing GPO**.

    

    3. Select the GPO that you created, and > **OK**.

9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.

10. Create links to all other OUs that contain workstations.

11. Create links to all other OUs that contain servers.

### <a href="" id="sec-deny-network-logon"></a>Deny network logon to all local Administrator accounts
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers
### Deny network logon to all local Administrator accounts

Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.

> [!NOTE]
> To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.



The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.
|No.|Setting|Detailed Description|
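Review bot: the new sub-step `Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path` mixes up the placeholders: `Domains` is the literal container node in GPMC and should not be in angle brackets, while `Forest`, `Domain` and `OU` are the placeholders, and the `*...*` italics markers do not render inside a code span. The old wording `<*Forest*>\\Domains\\<*Domain*>\\OU` (kept in the later `8. Link the GPO` block) was correct; use that form here too. Backslash escaping in the new text is also inconsistent: `Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\` uses doubled backslashes while `*Computer Configuration\Preferences and Windows Settings*` uses single ones; pick one convention for the file. Finally, `Right-click the **Workstations > Link an existing GPO**` bolds the OU name together with the menu item; the old `Right-click the **Workstations** OU, and > **Link an existing GPO**` is clearer.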
@ -354,55 +303,33 @@ The following table shows the Group Policy settings that are used to deny networ

#### To deny network logon to all local administrator accounts

1. Start the **Group Policy Management** Console (GPMC).
1. Start the **Group Policy Management** Console (GPMC)
1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
1. In the console tree, right-click **Group Policy Objects**, and > **New**
1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
1. Configure the user rights to deny network logons for administrative local accounts as follows:
    1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**
    1. Double-click **Deny access to this computer from the network**
    1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
    1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**
    1. Double-click **Deny log on through Remote Desktop Services**
    1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Link the GPO to the first **Workstations** OU as follows:

2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
    - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
    - Right-click the **Workstations** OU, and > **Link an existing GPO**
    - Select the GPO that you created, and > **OK**

3. In the console tree, right-click **Group Policy Objects**, and > **New**.
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers

4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer.
> [!NOTE]
> You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.



5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.



6. Configure the user rights to deny network logons for administrative local accounts as follows:

    1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**.

    2. Double-click **Deny access to this computer from the network**.

    3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.

7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:

    1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**.

    2. Double-click **Deny log on through Remote Desktop Services**.

    3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.

8. Link the GPO to the first **Workstations** OU as follows:

    1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path.

    2. Right-click the **Workstations** OU, and > **Link an existing GPO**.

    3. Select the GPO that you created, and > **OK**.

9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.

10. Create links to all other OUs that contain workstations.

11. Create links to all other OUs that contain servers.

> [!NOTE]
> You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.


### <a href="" id="sec-create-unique-passwords"></a>Create unique passwords for local accounts with administrative rights
### Create unique passwords for local accounts with administrative rights
Passwords should be unique per individual account. While it's true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.
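Review bot: the new step `In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer` carries over a broken sentence from the old text (`the name of the new GPO indicates that`); split it: `... where *gpo\_name* is the name of the new GPO. The name indicates that the GPO is used to restrict ...`. The two navigation paths to the same GPMC node also still disagree: `Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**` for the network-logon step versus `Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**` for the Remote Desktop step. The node lives at Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment; spell it out the same way in both places so readers following the second step do not look for a node that is not there.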
@ -410,19 +337,6 @@ Passwords that are left unchanged or changed synchronously to keep them identica

Passwords can be randomized by:

- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools.

- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task.

- Creating and implementing a custom script or solution to randomize local account passwords.

## <a href="" id="dhcp-references"></a>See also


The following resources provide additional information about technologies that are related to local accounts.

- [Security Principals](security-principals.md)

- [Security Identifiers](security-identifiers.md)

- [Access Control Overview](access-control.md)
- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools
- Configuring [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) to accomplish this task
- Creating and implementing a custom script or solution to randomize local account passwords
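Review bot: this hunk removes the entire `## <a href="" id="dhcp-references"></a>See also` section (the `Security Principals`, `Security Identifiers` and `Access Control Overview` links) together with the old randomization list, and the `+337,6` side carries only the three rewritten list items; if dropping the See also section is not intended, restore it, and in either case check that nothing else links to `#dhcp-references`. The LAPS link change from the download-center URL `https://www.microsoft.com/download/details.aspx?id=46899` to `/windows-server/identity/laps/laps-overview` is the right move: a reader deciding how to randomize local administrator passwords needs the overview, not a download page.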
@ -1,16 +1,11 @@
---
title: Additional mitigations
description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.technology: itpro-security
ms.topic: article
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---
# Additional mitigations
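Review bot: in the new `appliesto` entries the `href` and `target` attribute values are unquoted (`<a href=https://... target=_blank>`), and the Windows Server URL keeps an `/en-us/` locale segment while the Windows client URL does not; quote both attributes and drop the locale segment so the link follows the reader's locale like its sibling. `ms.date: 08/17/2017` is carried over unchanged although this commit edits the body; bump it.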
@ -27,21 +22,21 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,

**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**

- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.

### Protecting domain-joined device secrets

Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.

Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
    - KDC EKU present
    - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
    - KDC EKU present
    - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.

#### Deploying domain-joined device certificates

@ -74,54 +69,54 @@ CertReq -EnrollCredGuardCert MachineAuthentication

> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.


#### How a certificate issuance policy can be used for access control

Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) on TechNet.

**To see the issuance policies available**

- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
    From a Windows PowerShell command prompt, run the following command:
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.\
    From a Windows PowerShell command prompt, run the following command:

    ```powershell
    .\get-IssuancePolicy.ps1 –LinkedToGroup:All
    ```
    ```powershell
    .\get-IssuancePolicy.ps1 -LinkedToGroup:All
    ```

**To link an issuance policy to a universal security group**

- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
    From a Windows PowerShell command prompt, run the following command:
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.\
    From a Windows PowerShell command prompt, run the following command:

    ```powershell
    .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
    ```
    ```powershell
    .\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"<name of issuance policy>" -groupOU:"<Name of OU to create>" -groupName:"<name of Universal security group to create>"
    ```

### Restricting user sign-on

So we now have completed the following:

- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.

Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
- User accounts are in a Windows Server 2012 domain functional level or higher domain.

**Creating an authentication policy restricting users to the specific universal security group**

1. Open Active Directory Administrative Center.
2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
3. In the **Display name** box, enter a name for this authentication policy.
4. Under the **Accounts** heading, click **Add**.
5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
6. Under the **User Sign On** heading, click the **Edit** button.
7. Click **Add a condition**.
8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
10. Click **OK** to close the **Edit Access Control Conditions** box.
11. Click **OK** to create the authentication policy.
12. Close Active Directory Administrative Center.
1. Open Active Directory Administrative Center.
1. Click **Authentication**, click **New**, and then click **Authentication Policy**.
1. In the **Display name** box, enter a name for this authentication policy.
1. Under the **Accounts** heading, click **Add**.
1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
1. Under the **User Sign On** heading, click the **Edit** button.
1. Click **Add a condition**.
1. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
1. Click **OK** to close the **Edit Access Control Conditions** box.
1. Click **OK** to create the authentication policy.
1. Close Active Directory Administrative Center.

> [!NOTE]
|
||||
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
|
||||
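Review bot: the renumbered procedure never tells the reader where to choose between auditing and enforcing, even though the closing note says to "first only audit policy restrictions". As written, someone who follows the twelve steps and clicks the final **OK** gets an enforced policy, and per that same note every device without a certificate carrying the issuance policy is then blocked from signing on. Add a step before step 11 that selects the audit-only option in the policy (the note's own wording, "only audit policy restrictions"), and say what to look for and when to switch the policy to enforcement.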
@ -326,7 +321,7 @@ write-host "There are no issuance policies which are not mapped to groups"
```
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.


### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group

Save the script file as set-IssuancePolicyToGroupLink.ps1.
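Review bot: the note "try replacing the single quote after the ConvertFrom-StringData parameter" doesn't say what to replace the quote with, so a reader who hits the error cannot act on it. If the problem being described is a typographic quote picked up when the script is copied from the rendered page, say so and name the replacement explicitly: a plain ASCII single quote (`'`). The identical sentence recurs after the second script below (the hunk starting at line 607) and should get the same wording.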
@ -607,4 +602,4 @@ write-host $tmp -Foreground Red
```

> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
@ -1,22 +1,11 @@
---
title: Advice while using Windows Defender Credential Guard (Windows)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/31/2017
ms.topic: article
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# Considerations when using Windows Defender Credential Guard
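Review bot: the two new `appliesto` links are inconsistent about locale. The client link points at `https://learn.microsoft.com/windows/release-health/supported-versions-windows-client`, which follows the reader's locale, while the server link hard-codes `/en-us/` in `https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info`; drop `en-us` from the second so both behave the same for localized readers. While touching these lines, quote the attribute values (`href="..."` and `target="_blank"`) to match the quoted `href` used elsewhere in this change (`<a href="" id="bkmk-setscript">`).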
@ -97,4 +86,4 @@ When data protected with user DPAPI is unusable, then the user loses access to a

**Related videos**

[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
@ -1,22 +1,11 @@
---
title: How Windows Defender Credential Guard works
description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.topic: conceptual
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# How Windows Defender Credential Guard works
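Review bot: `ms.topic` changes from `article` to `conceptual` in this file, while the "Advice while using Windows Defender Credential Guard" page edited just above keeps `ms.topic: article` after the same metadata cleanup; confirm the difference is intentional or align the two pages. The server `appliesto` link here also hard-codes `/en-us/` while the client link does not, the same inconsistency as in the previous file.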
@ -1,66 +1,68 @@
---
title: Windows Defender Credential Guard - Known issues (Windows)
title: Windows Defender Credential Guard - Known issues
description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 01/26/2022
ms.date: 11/28/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---
# Windows Defender Credential Guard: Known issues

Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).

The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2**

- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
### Symptoms of the issue:
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running.

```console
Task Scheduler failed to log on '\Test'.
Failure occurred in 'LogonUserExEx'.
User Action: Ensure the credentials for the task are correctly specified.
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
```
### Affected devices:
Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements).

\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement.

- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
> [!TIP]
> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading:
> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard).

```console
Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004
Task Category: Auditing NTLM
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: <Secure Channel Name>
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
```
### Why this is happening:
Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include:
- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
- MS-CHAP (only SSO is blocked)
- WDigest (only SSO is blocked)
- NTLM v1 (only SSO is blocked)

Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.

- This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
> [!NOTE]
> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error:
>
> **Event ID 4013** (Warning)
> ```
> <string
> id="NTLMv1BlockedByCredGuard"
> value="Attempt to use NTLMv1 failed.
> Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826."
> />
> ```
>
> **Event ID 4014** (Error)
> ```
> <string
> id="NTLMGetCredentialKeyBlockedByCredGuard"
> value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2"
> />
> ```

The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
### Options to fix the issue:

- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication.

This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring.

- [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
- [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
> [!TIP]
> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM.

## Known issues involving third-party applications

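Review bot: the pre-upgrade check in the new TIP, "Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`", is ambiguous about what the reader is looking for: it calls `IsolatedCredentialsRootSecret` a key but says it is "present in" `MSV1_0`, and a subkey and a value are checked differently (`Get-ChildItem` versus `Get-ItemProperty` on the `MSV1_0` path). State which it is, and drop the `Computer\` prefix, which is Registry Editor's display root rather than part of any path that can be pasted into a script or reg query. One smaller item in the same hunk: "Affected procols include:" should read "protocols".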
@ -112,3 +114,45 @@ Windows Defender Credential Guard isn't supported by the following products, pro
This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.

Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.

## Previous known issues that have been fixed

The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):

- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:

```console
Task Scheduler failed to log on '\Test'.
Failure occurred in 'LogonUserExEx'.
User Action: Ensure the credentials for the task are correctly specified.
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
```

- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:

```console
Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004
Task Category: Auditing NTLM
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: <Secure Channel Name>
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
```

- This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.

The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:

- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)

This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:

- [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
- [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
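Review bot: the Task Scheduler message moved into "Previous known issues that have been fixed" still contains `ERROR\_LOGON\_FAILURE` inside a ```console fence, where Markdown escapes are not processed, so readers see the backslashes as part of the error text; since the block is being relocated anyway, change it to `ERROR_LOGON_FAILURE`. The same moved text also presents the three trailing bullets ("This event stems from...", "The username appears...", "As a workaround...") at the same level as the two issue bullets, although they explain only the Event ID 8004 item; indent them under that item so the scheduled-task issue and the NTLM audit issue read as two separate entries.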
@ -1,32 +1,22 @@
---
title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
ms.date: 11/23/2022
ms.collection:
- highpri
ms.topic: article
ms.custom:
- CI 120967
- CSSTroubleshooting
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# Manage Windows Defender Credential Guard

## Default Enablement

Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.

Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).

### Requirements for automatic enablement

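Review bot: the "Default Enablement" paragraph touched by this hunk keeps the sentence "This feature changes the default state of the feature in Windows", which is circular and adds nothing to the sentence before it. Since the line is already being rewritten, drop it, or replace it with the one point it seems meant to carry: that the new default applies only to "compatible systems", with a pointer to the "Requirements for automatic enablement" section that follows.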
@ -1,22 +1,11 @@
---
title: Windows Defender Credential Guard protection limits & mitigations (Windows)
description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# Windows Defender Credential Guard protection limits and mitigations
@ -26,16 +15,16 @@ in the Deep Dive into Windows Defender Credential Guard video series.

Some ways to store credentials are not protected by Windows Defender Credential Guard, including:

- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
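Review bot: the stray trailing hyphen in "...these same credentials are vulnerable to key loggers as well.-" survives the re-indentation of this list unchanged (it is in both the old and the new NTLM bullet); remove it while the line is being touched. The last item is also broken mid-sentence: "Windows logon cached password verifiers (commonly called "cached credentials")" ends the bullet and "do not qualify as credentials because..." starts on its own line, so it renders as a separate paragraph detached from its subject; join the two onto one bullet line.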
@ -54,21 +43,21 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,

**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**

- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.

#### Protecting domain-joined device secrets

Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.

Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.

##### Deploying domain-joined device certificates

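Review bot: the two requirement lists re-indented in this hunk state their baseline differently: the Kerberos armoring list says users "need to be in domains that are running Windows Server 2012 R2 or higher", while the device-certificate list says "Devices' accounts are in Windows Server 2012 domain functional level or higher". If the difference is deliberate (a higher requirement for the authentication-policy scenario than for device certificate authentication), phrase both as a domain functional level and say so in a short parenthetical; if it is not, align them. As written, a reader cannot tell whether "domains that are running Windows Server 2012 R2" refers to the domain functional level or to the domain controllers' OS version.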
@ -78,17 +67,17 @@ For example, let's say you wanted to use the High Assurance policy only on these

**Creating a new certificate template**

1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
3. Right-click the new template, and then click **Properties**.
4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
5. Click **Client Authentication**, and then click **Remove**.
6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
- Name: Kerberos Client Auth
- Object Identifier: 1.3.6.1.5.2.3.4
7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
8. Under **Issuance Policies**, click**High Assurance**.
9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
1. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
1. Right-click the new template, and then click **Properties**.
1. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
1. Click **Client Authentication**, and then click **Remove**.
1. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
- Name: Kerberos Client Auth
- Object Identifier: 1.3.6.1.5.2.3.4
1. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
1. Under **Issuance Policies**, click**High Assurance**.
1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.

Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.

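Review bot: the "Under **Issuance Policies**" step still reads `click**High Assurance**` with no space before the bold text in both the old and the renumbered list, so it renders literally as `click**High Assurance**`; since every line of the list is being rewritten to `1.` numbering anyway, fix it to `click **High Assurance**`. In the same pass, move the period out of the bold in step 1 (`click **Manage**.` rather than `click **Manage.**`) to match the other steps.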
@ -101,15 +90,15 @@ CertReq -EnrollCredGuardCert MachineAuthentication

> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.


##### How a certificate issuance policy can be used for access control

Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) on TechNet.

**To see the issuance policies available**

- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.\
From a Windows PowerShell command prompt, run the following command:

```powershell
.\get-IssuancePolicy.ps1 –LinkedToGroup:All
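Review bot: the trailing backslash added to the get-IssuancePolicy.ps1 bullet forces a hard line break, but the continuation line `From a Windows PowerShell command prompt, run the following command:` is still not indented under the list item, so renderers that require indentation for lazy continuation will still close the list before it; indent the continuation two spaces (or make it its own paragraph) instead of relying on the backslash. Separately, the command shown in the fenced block uses an en dash in `–LinkedToGroup:All`; PowerShell does accept en and em dashes as parameter prefixes, but a plain ASCII hyphen (`-LinkedToGroup:All`) is the safe form for copy and paste into other editors and shells.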
@ -117,7 +106,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro

**To link an issuance policy to a universal security group**

- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:

```powershell
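Review bot: the set-IssuancePolicyToGroupLink.ps1 bullet is identical before and after as rendered here, so this is presumably a whitespace-only change; but unlike the get-IssuancePolicy.ps1 bullet in the hunk above, the `From a Windows PowerShell command prompt, run the following command:` line here gets neither a trailing backslash nor indentation, so the two otherwise parallel sections will render differently. Use the same construction in both places.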
@ -128,12 +117,12 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro

So we now have completed the following:

- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.

Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
- User accounts are in a Windows Server 2012 domain functional level or higher domain.

**Creating an authentication policy restricting users to the specific universal security group**

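Review bot: the third bullet folds the transition sentences `Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.` into the list item, so the list of completed steps ends with a statement about what is not yet done; since these lines are being rewritten anyway, move those two sentences into their own paragraph after the list. Also, `Authentication policies have the following requirements:` introduces a single-item list; either fold the one requirement into the sentence or add the other requirements.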
@ -357,7 +346,7 @@ write-host "There are no issuance policies which are not mapped to groups"
```
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.


#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group

Save the script file as set-IssuancePolicyToGroupLink.ps1.

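Review bot: the note `try replacing the single quote after the ConvertFrom-StringData parameter` never says what to replace the quote with, so a reader who hits the problem still cannot fix it; state the replacement explicitly (a straight ASCII `'`, if the failure is a typographic quote introduced when the script is copied from the rendered page), and ideally say which error message indicates this problem.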
@ -644,4 +633,4 @@ write-host $tmp -Foreground Red

**Deep Dive into Windows Defender Credential Guard: Related videos**

[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

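Review bot: the only line touched in this hunk, the `Protecting privileged users with Windows Defender Credential Guard` link, is identical before and after as rendered, so this is presumably whitespace only; while it is being touched, verify that the mva.microsoft.com target still resolves, since Microsoft Virtual Academy content has been retired, and replace or drop the link if it does not.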
@ -1,41 +1,30 @@
---
title: Windows Defender Credential Guard protection limits (Windows)
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.topic: article
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---
# Windows Defender Credential Guard protection limits

Some ways to store credentials are not protected by Windows Defender Credential Guard, including:

- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.-
- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available.
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS.
- Key loggers
- Physical attacks
- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.-
- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available.

## See also

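Review bot: the stray `-` at the end of `These same credentials are vulnerable to key loggers as well.-` survives in both the old and the new version of that bullet; drop it while the list is being rewritten. Two more points in the same hunk: the `Windows logon cached password verifiers (commonly called "cached credentials")` bullet is split so that `don't qualify as credentials ...` starts on its own unindented line, which renders as a separate paragraph rather than the rest of the bullet (join the lines or indent the continuation); and `ms.date: 08/17/2017` is unchanged even though the body text changes (the Windows Server 2016 wording and the `*cached logons*` italics), so the date should be bumped. Finally, the new `appliesto` entry for Windows Server links to a `/en-us/` URL while the Windows client entry on the line above is locale-neutral; drop `en-us` for consistency.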
@ -1,26 +1,14 @@
---
title: Windows Defender Credential Guard Requirements (Windows)
title: Windows Defender Credential Guard requirements
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
ms.topic: article
ms.date: 12/27/2021
ms.topic: article
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# Windows Defender Credential Guard: Requirements
# Windows Defender Credential Guard requirements

For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).

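Review bot: the title and H1 change (`Windows Defender Credential Guard Requirements (Windows)` and `Windows Defender Credential Guard: Requirements` become `Windows Defender Credential Guard requirements`) while `ms.date: 12/27/2021` is left as is; bump the date with the content change. The Windows Server `appliesto` link uses the locale-specific `https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info` while the Windows client link above it is locale-neutral; drop `en-us`. Minor: the intro paragraph still refers to hardware and firmware options available in 2015, 2016, and 2017, which reads as stale next to an `appliesto` of Windows 10 and later and Windows Server 2016 and later.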
@ -1,23 +1,20 @@
---
title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.technology: itpro-security
ms.date: 11/22/2022
ms.topic: reference
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies
# Windows Defender Credential Guard: scripts for certificate authority issuance policies

Here is a list of scripts mentioned in this topic.
Expand each section to see the PowerShell scripts:

## <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
<br>
<details>
<summary><b>Get the available issuance policies on the certificate authority</b></summary>

Save this script file as get-IssuancePolicy.ps1.

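Review bot: replacing the `## <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority` heading with a `<details>`/`<summary>` block drops the `bkmk-getscript` anchor, and the replacement `<details>` carries no id, so any inbound link to `credential-guard-scripts.md#bkmk-getscript` (the considerations article in this same change uses identically named `#bkmk-getscript`/`#bkmk-setscript` anchors for its inline copies of these scripts) will stop resolving to the script. Either keep an `<a id="bkmk-getscript"></a>` next to the `<details>` element or put the id on it (`<details id="bkmk-getscript">`), and grep for inbound links before removing the ids. Smaller point: the `<br>` before `<details>` is spacing by markup; a blank line does the same without the stray element.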
@ -207,8 +204,12 @@ write-host "There are no issuance policies which are not mapped to groups"
```
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.

## <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group

</details>

<br>
<details>
<summary><b>Link an issuance policy to a group</b></summary>

Save the script file as set-IssuancePolicyToGroupLink.ps1.

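Review bot: same anchor concern for `bkmk-setscript`: the `## <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group` heading is removed and the new `<details>` has no id, so an inbound link to `#bkmk-setscript` on this page no longer lands on the script; keep an `<a id="bkmk-setscript"></a>` or set the id on the `<details>` element. Note also that the `</details>` is placed after the single-quote note, so the note is only visible once the reader expands the first section; that is fine as long as it is intentional, since the note is about running the script that sits inside the same collapsed block.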
@ -489,3 +490,5 @@ write-host $tmp -Foreground Red

> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.

</details>

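Review bot: the added note repeats the `try replacing the single quote after the ConvertFrom-StringData parameter` wording from the first script verbatim, and like that one it does not say what the quote should be replaced with; state the replacement explicitly (a straight ASCII `'`, if the issue is a typographic quote picked up when the script is copied from the rendered page), or state the problem once above both scripts instead of twice.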
@ -1,24 +1,13 @@
|
||||
---
|
||||
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
|
||||
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: erikdau
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- M365-identity-device-management
|
||||
- highpri
|
||||
ms.date: 11/22/2022
|
||||
ms.topic: article
|
||||
ms.date: 03/10/2022
|
||||
ms.collection:
|
||||
- highpri
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
ms.technology: itpro-security
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
|
||||
---
|
||||
|
||||
# Protect derived domain credentials with Windows Defender Credential Guard
|
||||
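Review bot: as rendered here the front matter shows `ms.collection:` twice (once followed by `- M365-identity-device-management` and `- highpri`, once by `- highpri` alone) and two `ms.date` values (`11/22/2022` and `03/10/2022`); the old/new markers are lost in this rendering, so please confirm the merged file ends up with exactly one `ms.collection` key and one `ms.date`, because a duplicate YAML key is either a build error or a silent override of the first value. As on the other pages in this change, the Windows Server `appliesto` link uses a locale-specific `/en-us/` URL while the Windows client link does not.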
@ -27,11 +16,13 @@ Windows Defender Credential Guard uses virtualization-based security to isolate

By enabling Windows Defender Credential Guard, the following features and solutions are provided:

- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures.
- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures.

> [!NOTE]
> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).


## Related topics

- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)

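Review bot: the three bullets are rewritten but still run the bold label straight into the sentence (`**Hardware security** NTLM, Kerberos, and Credential Manager ...`); add a colon or period after each label so it reads as a label rather than the subject of the sentence. In the new note, the second link anchors to one specific issue (`#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2`) while the sentence promises `known issues related to default enablement` in general; link to the known-issues page or to a section that lists them unless that single issue is the only one. `all devices which meet` should be `all devices that meet`.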
@ -1,21 +1,11 @@
---
title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
ms.date: 11/22/2022
ms.topic: reference
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool

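Review bot: the `<a href=... target=_blank>` entries added under `appliesto` leave the `href` and `target` attribute values unquoted; quote them (`href="..." target="_blank"`) so the markup stays valid if a URL ever contains a character that ends an unquoted value, and add `rel="noopener"` alongside `target="_blank"` as the usual hygiene for links that open a new browsing context. Adding `ms.date: 11/22/2022` where the old front matter had no date is good; the Windows Server link's `/en-us/` path should be made locale-neutral like the Windows client link above it.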
@ -341,4 +341,4 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti

## The road ahead

The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback).
The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdlessQA@microsoft.com](mailto:pwdlessQA@microsoft.com?subject=Passwordless%20Feedback).

@ -1,24 +1,14 @@
---
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/23/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---

# How User Account Control works
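Review bot: `ms.date: 09/23/2021` is left unchanged although the body of this page changes in the later hunks (the `Windows 10 or Windows 11` wording is generalized to `Windows`); bump the date. The title keeps the `(Windows)` suffix that the Credential Guard requirements page drops in this same change; pick one convention for the titles. The Windows Server `appliesto` link uses a locale-specific `/en-us/` URL while the Windows client link does not.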
@ -27,7 +17,7 @@ User Account Control (UAC) is a fundamental component of Microsoft's overall sec

## UAC process and interactions

Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.

To better understand how this process happens, let's look at the Windows logon process.

@ -41,17 +31,17 @@ By default, standard users and administrators access resources and run apps in t

When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.

A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).

### The UAC User Experience

When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows, is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.

The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.

**The consent and credential prompts**

With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
With UAC enabled, Windows prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.

**The consent prompt**

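Review bot: the rewrite of `The recommended and more secure method of running Windows 10 or Windows 11 is to make ...` introduces a stray comma (`running Windows, is to make your primary user account ...`); drop the comma. While the consent-and-credential paragraph is being touched, `This prompt ensures that no malicious software can be silently installed` overstates what the preceding sentence describes: the prompt fires only for a program or task that requires a full administrator access token, so narrow the claim to software that needs administrator rights rather than all software.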
@ -69,18 +59,18 @@ The following is an example of the UAC credential prompt.
|
||||
|
||||
**UAC elevation prompts**
|
||||
|
||||
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
|
||||
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
|
||||
|
||||
The elevation prompt color-coding is as follows:
|
||||
|
||||
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
|
||||
- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
|
||||
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
|
||||
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
|
||||
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
|
||||
- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
**Shield icon**
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screenshot of the **Date and Time Properties** Control Panel item.
:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
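Review bot: the rewritten paragraph (ending "which color elevation prompt to present to the user") still reads "enabling for immediate identification"; since the line is being touched, drop the stray "for". The same sentence keeps "Windows 10 or Windows 11" as one of the three publisher categories right after the edit replaced that phrase with plain "Windows" earlier in the sentence; apply the same treatment there for consistency. The color list below names four prompt styles while the paragraph introduces three app categories; a short sentence saying that the red prompt applies to blocked apps regardless of category would reconcile the two.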
@ -88,7 +78,7 @@ The shield icon on the **Change date and time** button indicates that the proces
**Securing the elevation prompt**
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
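Review bot: the before and after versions of the secure desktop paragraph are textually identical, so this hunk is a whitespace-only change (likely trailing whitespace); confirm that is intended rather than a lost edit. If the line is being touched anyway, "When the user clicks **Yes** or **No**" could become "selects" to match the "select" wording used in the other files of this PR.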
@ -134,9 +124,9 @@ To better understand each component, review the table below:
The slider will never turn UAC completely off. If you set it to **Never notify**, it will:
- Keep the UAC service running.
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
- Automatically deny all elevation requests for standard users.
- Keep the UAC service running.
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
- Automatically deny all elevation requests for standard users.
> [!IMPORTANT]
> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
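Review bot: "Cause all elevation request initiated by administrators to be auto-approved" should read "requests"; the before and after bullets are otherwise identical, so this hunk is a whitespace-only change and the plural can be fixed in the same line. The IMPORTANT note could also name the slider behaviour it contrasts with: even at **Never notify** standard-user elevation requests are denied outright, which is the practical reason the slider alone cannot be used to disable UAC.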
@ -148,17 +138,17 @@ The slider will never turn UAC completely off. If you set it to **Never notify**
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
Virtualization is not an option in the following scenarios:
- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
### Request execution levels
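Review bot: good fix on "administrative apps that is" to "administrative app that is". For consistency with the earlier hunk in this file that replaced "Windows 10 or Windows 11" with plain "Windows", the opening "Windows 10 and Windows 11 include file and registry virtualization technology" could get the same treatment. The three repeated bullets ("Virtualization does not apply to apps that are elevated...", "Virtualization supports only 32-bit apps...", "Virtualization is disabled if the app includes an app manifest...") show no textual difference, so those are whitespace-only changes.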
@ -168,22 +158,22 @@ All UAC-compliant apps should have a requested execution level added to the appl
### Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:
- 32-bit executable files.
- Applications without a requested execution level attribute.
- Interactive processes running as a standard user with UAC enabled.
- 32-bit executable files.
- Applications without a requested execution level attribute.
- Interactive processes running as a standard user with UAC enabled.
Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
- The file name includes keywords such as "install," "setup," or "update."
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest are embedded in the executable file.
- Keywords in specific StringTable entries are linked in the executable file.
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
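Review bot: the installer detection paragraph is repeated unchanged, and "These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users..." still carries the stray phrase "in Installer detection technology" (the section heading leaked into the sentence); drop it. In the same paragraph, "Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials" needs "request" to agree with the plural subject. The bullet "Installer detection only applies to ... Interactive processes running as a standard user with UAC enabled" is worth keeping close to the heuristics list, since it explains why a non-interactive or already-elevated process never triggers the prompt.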
@ -1,24 +1,13 @@
---
title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---
# User Account Control Group Policy and registry key settings
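Review bot: the new appliesto entries use unquoted HTML attributes (`<a href=https://learn.microsoft.com/... target=_blank>`); quote them (`href="..." target="_blank"`) so the markup stays valid if a URL ever contains a character that terminates an unquoted attribute. The two links are also inconsistent about locale: one points at `learn.microsoft.com/windows/...` and the other at `learn.microsoft.com/en-us/windows/...`; drop `en-us` so both follow the reader's locale. `ms.date: 04/19/2017` is not bumped even though the frontmatter changed.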
@ -1,24 +1,13 @@
---
title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
ms.prod: windows-client
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.date: 09/24/2011
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---
# User Account Control
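Review bot: same markup issue as the other appliesto rewrites in this PR: the `<a href=... target=_blank>` entries should quote their attribute values, and the second link carries a hard-coded `en-us` locale segment while the first does not. `ms.date: 09/24/2011` is over a decade old and should be updated along with this frontmatter change.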
@ -1,23 +1,11 @@
---
title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
ms.technology: itpro-security
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
---
# User Account Control security policy settings
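Review bot: the appliesto links here repeat the pattern used in the other UAC frontmatter files: unquoted `href=` and `target=_blank` attribute values, and an `en-us` locale segment in the Windows Server link only. Quote the attributes and drop `en-us` so the three files stay identical, and bump `ms.date: 09/24/2021` since the frontmatter changed.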
@ -2,7 +2,7 @@
metadata:
title: Advanced security auditing FAQ (Windows 10)
description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
ms.prod: m365-security
ms.prod: windows-client
ms.technology: mde
ms.localizationpriority: none
author: dansimp
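Review bot: `ms.prod` moves from `m365-security` to `windows-client`, but `ms.technology: mde` is left in place; the other files in this PR pair `ms.prod: windows-client` with `ms.technology: itpro-security`, so check whether this file should be updated the same way rather than carrying a Defender for Endpoint technology tag under the Windows client product.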
@ -87,17 +87,17 @@
href: merge-windows-defender-application-control-policies.md
- name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md
- name: Use code signing to simplify application control for classic Windows applications
- name: Use code signing for added control and protection with WDAC
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items:
- name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
- name: Deploy catalog files to support WDAC
href: deploy-catalog-files-to-support-windows-defender-application-control.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- name: "Optional: Use the Device Guard Signing Service v2"
href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- name: "Optional: Create a code signing cert for WDAC"
href: create-code-signing-cert-for-windows-defender-application-control.md
- name: Deploy catalog files to support WDAC
href: deploy-catalog-files-to-support-windows-defender-application-control.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- name: Disable WDAC policies
href: disable-windows-defender-application-control-policies.md
- name: LOB Win32 Apps on S Mode
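Review bot: the renamed entry "Use code signing for added control and protection with WDAC" keeps the href `use-code-signing-to-simplify-application-control-for-classic-windows-applications.md`, and "Optional: Use the Device Guard Signing Service v2" keeps `use-device-guard-signing-portal-in-microsoft-store-for-business.md`; that works, but confirm the target pages' H1 titles were renamed to match so TOC and page agree. "Deploy catalog files to support WDAC" and "Use signed policies to protect..." now appear directly after `items:`, which makes them children of the code signing node; the rendered diff does not show indentation, so confirm that nesting is intentional.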
@ -115,7 +115,7 @@
href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide
href: configure-wdac-managed-installer.md
- name: Managing WDAC Policies with CI Tool
- name: CITool.exe technical reference
href: operations/citool-commands.md
- name: WDAC AppId Tagging guide
href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
@ -9,12 +9,13 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: conceptual
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 02/28/2018
ms.date: 12/01/2022
ms.technology: itpro-security
---
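Review bot: `ms.reviewer` is changed to `jogeurte` here, while the deploy-catalog-files frontmatter in this same PR uses `jgeurten`; one of the two aliases is likely a typo and they should be reconciled before merge.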
@ -29,18 +30,17 @@ ms.technology: itpro-security
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
> When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
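Review bot: in the new bullet "Use RSA keys with 2K, 3K, or 4K key size only", state the sizes in bits (2048, 3072 or 4096) so "2K" cannot be read as 2000; the dropped "Keys must be less than or equal to 4K key size" bullet is now subsumed by this one, which is fine. The new digest bullet says SHA-384 and SHA-512 work on Windows 11 and on Windows 10 / Windows Server 2019 after the November 2022 update while "all other devices only support SHA-256"; say explicitly whether signing with SHA-384/512 for an unsupported device falls under the boot-failure warning this list sits in, since that is the practical reason to default to SHA-256 for a mixed fleet. Minor: in the rewritten lead-in "When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur..." the mid-sentence "Boot" should be lowercase.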
@ -86,7 +86,7 @@ When this certificate template has been created, you must publish it to the CA p
2. Select the WDAC Catalog signing certificate, and then select **OK**.
Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
Now that the template is available to be issued, you must request one from the computer running Windows 10 or Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
1. In MMC, from the **File** menu, select **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
@ -100,7 +100,7 @@ Now that the template is available to be issued, you must request one from the c
Figure 4. Get more information for your code signing certificate
5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, select **ContosoDGSigningCert**, and then select **Add**. When added, select **OK.**
5. In the **Certificate Properties** dialog box, for **Type**, select **Common name**. For **Value**, specify a meaningful name for your certificate (in this example, we select **$ContosoSigningCert**), and then select **Add**. When added, select **OK.**
6. Enroll and finish.
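Review bot: the example common name `$ContosoSigningCert` carries a leading `$`, which reads like a PowerShell variable sigil rather than a value typed into the **Certificate Properties** dialog; use `ContosoSigningCert` or explain the `$`. The export step later in this file still names the file `WDACCatSigningCert.pfx`, so consider aligning the two example names so a reader can follow one certificate through the whole procedure.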
@ -118,9 +118,3 @@ This certificate must be installed in the user's personal store on the computer
4. Set a password, select an export path, and then select **WDACCatSigningCert.pfx** as the file name.
When the certificate has been exported, import it into the personal store for the user who will be signing the catalog files or code integrity policies on the specific computer that will be signing them.
## Related topics
- [Windows Defender Application Control](windows-defender-application-control.md)
- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
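Review bot: the "## Related topics" block with the links to windows-defender-application-control.md and windows-defender-application-control-deployment-guide.md is removed in this hunk; the intro paragraph still links to the deployment guide, but the link to the WDAC overview page disappears from this file, so check that it remains reachable from the TOC before dropping it.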
@ -9,12 +9,13 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: conceptual
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jgeurten
ms.author: vinpa
manager: aaroncz
ms.date: 02/28/2018
ms.date: 11/30/2022
ms.technology: itpro-security
---
@ -22,62 +23,62 @@ ms.technology: itpro-security
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
*Catalog files* can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. You can also use catalog files to add your own signature to apps you get from independent software vendors (ISV) when you don't want to trust all code signed by that ISV. In this way, catalog files provide a convenient way for you to "bless" apps for use in your WDAC-managed environment. And, you can create catalog files for existing apps without requiring access to the original source code or needing any expensive repackaging.
## Create catalog files
You'll need to [obtain a code signing certificate for your own use](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications#obtain-code-signing-certificates-for-your-own-use) and use it to sign the catalog file. Then, distribute the signed catalog file using your preferred content deployment mechanism.
The creation of a catalog file simplifies the steps to run unsigned applications in the presence of a Windows Defender Application Control policy.
Finally, add a signer rule to your WDAC policy for your signing certificate. Then, any apps covered by your signed catalog files will be able to run, even if the apps were previously unsigned. With this foundation, you can more easily build a WDAC policy that blocks all unsigned code (most malware is unsigned).
To create a catalog file, you use a tool called **Package Inspector**. You must also have a WDAC policy deployed in audit mode on the computer on which you run Package Inspector, so that Package Inspector can include any temporary installation files that are added and then removed from the computer during the installation process.
## Create catalog files using Package Inspector
> [!NOTE]
> When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention.
To create a catalog file for an existing app, you can use a tool called **Package Inspector** that comes with Windows.
1. Be sure that a Windows Defender Application Control policy is currently deployed in audit mode on the computer on which you'll run Package Inspector.
Package Inspector doesn't always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode.
1. Apply a WDAC policy in **audit mode** to the computer where you'll run Package Inspector. Package Inspector will use audit events to include hashes in the catalog file for any temporary installation files that are added and then removed from the computer during the installation process. The audit mode policy should **not** allow the app's binaries or you may miss some critical files that are needed in the catalog file.
> [!NOTE]
> This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it.
> You won't be able to complete this process if it's done on a system with an enforced WDAC policy, unless the enforced policy already allows the app to run.
2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
You can use this PowerShell sample to make a copy of the DefaultWindows_Audit.xml template:
```powershell
Copy-Item -Path $env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml -Destination $env:USERPROFILE\Desktop\
$PolicyId = Set-CIPolicyIdInfo -FilePath $env:USERPROFILE\Desktop\DefaultWindows_Audit.xml -PolicyName "Package Inspector Audit Policy" -ResetPolicyID
$PolicyBinary = $env:USERPROFILE+"\Desktop\"+$PolicyId.substring(11)+".cip"
```
Then apply the policy as described in [Deploy WDAC policies with script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script).
2. Start Package Inspector to monitor file creation on a **local drive** where you'll install the app, for example, drive C:
```powershell
PackageInspector.exe Start C:
```
> [!NOTE]
> Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
3. Copy the installation media to the local drive (typically drive C).
By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future WDAC policy may allow the application to run but not to be installed.
4. Install the application. Install it to the same drive that the application installer is located on (the drive you're scanning). Also, while Package Inspector is running, don't run any installations or updates that you don't want to capture in the catalog.
> [!IMPORTANT]
> Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time.
> Every file that is written to the drive you are watching with Package Inspector will be included in the catalog that is created. Be aware of any other processes that may be running and creating files on the drive.
5. Start the application.
3. Copy the installation media to the drive you're watching with Package Inspector, so that the actual installer is included in the final catalog file. If you skip this step, you may allow the *app* to run, but not actually be able to install it.
6. Ensure that product updates are installed, and downloadable content associated with the application is downloaded.
4. Install the app.
7. Close and reopen the application.
5. Start the app to ensure that files created on initial launch are included in your catalog file.
This step is necessary to ensure that the scan has captured all binaries.
8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it's updated, and then close and reopen the application.
6. Use the app as you would normally, so that files created during normal use are included in your catalog file. For example, some apps may download more files on first use of a feature within the app. Be sure to also check for app updates if the app has that capability.
9. When you've confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate.
7. Close and reopen the application to ensure that the scan has captured all binaries.
For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
8. As appropriate, with Package Inspector still running, repeat the steps above for any other apps that you want to include in the catalog.
9. When you've confirmed that the previous steps are complete, use the following commands to stop Package Inspector. A catalog file and catalog definition file will be created in the specified location. Use a naming convention for your catalog files to make it easier to manage your deployed catalog files over time. The filenames used in this example are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file).
For the last command, which stops Package Inspector, be sure to specify the same local drive you've been watching with Package Inspector, for example, C:.
```powershell
$ExamplePath=$env:userprofile+"\Desktop"
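Review bot: the rewritten IMPORTANT note ("Every file that is written to the drive you are watching with Package Inspector will be included in the catalog...") drops the old explicit instruction to ensure that only trusted applications are run during the capture; keep that sentence, because every hash captured in the window is trusted once the catalog is signed and a signer rule for your certificate is added to the policy, so any unrelated process writing executables to the drive during capture ends up allow-listed. In the new PowerShell sample, `$PolicyBinary` is computed from `$PolicyId.substring(11)` but nothing produces the .cip file before the text says "Then apply the policy"; add a `ConvertFrom-CIPolicy -XmlFilePath $env:USERPROFILE\Desktop\DefaultWindows_Audit.xml -BinaryFilePath $PolicyBinary` line (or say that the linked deployment article performs the conversion), and a one-line comment on why `substring(11)` is applied to the value returned by `Set-CIPolicyIdInfo -ResetPolicyID` would save readers a trip to the cmdlet reference. The new step 1 text "The audit mode policy should **not** allow the app's binaries" is a useful addition; consider stating the consequence in the same sentence (files the policy already allows produce no audit events, so they are absent from the catalog).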
@ -87,42 +88,33 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
```
>[!NOTE]
>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
>Package Inspector catalogs the hash values for each discovered file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
When finished, the files will be saved to your desktop. You can view the \*.cdf file with a text editor and see what files were included by Package Inspector. You can also double-click the \*.cat file to see its contents and check for a specific file hash.
To trust the contents of the catalog file within a WDAC policy, the catalog must first be signed. Then, the signing certificate can be added to the WDAC policy, and the catalog file can be distributed to the individual client computers.
## Sign your Catalog file
### Resolving package failures
Now that you've created a catalog file for your app, you're ready to sign it.
Packages can fail for the following reasons:
### Catalog signing with Device Guard Signing Service v2 (DGSS)
- Package is too large for default USN Journal or Event Log sizes
- To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start)
- `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
- ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow
- For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
- To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
- To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
- Package files that change hash each time the package is installed
- Package Inspector is incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this hash-change by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package won't work with Package Inspector
- Files with an invalid signature blob or otherwise "unhashable" files
- This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
- Windows Defender Application Control uses Authenticode Hashes to validate files when they're running. If the file is unhashable via the authenticode SIP, there's no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it)
- Recent versions of InstallShield packages that use custom actions can hit this condition. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector)
If you have an existing Microsoft Store for Business and Education account, you can use the DGSS to sign your catalog files. See [Submit-SigningJob](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#submit-signingjob).
## Catalog signing with SignTool.exe
### Catalog signing with SignTool.exe
To sign a catalog file you generated by using PackageInspector.exe, you need:
If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can use SignTool.exe to sign your catalog files.
- SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later)
<br>
<details>
<summary>Expand this section for detailed instructions on signing catalog files with signtool.exe.</summary>
- The catalog file that you generated previously
You need:
- An internal certification authority (CA) code signing certificate or purchased code signing certificate
- SignTool.exe, found in the [Windows software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)
- The catalog file that you created earlier
- A code signing certificate issued from an internal certificate authority (CA) or a purchased code signing certificate
To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session.
Import the code signing certificate that will be used to sign the catalog file into the signing user's personal store. Then, sign the existing catalog file by copying each of the following commands into an elevated Windows PowerShell session.
1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
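Review bot: the edited NOTE now says Package Inspector catalogs the hash of each discovered "file", but its second sentence still refers to "the new binaries' hash values"; make the two sentences agree (for example "the new files' hash values"), since the point of the edit appears to be that non-PE files are hashed as well. Separately, this hunk deletes the "Files with an invalid signature blob or otherwise unhashable files" item (files modified after Authenticode signing, such as InstallShield custom-action DLLs), and that failure mode is not among the three items in the new "Known issues using Package Inspector" section added at the end of the file. If the drop is deliberate, fine, but it is the one case that neither re-running Package Inspector nor adding a hash rule can fix, so it is the item most worth keeping.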
@ -131,74 +123,59 @@ To sign the existing catalog file, copy each of the following commands into an e
$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
```
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
2. Sign the catalog file with Signtool.exe:
```powershell
<path to signtool.exe> sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName
<path to signtool.exe> sign /n "ContosoSigningCert" /fd sha256 /v $CatFileName
```
>[!NOTE]
>The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
>
>The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
>
>For additional information about Signtool.exe and all additional switches, visit the [Sign Tool page](/dotnet/framework/tools/signtool-exe).
4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
3. Verify the catalog file's digital signature. Right-click the catalog file, and then select **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.

Figure 1. Verify that the signing certificate exists
5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.
</details>
For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Configuration Manager, which also simplifies the management of catalog versions.
## Deploy the catalog file to your managed endpoints
## Add a catalog signing certificate to a Windows Defender Application Control policy
Catalog files in Windows are stored under ***%windir%\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}***.
After the catalog file is signed, add the signing certificate to a WDAC policy, as described in the following steps.
For testing purposes, you can manually copy signed catalog files to the folder above. For large-scale deployment of signed catalog files, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Configuration Manager.
1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
### Deploy catalog files with Group Policy
2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder** by scanning the system and allowlisting by signer and original filename:
To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization.
```powershell
New-CIPolicy -Level FilePublisher -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash
```
<br>
<details>
<summary>Expand this section for detailed instructions on deploying catalog files using Group Policy.</summary>
> [!NOTE]
> Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certificate_path>`:
```powershell
Add-SignerRule -FilePath <policypath> -CertificatePath <certificate_path> -User
```
If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
## Deploy catalog files with Group Policy
To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization. The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**.
The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called WDAC Enabled PCs with a GPO called **Contoso Catalog File GPO Test**.
**To deploy a catalog file with Group Policy:**
1. From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management.
2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
2. Create a new GPO: right-click an OU, for example, the **WDAC Enabled PCs OU**, and then select **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate).
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies.

Figure 2. Create a new GPO
3. Give the new GPO a name, for example, **Contoso DG Catalog File GPO Test**, or any name you prefer.
3. Give the new GPO a name, for example, **Contoso Catalog File GPO Test**, or any name you prefer.
4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
4. Open the Group Policy Management Editor: right-click the new GPO, and then select **Edit**.
5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3.
5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then select **File**, as shown in Figure 3.

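Review bot: the signtool line selects the signing certificate with `/n "ContosoSigningCert"`, and `/n` matches on a substring of the subject name, so on a signing workstation whose personal store holds more than one matching certificate (a renewed one next to an expired one, for instance) signtool can pick the wrong one; the NOTE under the command should mention `/sha1 <thumbprint>` as the unambiguous selector. Also worth flagging that the `Add-SignerRule ... -User` step removed in this hunk is replaced later in the file by a command that passes `-User -Kernel`; that widens what the catalog signing certificate is trusted for, and the later section should say that the kernel-mode scenario is only needed when the catalog covers drivers.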
@ -224,144 +201,200 @@ To simplify the management of catalog files, you can use Group Policy preference
10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Enabling this option ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application.
11. Click **OK** to complete file creation.
11. Select **OK** to complete file creation.
12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10.
12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10 or Windows 11, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10.
Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy.
</details>
## Deploy catalog files with Microsoft Configuration Manager
### Deploy catalog files with Microsoft Configuration Manager
As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes.
<br>
<details>
<summary>Expand this section for detailed instructions on deploying catalog files using Configuration Manager.</summary>
Complete the following steps to create a new deployment package for catalog files:
>[!NOTE]
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection-specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
1. Open the Configuration Manager console, and select the Software Library workspace.
1. Open the Configuration Manager console, and select the Software Library workspace.
2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**.
2. Navigate to Overview\\Application Management, right-click **Packages**, and then select **Create Package**.
3. Name the package, set your organization as the manufacturer, and select an appropriate version number.
3. Name the package, set your organization as the manufacturer, and select an appropriate version number.

Figure 5. Specify information about the new package
4. Click **Next**, and then select **Standard program** as the program type.
4. Select **Next**, and then select **Standard program** as the program type.
5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**.
5. On the **Standard Program** page, select a name, and then set the **Command Line** property to **XCopy \\\\Shares\\CatalogShare C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} /H /K /E /Y**.
6. On the **Standard Program** page, select the following options (Figure 6):
6. On the **Standard Program** page, select the following options (Figure 6):
- In **Name**, type a name such as **Contoso Catalog File Copy Program**.
- In **Command line**, browse to the program location.
- In **Startup folder**, type **C:\\Windows\\System32**.
- From the **Run** list, select **Hidden**.
- From the **Program can run** list, select **Whether or not a user is logged on**.
- From the **Drive mode** list, select **Runs with UNC name**.
- In **Name**, type a name such as **Contoso Catalog File Copy Program**.
- In **Command line**, browse to the program location.
- In **Startup folder**, type **C:\\Windows\\System32**.
- From the **Run** list, select **Hidden**.
- From the **Program can run** list, select **Whether or not a user is logged on**.
- From the **Drive mode** list, select **Runs with UNC name**.

Figure 6. Specify information about the standard program
7. Accept the defaults for the rest of the wizard, and then close the wizard.
7. Accept the defaults for the rest of the wizard, and then close the wizard.
After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you created to a test collection:
1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**.
1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then select **Deploy**.
2. On the **General** page, select the test collection to which the catalog files will be deployed, and then click **Next**.
2. On the **General** page, select the test collection to which the catalog files will be deployed, and then select **Next**.
3. On the **Content** page, click **Add** to select the distribution point that will serve content to the selected collection, and then click **Next**.
3. On the **Content** page, select **Add** to select the distribution point that will serve content to the selected collection, and then select **Next**.
4. On the **Deployment Settings** page, select **Required** in the **Purpose** box.
4. On the **Deployment Settings** page, select **Required** in the **Purpose** box.
5. On the **Scheduling** page, click **New**.
5. On the **Scheduling** page, select **New**.
6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then click **OK**.
6. In the **Assignment Schedule** dialog box, select **Assign immediately after this event**, set the value to **As soon as possible**, and then select **OK**.
7. On the **Scheduling** page, click **Next**.
7. On the **Scheduling** page, select **Next**.
8. On the **User Experience** page (Figure 7), set the following options, and then click **Next**:
8. On the **User Experience** page (Figure 7), set the following options, and then select **Next**:
- Select the **Software installation** check box.
- Select the **Software installation** check box.
- Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
- Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.

Figure 7. Specify the user experience
9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then click **Next**.
9. On the **Distribution Points** page, in the **Deployment options** box, select **Run program from distribution point**, and then select **Next**.
10. On the **Summary** page, review the selections, and then click **Next**.
10. On the **Summary** page, review the selections, and then select **Next**.
11. Close the wizard.
Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,.
</details>
## Inventory catalog files with Microsoft Configuration Manager
#### Inventory catalog files with Microsoft Configuration Manager
When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager.
<br>
<details>
<summary>Expand this section for detailed instructions on inventorying catalog files using Configuration Manager.</summary>
You can configure software inventory to find catalog files on your managed systems by creating and deploying a new client settings policy.
>[!NOTE]
>A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
1. Open the Configuration Manager console, and select the Administration workspace.
1. Open the Configuration Manager console, and select the Administration workspace.
2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**.
2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then select **Create Custom Client Device Settings**.
3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.

Figure 8. Select custom settings
4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9.
4. In the navigation pane, select **Software Inventory**, and then select **Set Types**, as shown in Figure 9.

Figure 9. Set the software inventory
5. In the **Configure Client Setting** dialog box, click the **Start** button to open the **Inventories File Properties** dialog box.
5. In the **Configure Client Setting** dialog box, select the **Start** button to open the **Inventories File Properties** dialog box.
6. In the **Name** box, type a name such as **\*Contoso.cat**, and then click **Set**.
6. In the **Name** box, type a name such as **\*Contoso.cat**, and then select **Set**.
>[!NOTE]
>When typing the name, follow your naming convention for catalog files.
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.

Figure 10. Set the path properties
8. Click **OK**.
8. Select **OK**.
9. Now that you've created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
9. Now that you've created the client settings policy, right-click the new policy, select **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you'll be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files.
2. Navigate to Overview\\Devices, and search for the device on which you want to view the inventoried files.
3. Right-click the computer, point to **Start**, and then click **Resource Explorer**.
3. Right-click the computer, point to **Start**, and then select **Resource Explorer**.
4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files.
4. In Resource Explorer, navigate to Software\\File Details to view the inventoried catalog files.
>[!NOTE]
>If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan.
## Related topics
</details>
- [Windows Defender Application Control](windows-defender-application-control.md)
## Allow apps signed by your catalog signing certificate in your WDAC policy
- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md)
Now that you have your signed catalog file, you can add a signer rule to your WDAC policy that will allow anything signed with that certificate. If you haven't yet created a WDAC policy, see [WDAC Design Guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide).
- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
<br>
<details>
<summary>Expand this section for detailed instructions on creating a signer rule for your catalog signer.</summary>
On a computer where the signed catalog file has been deployed, you can use [New-CiPolicyRule](/powershell/module/configci/new-cipolicyrule) to create a signer rule from any file included in that catalog. Then use [Merge-CiPolicy](/powershell/module/configci/merge-cipolicy) to add the rule to your policy XML. Be sure to replace the path values in the sample below.
```powershell
$Rules = New-CIPolicyRule -DriverFilePath <path to the file covered by the signed catalog> -Level Publisher
Merge-CIPolicy -OutputFilePath <path to your WDAC policy XML> -PolicyPaths <path to your WDAC policy XML> -Rules $Rules
```
Alternatively, you can use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add a signer rule to your WDAC policy from the certificate file (.cer). You can easily save the .cer file from your signed catalog file.
1. Right-click the catalog file, and then select **Properties**.
2. On the **Digital Signatures** tab, select the signature from the list and then select **Details**.
3. Select **View Certificate** to view the properties of the leaf certificate.
4. Select the **Details** tab and select **Copy to File** which will run the Certificate Export Wizard.
5. Complete the wizard using the default option for **Export File Format** and specifying a location and file name to save the .cer file.
> [!NOTE]
> The steps listed above will select the lowest level of the certificate chain (the "leaf" certificate). Instead, you can choose to use the certificate's intermediate or root issuer certificate. To use a different certificate in the chain, switch to the **Certification Path** tab after step 3 above, then select the certificate level you want to use and select **View Certificate**. Then complete the remaining steps.
The following example uses the .cer file to add a signer rule to both the user and kernel mode signing scenarios. Be sure to replace the path values in the sample below.
```powershell
Add-SignerRule -FilePath <path to your WDAC policy XML> -CertificatePath <path to your certificate .cer file> -User -Kernel
```
</details>
## Known issues using Package Inspector
Some of the known issues using Package Inspector to build a catalog file are:
- **USN journal size is too small to track all files created by the installer**
- To diagnose whether USN journal size is the issue, after running through Package Inspector:
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:<br>
`fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
- The above command should return an error if the older USNs don't exist anymore due to overflow
- You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` will show the current size and allocation delta, so using a multiple of that may help
- **CodeIntegrity - Operational event log is too small to track all files created by the installer**
- To diagnose whether Eventlog size is the issue, after running through Package Inspector:
- Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch.
- To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values
- **Installer or app files that change hash each time the app is installed or run**
- Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package won't work with Package Inspector.
- **Files with an invalid signature blob or otherwise "unhashable" files**
- This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec.
- Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your WDAC policy that uses the file's flat file hash.
- This issue affects some versions of InstallShield packages that use signed DLL files in custom actions. InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state.
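Review bot: In the USN journal troubleshooting bullet, the registry location `HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c:` is not valid registry path syntax (registry paths use backslashes), and `PackageInspectorRegistryKey` reads like a placeholder rather than the key the tool actually writes; either give the real key path or state plainly that the reader must substitute it. The Event Viewer path `Application and Services//Microsoft//Windows//CodeIntegrity//Operational` has the same doubled-separator problem and should be written as a navigation path, for example `Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational`. The note about selecting an intermediate or root issuer certificate should also state the trust consequence: a signer rule built from a CA certificate authorizes every file that chains to that CA, not only the files covered by this catalog.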
@ -10,7 +10,7 @@ ms.reviewer: aaroncz
ms.author: jogeurte
ms.manager: jsuther
manager: aaroncz
ms.date: 10/06/2022
ms.date: 12/03/2022
ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
@ -29,13 +29,22 @@ ms.localizationpriority: medium
This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
> [!NOTE]
> To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
## Deploying policies for Windows 10 version 1903 and above
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
## Deploying policies for Windows 11 22H2 and above
You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the example below with the actual path to your WDAC policy binary file.
```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
$PolicyBinary = "<Path to policy binary file to deploy>"
citool.exe --update-policy $PolicyBinary --json
```
## Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above
To use this procedure, download and distribute the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
1. Initialize the variables to be used by the script.
```powershell
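Review bot: The article-level NOTE ("To use this procedure, download and distribute the WDAC policy refresh tool ...") is repeated word for word as the opening sentence of the "Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above" section, and as written it claims the refresh tool is a prerequisite for the whole article even though the new Windows 11 22H2 section applies policies with `citool.exe --update-policy` and never invokes the tool. Keep the requirement only in the section that uses the refresh tool and drop the top-of-article copy, or reword the NOTE so it names which procedure it applies to.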
@ -58,7 +67,9 @@ You should now have one or more WDAC policies converted into binary form. If not
& $RefreshPolicyTool
```
## Deploying policies for Windows 10 versions earlier than 1903
## Deploying policies for all other versions of Windows and Windows Server
Use WMI to apply policies on all other versions of Windows and Windows Server.
1. Initialize the variables to be used by the script.
@ -4,14 +4,11 @@ title: Application Control for Windows
metadata:
title: Application Control for Windows
description: Landing page for Windows Defender Application Control
# services: service
# ms.service: microsoft-WDAC-AppLocker
# ms.subservice: Application-Control
# ms.topic: landing-page
# author: Kim Klein
# ms.author: Jordan Geurten
# manager: Jeffrey Sutherland
# ms.update: 04/30/2021
ms.topic: landing-page
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.date: 12/07/2022
# linkListType: overview | how-to-guide | tutorial | video
landingContent:
# Cards and links should be based on top customer tasks or top subjects
@ -3,15 +3,15 @@ title: Managing CI Policies and Tokens with CiTool
description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
author: valemieux
ms.author: jogeurte
ms.reviewer: jogeurte
ms.reviewer: jsuther1974
ms.topic: how-to
ms.date: 08/07/2022
ms.date: 12/03/2022
ms.custom: template-how-to
ms.prod: windows-client
ms.technology: itpro-security
---
# Manage Windows Defender Application Control (WDAC) Policies with CI Tool
# CITool.exe technical reference
CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins. CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies. CI Tool is currently included in Windows 11, version 22H2.
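Review bot: The H1 is renamed to "CITool.exe technical reference", but the front matter still carries `title: Managing CI Policies and Tokens with CiTool` (visible in this hunk's header) and a description that only mentions the command groups; the page title shown in search results and browser tabs will disagree with the heading, so update both to match. The intro paragraph also spells the tool "CI Tool" in four places while the new heading uses "CITool.exe"; pick one spelling for the article.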
@ -21,7 +21,7 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi
|--------|---------|---------|
| --update-policy `</Path/To/Policy/File>` | Add or update a policy on the current system | -up |
| --remove-policy `<PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system | -rp |
| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
| --list-policies | Dump information about all policies on the system, whether they're active or not | -lp |
## Token Commands
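Review bot: While this table row is being touched, the placeholder in `--update-policy </Path/To/Policy/File>` reads like an HTML closing tag because of the leading slash inside the angle brackets; `<Path\To\Policy\File>` would match the Windows path convention used elsewhere in these docs and avoid the confusion.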
@ -32,7 +32,7 @@ CI Tool makes Windows Defender Application Control (WDAC) policy management easi
| --list-tokens | Dump information about all tokens on the system | -lt |
> [!NOTE]
> Regarding --add-token, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
> Regarding `--add-token`, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
## Miscellaneous Commands
@ -1,6 +1,6 @@
---
title: Use code signing to simplify application control for classic Windows applications (Windows)
description: With embedded signing, your WDAC policies typically don't have to be updated when an app is updated. To set up this embedded signing, you can choose from various methods.
title: Use code signing for added control and protection with WDAC
description: Code signing can be used to better control win32 app authorization and add protection for your WDAC policies.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: windows-client
@ -9,16 +9,17 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: conceptual
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 05/03/2018
ms.date: 11/29/2022
ms.technology: itpro-security
---
# Use code signing to simplify application control for classic Windows applications
# Use code signing for added control and protection with WDAC
**Applies to:**
@ -29,45 +30,34 @@ ms.technology: itpro-security
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
This topic covers guidelines for using code signing control classic Windows apps.
## What is code signing and why is it important?
## Reviewing your applications: application signing and catalog files
Code signing provides some important benefits to application security features like Windows Defender Application Control (WDAC). First, it allows the system to cryptographically verify that a file hasn't been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. This identity can make your WDAC policy trust decisions easier and allows for real-world consequences when code signing is abused or used maliciously. Although Windows doesn't require software developers to digitally sign their code, most major independent software vendors (ISV) do use code signing for much of their code. And metadata that a developer includes in a file's resource header (.RSRC), such as OriginalFileName or ProductName, can be combined with the file's signing certificate to limit the scope of trust decisions. For example, instead of allowing everything signed by Microsoft, you can choose to allow only files signed by Microsoft where ProductName is "Microsoft Teams". Then use other rules to authorize any other files that need to run.
Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This purpose means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
Wherever possible, you should require all app binaries and scripts are code signed as part of your app acceptance criteria. And, you should ensure that internal line-of-business (LOB) app developers have access to code signing certificates controlled by your organization.
Catalog files can be useful for unsigned LOB applications that can't easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically don't have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
## Catalog signing
To obtain signed applications or embed signatures in your in-house applications, you can choose from various methods:
App binaries and scripts are typically either embed-signed or catalog-signed. Embedded signatures become part of the file itself and are carried with the file wherever it's copied or moved. Catalog signatures, on the other hand, are detached from the individual file(s). Instead, a separate "catalog file" is created that contains hash values for one or more files to be signed. This catalog file is then digitally signed and applied to any computer where you want the signature to exist. Any file whose hash value is included in the signed catalog inherits the signature from the catalog file. A file may have multiple signatures, including a mix of embedded and catalog signatures.
- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll up to our certificate authority (CA) or to your own.
- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
To use catalog signing, you can choose from the following options:
- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications.
- Create your own catalog files, which are described in the next section.
### Catalog files
Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you don't want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application.
Catalog files are Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
After you've created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
You can use catalog files to easily add a signature to an existing application without needing access to the original source files and without any expensive repackaging. You can even use catalog files to add your own signature to an ISV app when you don't want to trust everything the ISV signs directly, themselves. Then you just deploy the signed catalog along with the app to all your managed endpoints.
> [!NOTE]
> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, Windows 2016 Server, or Windows Enterprise IoT.
> Since catalogs identify the files they sign by hash, any change to the file may invalidate its signature. You will need to deploy updated catalog signatures any time the application is updated. Integrating code signing with your app development or app deployment processes is generally the best approach. Be aware of self-updating apps, as their app binaries may change without your knowledge.
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
To learn how to create and manage catalog files for existing apps, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
## Windows Defender Application Control policy formats and signing
## Signed WDAC policies
When you generate a Windows Defender Application Control policy, you're generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
While a WDAC policy begins as an XML document, it's then converted into a binary-encoded file before deployment. This binary version of your WDAC policy can be code signed like any other application binary, offering many of the same benefits as described above for signed code. Additionally, signed policies are treated specially by WDAC and help protect against tampering or removal of a WDAC policy even by an admin user.
We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
For more information on using signed WDAC policies, see [Use signed policies to protect WDAC against tampering](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering)
When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add more protection against administrative users changing or removing the policy.
## Obtain code signing certificates for your own use
Some ways to obtain code signing certificates for your own use, include:
- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
- Customers with existing Microsoft Store for Business and Education accounts can continue to use the ["Device Guard signing service v2"](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business).
- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).
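Review bot: The new "What is code signing" paragraph says resource-header metadata such as OriginalFileName or ProductName "can be combined with the file's signing certificate to limit the scope of trust decisions" but never says why those self-declared strings are safe to rely on; add that they are trustworthy only because the Authenticode signature covers the file's resource section, so tampering with them invalidates the signature, otherwise readers may treat the metadata as independently verified identity. Two smaller items in the same hunk: "you should require all app binaries and scripts are code signed" needs "require that all app binaries and scripts be code signed", and the sentence "For more information on using signed WDAC policies, see [Use signed policies ...]" has no terminating period.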
@ -1,6 +1,6 @@
---
title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows)
description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
title: Use the Device Guard Signing Service v2 (Windows)
description: You can sign catalog files and WDAC policies with the Device Guard signing service.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.author: vinpa
@ -10,15 +10,16 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.topic: conceptual
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jogeurte
manager: aaroncz
ms.date: 02/19/2019
ms.date: 11/30/2022
ms.technology: itpro-security
---
# Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business
# Optional: Use the Device Guard Signing Service v2
**Applies to:**
@ -27,27 +28,162 @@ ms.technology: itpro-security
- Windows Server 2016 and above
> [!IMPORTANT]
> The existing web-based mechanism for the Device Guard Signing Service v1 will be retired on June 9, 2021. Please transition to the PowerShell based version of the service [(DGSS v2)](/microsoft-store/device-guard-signing-portal). For more details, see [Sign an MSIX package with Device Guard signing](/windows/msix/package/signing-package-device-guard-signing) and [Device Guard signing](/microsoft-store/device-guard-signing-portal).
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
>
> You can continue to use the current Device Guard Signing Service v2 (DGSS) capabilities until that time. DGSS will be replaced by the [Azure Code Signing service (ACS)](https://aka.ms/AzureCodeSigning) and will support your Windows Defender Application Control (WDAC) policy and catalog file signing needs.
The Device Guard Signing Service v2 (DGSS) is a code signing service that comes with your existing Microsoft Store for Business and Education tenant account. You can use the DGSS to sign catalog files and Windows Defender Application Control (WDAC) policies.
## Set up permissions for DGSS signing in the Microsoft Store for Business and Education
To use DGSS, you need to assign yourself a role with the right permissions. The least privileged role with DGSS signing privilege is the **Device Guard signer** role. **Global Administrator** and **Billing account owner** can also sign with the DGSS.
## Install the DGSS client NuGet package
Download and install the [DGSS client utilities and PowerShell cmdlets NuGet package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/).
1. Download the [latest recommended version of nuget.exe](https://dist.nuget.org/win-x86-commandline/latest/nuget.exe).
2. From an elevated PowerShell or command window, run the following command:
```powershell
nuget.exe install Microsoft.Acs.Dgss.Client
```
3. Import the DGSS PowerShell module from the location where the Microsoft.Acs.Dgss.Client was installed in the previous step.
```powershell
# Update the path to the Microsoft.Acs.Dgss.Client.dll if needed
Import-Module $env:USERPROFILE\Downloads\Microsoft.Acs.Dgss.Client.1.0.11\PowerShell\Microsoft.Acs.Dgss.Client.dll
```
## DGSS PowerShell Commands
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> <DGSSCommonParameters> are parameters common across all commands and are documented below the command definitions.
You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
### Get-DefaultPolicy
## Sign your code integrity policy
Before you get started, be sure to review these best practices:
Gets the default .xml policy file associated with the current tenant.
**Best practices**
**Usage:**
- Test your code integrity policies on a pilot group of devices before deploying them to production.
- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](./select-types-of-rules-to-create.md).
```powershell
Get-DefaultPolicy -OutFile filename [-PassThru] [<DGSSCommonParameters>]
```
**To sign a code integrity policy**
**Parameters:**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, click **Store settings**, and then click **Device Guard**.
3. Click **Upload** to upload your code integrity policy.
4. After the files are uploaded, click **Sign** to sign the code integrity policy.
5. Click **Download** to download the signed code integrity policy.
- **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist.
- **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.
**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes.
### Get-RootCertificate
Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
**Usage:**
```powershell
Get-RootCertificate -OutFile filename [-PassThru] [<DGSSCommonParameters>]
```
**Parameters:**
- **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist.
- **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file.
**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes.
### Get-SigningHistory
Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
**Usage:**
```powershell
Get-SigningHistory -OutFile filename [-PassThru] [<DGSSCommonParameters>]
```
**Parameters:**
- **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten. NOTE: The destination folder must already exist.
- **PassThru** - switch, optional - If present, returns XML objects returning the XML file.
**Command running time:** The average running time is under 10 seconds.
### Submit-SigningJob
Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly.
**Usage:**
```powershell
Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [<DGSSCommonParameters>]
```
**Parameters:**
- **InFile** - string, mandatory - The file to be signed, which must be a valid catalog file (.cat) or WDAC policy file with binary extension (.bin).
- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. NOTE: The destination folder must already exist.
- **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl is present, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl aren't present, the signing operation will skip timestamping the output file, and it will be signed only.
- **TimeStamperUrl** - string, optional - If this value is an invalid URL (and NoTimestamp not present), the module will throw an exception. To understand more about timestamping, see [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
- **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process, you may want the process to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
### Submit-SigningV1MigrationPolicy
Submits a file to the service for signing and timestamping. The only valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for DGSS V1 migration.
**Usage:**
```powershell
Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [<DGSSCommonParameters>]
```
**Parameters:**
- **InFile** - string, mandatory - The file to be signed, which must be a WDAC policy file with binary extension (.bin).
- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. NOTE: The destination folder must already exist.
- **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl is present, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl aren't present, the signing operation will skip timestamping the output file, and it will be signed only.
- **TimeStamperUrl** - string, optional - If this value is an invalid URL (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, see [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
- **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process, you may want the process to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Command running time:** The average running time is under 20 seconds but may be up to 3 minutes.
### Common parameters <DGSSCommonParameters>
In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters.
**Usage:**
```powershell
... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
```
**Parameters:**
- **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless environment and that all UI should be suppressed. If UI must be displayed (for example, for authentication) when the switch is set, the operation will instead fail.
- **Credential + AppId** - PSCredential - A sign-in credential (username and password) and AppId.
## File and size limits
When you're uploading files for DGSS signing, there are a few limits for files and file size:
| Description | Limit |
|-------------------------------------------------------|----------|
| Maximum size for a policy or catalog file | 3.5 MB |
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
## File types
Catalog and policy files submitted to DGSS for signing must use specific file extensions:
| File | Required file extension |
|---------------|--------------------|
| catalog files | .cat |
| policy files | .bin |
## DGSS signing certificates
All certificates generated by the DGSS are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline.
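Review bot: the heading `### Common parameters <DGSSCommonParameters>` carries a raw `<DGSSCommonParameters>` token; outside a code fence a markdown renderer parses it as an HTML tag and drops it, so the heading that the usage lines point to with `[<DGSSCommonParameters>]` ends up without its name. Wrap the token in backticks or escape the angle brackets. Two wording points in the same hunk: `Otherwise, binary policy file may not be deployed properly` wants `the binary policy file`, and `the module will throw exception` wants `an exception`. The `Credential + AppId` parameter entry gives a type only for the credential; the usage line lists `-Credential` and `-AppId` as separate parameters, so give AppId its own type and say whether the two must be supplied together.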
@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.topic: conceptual
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
@ -29,89 +30,117 @@ ms.technology: itpro-security
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of protection available in Windows. These policies are designed to detect administrative tampering of the policy, such as by malware running as admin, and will result in a boot failure (blue screen). With this goal in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to provide this protection for signed WDAC policies.
If you don't currently have a code signing certificate you can use to sign your WDAC policies, see [Obtain code signing certificates for your own use](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications#obtain-code-signing-certificates-for-your-own-use).
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
> Boot failure (blue screen) may occur if your signing certificate doesn't follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options **Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the [Windows SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/) (Windows 7 or later)
- The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you've created
- An internal CA code signing certificate or a purchased code signing certificate
If you don't have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, ensure you update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
1. Initialize the variables that will be used:
```powershell
$CIPolicyPath=$env:userprofile+"\Desktop\"
$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
```
> [!NOTE]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** variable with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you'll use to sign the WDAC policy into the user’s personal store on the computer where the signing happens. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
4. Navigate to your desktop as the working directory:
```powershell
cd $env:USERPROFILE\Desktop
```
5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
```powershell
Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User –Update
```
> [!NOTE]
> *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Remove WDAC policies](disable-windows-defender-application-control-policies.md).
6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
```powershell
Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete
```
7. Reset the policy ID and use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
```powershell
$PolicyID= Set-CIPolicyIdInfo -FilePath $InitialCIPolicy -ResetPolicyID
$PolicyID = $PolicyID.Substring(11)
$CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip"
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
```
8. Sign ([PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652)) the WDAC policy by using SignTool.exe:
```powershell
<Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
```
> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).
Before you attempt to deploy signed WDAC policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
> When signing a Base policy that has existing Supplemental policies, you must also switch to signed policy for all of the Supplementals. Authorize the signed supplemental policies by adding a **<SupplementalPolicySigner>** rule to the Base policy.
## Prepare your WDAC policy for signing
<br>
<details>
<summary>Expand this section for detailed instructions on preparing your WDAC policy files for signing.</summary>
1. Open an elevated Windows PowerShell session and initialize the variables that will be used:
```powershell
$PolicyPath=$env:userprofile+"\Desktop\"
$PolicyName="FixedWorkloadPolicy_Enforced"
$LamnaServerPolicy=$PolicyPath+$PolicyName+".xml"
```
> [!NOTE]
> This example uses an enforced version of the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) article. If you are signing another policy, be sure to update the **$PolicyPath** and **$PolicyName** variables with the correct information.
2. Navigate to your desktop as the working directory:
```powershell
cd $PolicyPath
```
3. If your WDAC policy doesn't already include an **<UpdatePolicySigner>** rule for your policy signing certificate, you must add it. At least one **<UpdatePolicySigner>** rule must exist to convert your WDAC policy XML with [ConvertFrom-CiPolicy](/powershell/module/configci/convertfrom-cipolicy). If you're using the Device Guard Signing Service v2 (DGSS) to sign your policy, you can find the policy signer rule in your tenant's default policy, which you can download from [Get-DefaultPolicy](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-defaultpolicy).
Otherwise, use [Add-SignerRule](/powershell/module/configci/add-signerrule) and create an **<UpdatePolicySigner>** rule from your certificate file (.cer). DGSS users can download the root certificate file from [Get-RootCertificate](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-rootcertificate). If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can export the certificate file.
NOTE: If your policy doesn't allow Supplemental policies, you should omit the **-Supplemental** switch from the following command:
```powershell
Add-SignerRule -FilePath $LamnaServerPolicy -CertificatePath <Path to exported .cer certificate> –Update -Supplemental
```
> [!IMPORTANT]
> Failing to perform this step will leave you unable to modify or disable this policy and will lead to boot failure. For more information about how to disable signed WDAC policies causing boot failure, see [Remove WDAC policies causing boot stop failures](/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies#remove-wdac-policies-causing-boot-stop-failures).
4. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
```powershell
Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 -Delete
```
5. (Optional) Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to reset the policy ID and change the policy name.
6. (Optional) Use [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) to change the policy VersionEx.
> [!IMPORTANT]
> When updating a signed policy, the VersionEx of the updated policy must be greater than or equal to the current policy. Replacing a signed policy with a lower version will lead to boot failure.
7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
```powershell
$PolicyID= Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -ResetPolicyID
$PolicyID = $PolicyID.Substring(11)
$CIPolicyBin = $env:userprofile + "\Desktop\" + $PolicyID + ".cip"
ConvertFrom-CIPolicy $LamnaServerPolicy $CIPolicyBin
```
</details>
## Sign your WDAC policy
### Policy signing with Device Guard Signing Service v2 (DGSS)
If you have an existing Microsoft Store for Business and Education account, you can use the DGSS to sign your WDAC policy. For more information, see [Submit-SigningJob](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#submit-signingjob).
### Policy signing with signtool.exe
If you purchased a code signing certificate or issued one from your own PKI, you can use [SignTool.exe](/windows/win32/seccrypto/signtool) to sign your WDAC policy files:
1. Import the .pfx code signing certificate into the user’s personal store on the computer where the signing will happen. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
2. Sign the WDAC policy by using SignTool.exe:
```powershell
<Path to signtool.exe> sign -v -n "ContosoSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin
```
> [!NOTE]
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
When complete, the commands should output a signed policy file with a .p7 extension. You must rename the file to *{GUID}*.cip where "{GUID}" is the <PolicyId> from your original WDAC policy XML.
## Verify and deploy the signed policy
You can use certutil.exe to verify the signed file. Review the output to confirm the signature algorithm and encoding for certificate fields, like 'subject common name' and 'issuer common name' as described in the Warning at the top of this article.
```powershell
certutil.exe -asn <path to signed policy file>
```
Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed WDAC policy to ensure you don't encounter a boot failure.
Once you've verified the signed policy, deploy it using your preferred deployment method. For information about deploying WDAC policies, see [Deploying WDAC policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
> [!NOTE]
> Anti-tampering protection for signed WDAC policies takes effect after the first reboot once the signed WDAC policy is applied to a computer. This protection only applies to computers with UEFI Secure Boot enabled.
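Review bot: several prose lines in this hunk put raw angle-bracket tokens inside bold or italic text, namely `**<UpdatePolicySigner>**`, `**<SupplementalPolicySigner>**`, `*<Path to exported .cer certificate>*`, `*<Path to signtool.exe>*` and `<PolicyId>`; outside a code fence a markdown renderer parses these as HTML tags and drops them, leaving the sentence without the name it is explaining. Put them in backticks. Two further points: the step-9 text says the commands output `{PolicyID}.cip`, while the later SignTool section says the output carries a `.p7` extension that must be renamed to `{GUID}.cip`; with `-p7 .` SignTool writes the signature beside the input as `<input>.p7`, so the second description is the accurate one and the first should be aligned with it. The two `Add-SignerRule` commands also use an en dash in `–Update` where every other switch uses a plain hyphen; a plain `-Update` is safer for readers who copy the command into another shell.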
@ -40,7 +40,7 @@ You can only use Group Policy to change these settings.
## Use Group Policy to hide non-critical notifications
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Configuration Manager reporting).
You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Windows Update for Business reports or Microsoft Configuration Manager reporting).
These notifications can be hidden only by using Group Policy.
@ -53,7 +53,7 @@ By default, in new installations, Windows Defender Firewall with Advanced Securi
If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.
Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party firewalls that comply with this recommendation have the certified logo from Microsoft.
An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
ms.date: 10/28/2022
ms.date: 12/05/2022
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@ -34,6 +34,7 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
| Update Compliance <!--7260188-->| [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
| Windows Information Protection <!-- 6010051 --> | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).<br> <br>For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
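Review bot: the `Deprecation announced` column now mixes month-year values (`November 2022`, `July 2022`) with release identifiers (`21H1`), which makes the table harder to scan and sort; pick one convention, or state in the header which form is used. The new Update Compliance row itself is consistent with the notification-settings hunk earlier in this merge, which replaces the Update Compliance reference with Windows Update for Business reports, so no further change is needed there.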