diff --git a/bcs/index.md b/bcs/index.md index 50a9709c7e..01f7f2e27b 100644 --- a/bcs/index.md +++ b/bcs/index.md @@ -13,7 +13,7 @@ description: Learn about the product documentation and resources available for M
+ +[AppLocker CSP](applocker-csp.md) +

Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).

+ + +[DeviceManageability CSP](devicemanageability-csp.md) +

Added the following settings in Windows 10, version 1709:

+ + [Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1709:

diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index f3da2fb6fe..01bd1dd68e 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -60,6 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua ADMX Info: - GP english name: *Enable App-V Client* - GP name: *EnableAppV* +- GP path: *Administrative Templates/System/App-V* - GP ADMX file name: *appv.admx* @@ -105,6 +106,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj ADMX Info: - GP english name: *Enable Dynamic Virtualization* - GP name: *Virtualization_JITVEnable* +- GP path: *Administrative Templates/System/App-V/Virtualization* - GP ADMX file name: *appv.admx* @@ -150,6 +152,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv ADMX Info: - GP english name: *Enable automatic cleanup of unused appv packages* - GP name: *PackageManagement_AutoCleanupEnable* +- GP path: *Administrative Templates/System/App-V/PackageManagement* - GP ADMX file name: *appv.admx* @@ -195,6 +198,7 @@ Enables scripts defined in the package manifest of configuration files that shou ADMX Info: - GP english name: *Enable Package Scripts* - GP name: *Scripting_Enable_Package_Scripts* +- GP path: *Administrative Templates/System/App-V/Scripting* - GP ADMX file name: *appv.admx* @@ -240,6 +244,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th ADMX Info: - GP english name: *Enable Publishing Refresh UX* - GP name: *Enable_Publishing_Refresh_UX* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -295,6 +300,7 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t ADMX Info: - GP english name: *Reporting Server* - GP name: *Reporting_Server_Policy* +- GP path: *Administrative Templates/System/App-V/Reporting* - GP ADMX file name: *appv.admx* @@ -340,6 +346,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user' ADMX Info: - GP english name: *Roaming File Exclusions* - GP name: *Integration_Roaming_File_Exclusions* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -385,6 +392,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage ADMX Info: - GP english name: *Roaming Registry Exclusions* - GP name: *Integration_Roaming_Registry_Exclusions* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -430,6 +438,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific ADMX Info: - GP english name: *Specify what to load in background (aka AutoLoad)* - GP name: *Steaming_Autoload* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -475,6 +484,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package ADMX Info: - GP english name: *Enable Migration Mode* - GP name: *Client_Coexistence_Enable_Migration_mode* +- GP path: *Administrative Templates/System/App-V/Client Coexistence* - GP ADMX file name: *appv.admx* @@ -520,6 +530,7 @@ Specifies the location where symbolic links are created to the current version o ADMX Info: - GP english name: *Integration Root User* - GP name: *Integration_Root_User* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -565,6 +576,7 @@ Specifies the location where symbolic links are created to the current version o ADMX Info: - GP english name: *Integration Root Global* - GP name: *Integration_Root_Global* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -628,6 +640,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 1 Settings* - GP name: *Publishing_Server1_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -689,8 +702,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: -- GP english name: *Publishing Server 2 Settings* +- GP English name: *Publishing Server 2 Settings* - GP name: *Publishing_Server2_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -754,6 +768,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 3 Settings* - GP name: *Publishing_Server3_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -817,6 +832,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 4 Settings* - GP name: *Publishing_Server4_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -880,6 +896,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 5 Settings* - GP name: *Publishing_Server5_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -925,6 +942,7 @@ Specifies the path to a valid certificate in the certificate store. ADMX Info: - GP english name: *Certificate Filter For Client SSL* - GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -970,6 +988,7 @@ This setting controls whether virtualized applications are launched on Windows 8 ADMX Info: - GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* - GP name: *Streaming_Allow_High_Cost_Launch* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1015,6 +1034,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP ADMX Info: - GP english name: *Location Provider* - GP name: *Streaming_Location_Provider* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1060,6 +1080,7 @@ Specifies directory where all new applications and updates will be installed. ADMX Info: - GP english name: *Package Installation Root* - GP name: *Streaming_Package_Installation_Root* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1105,6 +1126,7 @@ Overrides source location for downloading package content. ADMX Info: - GP english name: *Package Source Root* - GP name: *Streaming_Package_Source_Root* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1150,6 +1172,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio ADMX Info: - GP english name: *Reestablishment Interval* - GP name: *Streaming_Reestablishment_Interval* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1195,6 +1218,7 @@ Specifies the number of times to retry a dropped session. ADMX Info: - GP english name: *Reestablishment Retries* - GP name: *Streaming_Reestablishment_Retries* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1240,6 +1264,7 @@ Specifies that streamed package contents will be not be saved to the local hard ADMX Info: - GP english name: *Shared Content Store (SCS) mode* - GP name: *Streaming_Shared_Content_Store_Mode* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1285,6 +1310,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming ADMX Info: - GP english name: *Enable Support for BranchCache* - GP name: *Streaming_Support_Branch_Cache* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1330,6 +1356,7 @@ Verifies Server certificate revocation status before streaming using HTTPS. ADMX Info: - GP english name: *Verify certificate revocation list* - GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1375,6 +1402,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f ADMX Info: - GP english name: *Virtual Component Process Allow List* - GP name: *Virtualization_JITVAllowList* +- GP path: *Administrative Templates/System/App-V/Virtualization* - GP ADMX file name: *appv.admx* diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index f4b6271552..a1cd701480 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -97,7 +97,7 @@ Appv.admx file: ## ADMX-backed policy examples -The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ### Enabling a policy @@ -119,7 +119,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ```XML - + 2 @@ -169,7 +169,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ```XML - + 2 @@ -209,7 +209,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b **Request SyncML** ``` - + 1 @@ -292,7 +292,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ```XML - + $CmdId$ @@ -333,7 +333,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ```XML - + 2 @@ -377,7 +377,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -409,7 +409,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -466,7 +466,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -503,7 +503,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar #### Corresponding SyncML: ```XML - + 2 @@ -552,7 +552,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ```XML - + 2 diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 4954192798..8d3a787f3c 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -12,11 +12,7 @@ author: greg-lindsay # Configure VDA for Windows 10 Subscription Activation -<<<<<<< HEAD -This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license. -======= This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. ->>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6 ## Requirements diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md index 6030e8a054..cb46edf710 100644 --- a/windows/device-security/change-history-for-device-security.md +++ b/windows/device-security/change-history-for-device-security.md @@ -14,14 +14,14 @@ This topic lists new and updated topics in the [Device security](index.md) docum ## August 2017 |New or changed topic |Description | |---------------------|------------| - | [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. | - +| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. | +| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description | ## July 2017 |New or changed topic |Description | |---------------------|------------| - | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | +| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | ## May 2017 diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 6b3f009321..390575abd4 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -46,6 +46,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - mshta.exe - ntsd.exe - rcsi.exe +- SyncAppVPublishingServer.exe - system.management.automation.dll - windbg.exe @@ -64,6 +65,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| |Alex Ionescu | @aionescu| +|Nick Landers | @monoxgas|
@@ -116,6 +118,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -184,6 +187,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index fcd0f46670..f5754dfb28 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -10,7 +10,7 @@ author: mdsakibMSFT # Deploy Managed Installer for Device Guard -Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guard’s [configurable code integrity (CI)](device-guard-deployment-guide.md). +Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md). This is especially true for enterprises with large, ever changing software catalogs. Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md index cc479c5bc2..b2a0c2025c 100644 --- a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md @@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside ## Reference -This policy setting prevents users from adding new Microsoft accounts on a device. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. -If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store. +There are two options if this setting is enabled: -If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system. +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). + +- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. @@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st ### Best practices - By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. -- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts. ### Location diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index fd9171827c..f482e0b44e 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -147,6 +147,13 @@ ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) +##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md) +###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md) +###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md) +###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md) +###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md) +###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md) + ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index e854d43efb..ebec2a5082 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,10 +8,13 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft +ms.author: lizross +ms.date: 08/14/2017 ms.localizationpriority: high --- # Block untrusted fonts in an enterprise + **Applies to:** - Windows 10 @@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature +Use Group Policy or the registry to turn this feature on, off, or to use audit mode. + +**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** +1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. + +2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: + + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + + - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + + - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + +3. Click **OK**. + +**To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: +3. Right click on the **MitigationOptions** key, and then click **Modify**. + + The **Edit QWORD (64-bit) Value** box opens. + +4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**.

**Important**
Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  -4. Restart your computer. + - **To turn this feature off.** Type **2000000000000**. + + - **To audit with this feature.** Type **3000000000000**. + + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + +4. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. @@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 2. Scroll down to **EventID: 260** and review the relevant events. -

-**Event Example 1 - MS Word**
-WINWORD.EXE attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: true

-**Note**
Because the **FontType** is *Memory*, there’s no associated **FontPath.** -

-**Event Example 2 - Winlogon**
-Winlogon.exe attempted loading a font that is restricted by font loading policy.
-FontType: File
-FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
-Blocked: true

-**Note**
Because the **FontType** is *File*, there’s also an associated **FontPath.** -

-**Event Example 3 - Internet Explorer running in Audit mode**
-Iexplore.exe attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: false

-**Note**
In Audit mode, the problem is recorded, but the font isn’t blocked. + + **Event Example 1 - MS Word**
+ WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + **Event Example 2 - Winlogon**
+ Winlogon.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: File
+ FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + **Event Example 3 - Internet Explorer running in Audit mode**
+ Iexplore.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: false + + >[!NOTE] + >In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.   +## Related content +- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)   diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 885e4d9279..a98bb34278 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md @@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows |[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| +|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.| |[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| |[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 2bde953608..fdb8d3eec8 100644 --- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 18e242a4f0..8e92f2d2cd 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt --- # Manage updates and scans for endpoints that are out of date @@ -92,7 +93,7 @@ See the following for more information and allowed parameters: ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)). +You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. **Use Group Policy to specify the number of days before protection is considered out-of-date:** diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index d87bb53800..214f619f3f 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: iaanw +ms.author: iawilt --- # Manage the sources for Windows Defender Antivirus protection updates @@ -63,7 +64,11 @@ The older the updates on an endpoint, the larger the download. However, you must Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth. -The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). +The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). + +> [!IMPORTANT] +> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). +> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: @@ -73,7 +78,7 @@ WSUS | You are using WSUS to manage updates for your network. Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates. File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. Configuration Manager | You are using System Center Configuration Manager to update your endpoints. -MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. +MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md new file mode 100644 index 0000000000..73bb0a5fb0 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -0,0 +1,46 @@ +--- +title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Configure Windows Defender Application Guard policy settings + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. + +Application Guard uses both network isolation and application-specific settings. + +### Network isolation settings +These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. + +>[!NOTE] +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. + + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| + +### Application-specific settings +These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. + +|Name|Supported versions|Description|Options| +|-----------|------------------|-----------|-------| +|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:

  • Disable the clipboard functionality completely when Virtualization Security is enabled.
  • Enable copying of certain content from Application Guard into Microsoft Edge.
  • Enable copying of certain content from Microsoft Edge into Application Guard.

    **Important**
    Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
  • Enable Application Guard to print into the XPS format.
  • Enable Application Guard to print into the PDF format.
  • Enable Application Guard to print to locally attached printers.
  • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.| +|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
| +|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| + diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md new file mode 100644 index 0000000000..78a7228f40 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -0,0 +1,44 @@ +--- +title: Frequently asked questions - Windows Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Frequently asked questions - Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. + +## Frequently Asked Questions + +| | | +|---|----------------------------| +|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| +|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +
+ +| | | +|---|----------------------------| +|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| +|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.| +
+ +| | | +|---|----------------------------| +|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| +|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| +
+ +| | | +|---|----------------------------| +|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| +|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png new file mode 100644 index 0000000000..6f2bb5afcf Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png new file mode 100644 index 0000000000..f1391f862c Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png new file mode 100644 index 0000000000..e0bedcd7cd Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png new file mode 100644 index 0000000000..357be9c65b Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png new file mode 100644 index 0000000000..25c22912a5 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png new file mode 100644 index 0000000000..48aa702feb Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png new file mode 100644 index 0000000000..56acb4be53 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png new file mode 100644 index 0000000000..c5e7982909 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png new file mode 100644 index 0000000000..01f4eb6359 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png new file mode 100644 index 0000000000..3fe617b8ed Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png new file mode 100644 index 0000000000..a946325c66 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png new file mode 100644 index 0000000000..877b707030 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png new file mode 100644 index 0000000000..5172022256 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md new file mode 100644 index 0000000000..a93a6519fc --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -0,0 +1,56 @@ +--- +title: Prepare and install Windows Defender Application Guard (Windows 10) +description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Prepare and install Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +## Prepare to install Windows Defender Application Guard +Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. + +- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. + +- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. + +The following diagram shows the flow between the host PC and the isolated container. +![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) + +## Install Application Guard +Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +**To install by using the Control Panel** +1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. + + ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) + +2. Select the check box next to **Windows Defender Application Guard** and then click **OK**. + + Application Guard and its underlying dependencies are all installed. + +**To install by using PowerShell** +1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. + +2. Right-click **Windows PowerShell**, and then click **Run as administrator**. + + Windows PowerShell opens with administrator credentials. + +3. Type the following command: + + ``` + Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard + ``` +4. Restart the device. + + Application Guard and its underlying dependencies are all installed. + diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md new file mode 100644 index 0000000000..a03b3514c2 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -0,0 +1,37 @@ +--- +title: System requirements for Windows Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# System requirements for Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. + +## Hardware requirements +Your environment needs the following hardware to run Application Guard. + +|Hardware|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**-AND-**

One of the following virtualization extensions for VBS:

VT-x (Intel)

**-OR-**

AMD-V| +|Hardware memory|4 GB minimum, 8 GB recommended| + +## Software requirements +Your environment needs the following hardware to run Application Guard. + +|Software|Description| +|--------|-----------| +|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)| +|Browser|Microsoft Edge and Internet Explorer| +|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md new file mode 100644 index 0000000000..152f404382 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -0,0 +1,159 @@ +--- +title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10) +description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Testing scenarios using Windows Defender Application Guard in your business or organization + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. + +## Application Guard in standalone mode +You can see how an employee would use standalone mode with Application Guard. + +**To test Application Guard in Standalone mode** + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. + + ![New Application Guard window setting option](images/appguard-new-window.png) + +4. Wait for Application Guard to set up the isolated environment. + + >[!NOTE] + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + +5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. + + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +## Application Guard in Enterprise-managed mode +How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. + +### Install, set up, and turn on Application Guard +Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings. + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device and then start Microsoft Edge. + +4. Set up the Network Isolation settings in Group Policy: + + a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. + + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + + c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + + ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + + d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + + e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + + ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + +5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting. + +6. Click **Enabled**. + + ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + + >[!NOTE] + >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + +7. Start Microsoft Edge and type _www.microsoft.com_. + + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + + ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) + +8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. + + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. + + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +### Customize Application Guard +Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees. + +Application Guard provides the following default behavior for your employees: + +- No copying and pasting between the host PC and the isolated container. + +- No printing from the isolated container. + +- No data persistence from one isolated container to another isolated container. + +You have the option to change each of these settings to work with your enterprise from within Group Policy. + +**To change the copy and paste options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled**. + + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) + +3. Choose how the clipboard works: + + - Copy and paste from the isolated session to the host PC + + - Copy and paste from the host PC to the isolated session + + - Copy and paste both directions + +4. Choose what can be copied: + + - **1.** Only text can be copied between the host PC and the isolated container. + + - **2.** Only images can be copied between the host PC and the isolated container. + + - **3.** Both text and images can be copied between the host PC and the isolated container. + +5. Click **OK**. + +**To change the print options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled**. + + ![Group Policy editor Print options](images/appguard-gp-print.png) + +3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. + +4. Click **OK**. + +**To change the data persistence options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) + +3. Open Microsoft Edge and browse to an untrusted, but safe URL. + + The website opens in the isolated session. + +4. Add the site to your **Favorites** list and then close the isolated session. + +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + + The previously added site should still appear in your **Favorites** list. + + >[!NOTE] + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md new file mode 100644 index 0000000000..ac7c37e883 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -0,0 +1,47 @@ +--- +title: Windows Defender Application Guard (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +ms.author: lizross +ms.date: 08/11/2017 +localizationpriority: high +--- + +# Windows Defender Application Guard overview + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. + +Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. + + +## What is Application Guard and how does it work? +Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. + +If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. + +![Hardware isolation diagram](images/appguard-hardware-isolation.png) + +### What types of devices should use Application Guard? +Application Guard has been created to target 3 types of enterprise systems: + +- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. + +- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. + +- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. + +## In this section +|Topic |Description | +|------|------------| +|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. | +|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. | +|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| +|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.| +|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 34e836f47e..2232344229 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -117,10 +117,12 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the sc qc diagtrack ``` -## Windows Defender signature updates are configured -The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). +## Windows Defender Antivirus signature updates are configured +The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). -When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). +When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy. + +For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md). ## Windows Defender Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 16465baf1b..25be0c5cdc 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with ### Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|