From 5838a7d3ac905c09073e85951310d5d0086bd054 Mon Sep 17 00:00:00 2001 From: Rittwika Rudra <33437129+RittwikaR@users.noreply.github.com> Date: Wed, 24 Aug 2022 13:09:35 -0700 Subject: [PATCH 1/9] Update Language-pack-management-csp.md On 8/26 this is being backported from Win 11 to Win 10 as part of 8C. The proposed changes reflect the new availability --- .../mdm/Language-pack-management-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 948207dc6d..37651bba2c 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -18,11 +18,11 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users. @@ -95,4 +95,4 @@ The Language Pack Management CSP allows a direct way to provision languages remo ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) From e2b969722c41013e2eadd177ed53571aff656b10 Mon Sep 17 00:00:00 2001 
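Review bot: in PATCH 1/9 the Pro, Windows SE, Enterprise and Education rows now read Windows 10 "Yes", but nothing in the hunk tells a reader which Windows 10 update introduces the CSP; the commit message says this availability arrives with a later backport, so add a qualifier under the table (a line stating the minimum Windows 10 update required) so admins don't target devices that haven't received it. The trailing "\ No newline at end of file" fix is fine.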
From: =?UTF-8?q?David=20B=C3=A9langer?= <11839202+davidbel@users.noreply.github.com> Date: Fri, 26 Aug 2022 16:27:46 -0700 Subject: [PATCH 2/9] Update policy-csp-remotedesktopservices.md Update policy-csp-remotedesktopservices.md to add the new WebAuthn Redirection policy. --- .../mdm/policy-csp-remotedesktopservices.md | 55 ++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 09f3f50725..faf08975f1 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -33,6 +33,9 @@ manager: aaroncz RemoteDesktopServices/DoNotAllowPasswordSaving
+
+ RemoteDesktopServices/DoNotAllowWebAuthnRedirection +
RemoteDesktopServices/PromptForPasswordUponConnection
@@ -257,6 +260,56 @@ ADMX Info:
+ +**RemoteDesktopServices/DoNotAllowWebAuthnRedirection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). + +By default, Remote Desktop allows redirection of WebAuthn requests. + +If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session. + +If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. + +If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session. + + + +ADMX Info: +- GP Friendly name: *Do not allow WebAuthn redirection* +- GP name: *TS_WEBAUTHN* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* +- GP ADMX file name: *terminalserver.admx* + + + + +
+ **RemoteDesktopServices/PromptForPasswordUponConnection** @@ -367,4 +420,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From e04f0c6a95528580687e0241512ccd44582df9e4 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Mon, 29 Aug 2022 08:03:25 -0400 Subject: [PATCH 3/9] Grammar edits --- windows/client-management/quick-assist.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 725cf5eda7..0b4918cbd6 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -97,8 +97,8 @@ Either the support staff or a user can start a Quick Assist session. - Type *Quick Assist* in the search box and press ENTER. - Press **CTRL** + **Windows** + **Q** - - For Windows 10 users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. - - For Windows 11 users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. + - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**. + - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**. 2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code. 
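Review bot: in the DoNotAllowWebAuthnRedirection description (PATCH 2/9, second hunk), "If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session." and the following "If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session." state the same outcome; drop the second. The entry also gives no supported value type or values (compare the 0/1 list in the NoUpdateNotificationDuringActiveHours entry added in PATCH 6/9), so an admin has nothing to put in the MDM payload; add the value type and say which value corresponds to Enabled. Finally, "security key, or other" is a dangling list item; "or other authenticators" reads better.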
@@ -141,7 +141,7 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps ### Install Quick Assist Offline -To install Quick Assist offline, you'll need to download your APPXBUNDLE and unecoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. +To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information. 1. Start **Windows PowerShell** with Administrative privileges. 1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD <*location of package file*>) From 885b3cc6c4bb57e51fdb1082cb816e3264c43f64 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 29 Aug 2022 10:30:04 -0500 Subject: [PATCH 4/9] Update policy-csp-remotedesktopservices.md --- .../client-management/mdm/policy-csp-remotedesktopservices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index faf08975f1..5d03cb7066 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md 
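Review bot: in the offline-install steps (PATCH 3/9, second hunk), both list items are numbered "1." and the second item refers to "the location you've saved the file to in step 1", but the download is described in the paragraph above rather than in a numbered step; either make the download step 1 or say "the location where you saved the APPXBUNDLE". The "unecoded" to "unencoded" fix is correct.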
@@ -133,7 +133,7 @@ ADMX Info: -Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. +Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: From fd86cdc7c2b03dba0458ff29e809f0ae4661bdd4 Mon Sep 17 00:00:00 2001 From: Rittwika Rudra <33437129+RittwikaR@users.noreply.github.com> Date: Mon, 29 Aug 2022 09:14:15 -0700 Subject: [PATCH 5/9] Update Language-pack-management-csp.md added link to the new PS module and removed mention of Intune --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 948207dc6d..3ce966e6bf 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md 
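Review bot: "Specifies whether it requires the use of a specific encryption level" still leaves "it" without an antecedent; rewrite as "Specifies whether to require a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections." The remainder of the hunk is unchanged context.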
@@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|No|Yes| |Education|No|Yes| -The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users. +The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](https://docs.microsoft.com/en-us/powershell/module/languagepackmanagement/?view=windowsserver2022-ps) PowerShell module. 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: @@ -95,4 +95,4 @@ The Language Pack Management CSP allows a direct way to provision languages remo ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) From 86e511094b46a7637737f8f300a6b30573f96e57 Mon Sep 17 00:00:00 2001 From: itsrlyAria <82474610+itsrlyAria@users.noreply.github.com> Date: Mon, 29 Aug 2022 10:02:38 -0700 Subject: [PATCH 6/9] Update policy-csp-update.md Adding the NoUpdateNotificationDuringActiveHours policy to this list of policies. --- .../mdm/policy-csp-update.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 26dfc16e2f..e056057f7a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -138,6 +138,9 @@ ms.collection: highpri
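Review bot: this hunk's pre-image index (948207dc6d) and its context lines "|Enterprise|No|Yes|" and "|Education|No|Yes|" are the file as it stood before PATCH 1/9 flipped those rows to Windows 10 "Yes", so the series will not apply cleanly in order and, if the conflict is resolved by taking this side, the applicability change is silently dropped; rebase PATCH 5/9 onto PATCH 1/9. The new description is also a single sentence listing seven settings; a bulleted list of the managed settings would be easier to scan.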
Update/ManagePreviewBuilds +
+
+ Update/NoUpdateNotificationDuringActiveHours
Update/PauseDeferrals @@ -2382,6 +2385,55 @@ The following list shows the supported values:
+ +**Update/NoUpdateNotificationDuringActiveHours** + + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + +Supported value type is a boolean. + +0 (Default) This configuration will provide the default behavior (notifications may display during active hours) +1: This setting will prevent notifications from displaying during active hours. + + + +ADMX Info: +- GP Friendly name: *Display options for update notifications* +- GP name: *NoUpdateNotificationDuringActiveHours* +- GP element: *NoUpdateNotificationDuringActiveHours* +- GP path: *Windows Components\WindowsUpdate\Manage end user experience* +- GP ADMX file name: *WindowsUpdate.admx* + + + +
+ + **Update/PauseDeferrals** From fc8e6f9901221e47231a70a03758269541b9310b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 29 Aug 2022 14:07:21 -0400 Subject: [PATCH 7/9] Update Language-pack-management-csp.md Change link to relevant url --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 3ce966e6bf..75ba8815c4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|No|Yes| |Education|No|Yes| -The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](https://docs.microsoft.com/en-us/powershell/module/languagepackmanagement/?view=windowsserver2022-ps) PowerShell module. +The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module. 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: From 6e6c726c0a14abc45435a54e4c0b26a68f3329b5 Mon Sep 17 00:00:00 2001 
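Review bot: in the NoUpdateNotificationDuringActiveHours entry (PATCH 6/9, second hunk), the value list mixes styles ("0 (Default) This configuration will provide..." versus "1: This setting will prevent...") and is not formatted as a list; write it as two bullets, for example "- 0 (default): Notifications may display during active hours." and "- 1: Notifications are not displayed during active hours." The sentence beginning "Note - if no active hour period is configured" should use the "> [!NOTE]" callout the other entries use, and "until deadline is reached" should read "until the deadline is reached".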
From: jsuther1974 Date: Mon, 29 Aug 2022 13:16:08 -0700 Subject: [PATCH 8/9] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index e1f7559c0d..faaf141188 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -10,11 +10,11 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: dansimp -ms.reviewer: isbrahm +author: jogeurte +ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp -ms.date: 06/28/2022 +ms.date: 08/29/2022 ms.technology: windows-sec --- 
@@ -120,6 +120,9 @@ As part of normal operations, they'll eventually install software updates, or pe Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these sets exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md). +> [!NOTE] +> For others to better understand the WDAC policies that have been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. + ## More information about filepath rules Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. 
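Review bot: the NOTE moved here now follows the rule-precedence paragraph, which is the right place for it, but it still gives no reason for keeping ALLOW and DENY policies separate; the paragraph directly above supplies the hook (explicit deny rules are processed first, then explicit allow rules), so one clause tying the recommendation to that ordering would make it actionable instead of a bare recommendation. The "that has been deployed" to "that have been deployed" grammar fix in the moved text is correct.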
@@ -139,7 +142,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. +> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied. > [!NOTE] > There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules. From 28415f96f507034d4f536f7b2b3fb7b9ea435cc9 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 29 Aug 2022 13:21:10 -0700 Subject: [PATCH 9/9] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index faaf141188..0194121a74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
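Review bot: the replacement NOTE says MEMCM-generated rules "aren't WDAC filepath rules" and that later file changes "won't be allowed unless the MEMCM policy is reapplied", but it never says what kind of rule MEMCM does create from its one-time scan; naming the rule type would let readers predict what happens when a binary under one of those folders is updated in place. The NOTE removed here is the one re-added in the previous hunk, so no text is lost by the move.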
@@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: jogeurte +author: jgeurten ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp
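Review bot: this hunk only corrects the author value that PATCH 8/9 introduced ("jogeurte" to "jgeurten"); squash it into PATCH 8/9 so no commit in the series carries the misspelled alias.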