diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index fcd5941968..d1c799ce87 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -17,6 +17,8 @@ ms.date: 12/11/2017
# Get started for Educators
Hello, Teachers! In this guide we'll show you how you can quickly and easily try out a few transformational tools in Microsoft Education.
+Connect the device to your school's Wi-Fi and then log-in with your teacher credentials included with your Trial in a Box.
+

## Explore these four tools in Microsoft Education
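Review bot: In the added line "Connect the device to your school's Wi-Fi and then log-in with your teacher credentials", "log-in" is the noun form; the verb should be "log in", and "the teacher credentials included with your Trial in a Box" reads more naturally than "your teacher credentials included with". The hunk also adds two blank lines after the sentence where the rest of the page uses one; drop the extra one so the spacing matches the paragraphs around it.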
@@ -59,11 +61,8 @@ See how Microsoft Teams for Education works in the classroom.
**Try this!** Take a guided tour of Microsoft Teams and test drive some teaching tasks.
-1. Open your browser and visit https://aka.ms/EduTeamsWalkthrough.
-2. Sign in using these credentials:
- - **User**: MSFT
- - **Password**: onStage!
-3. Follow along with the guide.
+1. Open your browser and visit https://msteamsdemo.azurewebsites.net/.
+2. Follow along with the guide.
## 3. OneNote
OneNote acts as an unlimited digital canvas for the whole class to store text, images, handwritten drawings, attachments, links, voice, video, and more. See how a group project comes together with opportunities to interact with other students, multimedia, and sophisticated drawing tools. This one works best with your digital pen!
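Review bot: Removing the shared demo credentials (the `**User**: MSFT` / `**Password**: onStage!` lines) from a public page is the right change; since they have already been published, please confirm with the owners of the old https://aka.ms/EduTeamsWalkthrough target that those credentials no longer work there before this ships. Also consider pointing the new step at an aka.ms redirect rather than the raw https://msteamsdemo.azurewebsites.net/ host, so the demo can move without another documentation edit.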
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index aead150a8c..39abab539a 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -18,19 +18,18 @@ ms.date: 12/11/2017

+## Welcome to the Microsoft Education Trial in a Box!
+
**Applies to:**
- Windows 10 S Fall Creators Update, Office 365 for Education, Microsoft Intune for Education, Microsoft Store for Education, Minecraft: Education Edition
-Welcome to the Microsoft Education Trial in a Box!
-
## What's Trial in a Box?
-Trial in a Box lets you evaluate our latest solutions for education.
+Trial in a Box puts the Microsoft education technology into an easy package so you can see how our solution can help to:
-With Microsoft Education Trial in a Box:
-* Educators can enhance independence for students of all abilities with intelligent tools like Microsoft Learning Tools, spark creativity, collaboration, and problem-solving with OneNote
-* Students can be more creative, collaborative, and improve problem-solving skills with Minecraft: Education Edition and bring ideas to life in 3D
-* IT admins can learn about the tools they can use to implement and deploy a full cloud infrastructure for their school that's secure and easy to manage
+* Enhance independence for students of all abilities with intelligent tools like Microsoft Learning Tools, and spark creativity, collaboration, and problem-solving with OneNote.
+* Inspire creativity, collaboration, and improve problem-solving skills with Minecraft: Education Edition and bring ideas to life in 3D.
+* Allow IT admins to quickly implement and deploy a full cloud infrastructure for their school that's secure and easy to manage.
## What's in Trial in a Box?
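Review bot: The new intro sentence "Trial in a Box puts the Microsoft education technology into an easy package so you can see how our solution can help to:" is awkward: drop "the" before "Microsoft education technology", and "our solution can help to:" does not lead cleanly into bullets that start with imperatives; suggest "Trial in a Box packages Microsoft education technology so you can see how our solutions help you:". The second bullet, "Inspire creativity, collaboration, and improve problem-solving skills with Minecraft: Education Edition", is not parallel; suggest "Inspire creativity and collaboration, improve problem-solving skills, and bring ideas to life in 3D with Minecraft: Education Edition."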
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index e37f9df60c..9cbc2e2676 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 1/6/2018
---
# Configure an MDM provider
@@ -23,17 +23,19 @@ Your management tool needs to be installed and configured with Azure AD, in the
**To configure a management tool in Azure AD**
-1. Sign in to the Azure Portal as an Administrator.
-2. Click **Active Directory**, and then choose your directory.
-3. Click **Applications**, find the application, and add it to your directory.
+1. Sign in to the Azure Portal as an Administrator.
+2. Click **Azure Active Directory**, and then choose your directory.
+4. Click **Mobility (MDM and MAM)**.
+3. Click **+Add Applications**, find the application, and add it to your directory.
After your management tool is added to your Azure AD directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure.
-**To configure a management tool in Store for Business**
+**To configure a management tool in Microsoft Store for Business**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, click **Store settings**, and then click **Management tools**.
-3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.**
+1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
+2. Click **Manage**, click **Settings**.
+3. Under **Distribute**, click **Management tools**.
+3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.**
Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
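Review bot: Step numbering is broken in both procedures. The Azure AD steps run 1, 2, 4, 3: the `+4. Click **Mobility (MDM and MAM)**.` line should be step 3 and `+3. Click **+Add Applications**, find the application, and add it to your directory.` should be step 4. The Store procedure has two steps numbered 3 (`+3. Under **Distribute**, click **Management tools**.` and the following `+3. From the list of MDM tools...`), so renumber the last one to 4. Also `+2. Click **Manage**, click **Settings**.` should read "Click **Manage**, and then click **Settings**." to match the other steps, and the Store for Business link still uses `http://businessstore.microsoft.com` while the Store for Education link beside it uses https; use https for both.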
diff --git a/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
new file mode 100644
index 0000000000..dfe6305024
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-accountpoliciesaccountlockoutpolicy.md
@@ -0,0 +1,206 @@
+---
+title: Policy CSP - AccountPoliciesAccountLockoutPolicy
+description: Policy CSP - AccountPoliciesAccountLockoutPolicy
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 12/29/2017
+---
+
+# Policy CSP - AccountPoliciesAccountLockoutPolicy
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## AccountPoliciesAccountLockoutPolicy policies
+
+
+ -
+ AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
+
+ -
+ AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
+
+ -
+ AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
+
+
+
+
+
+**AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major release. This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
+
+If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
+
+Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major release. This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.
+
+Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.
+
+Default: 0.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major release. This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.
+
+If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.
+
+Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
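Review bot: The footnote list at the end of this new file defines only footnotes 1, 2 and 3, yet every edition table in the file marks the three policies with 4 and each description opens with "Added in Windows 10, next major release."; add a matching `- 4 - Added in Windows 10, next major release.` entry. Each policy entry also stops at the Default line and never states the value type or the supported operations (compare the context line "Value type is string. Supported operations are Add, Get, Replace, and Delete." that the LocalPoliciesSecurityOptions hunk later in this patch shows for existing entries), so an MDM administrator cannot tell whether AccountLockoutDuration expects an integer number of minutes or a string, or whether Delete is permitted. Minor: the "Default: None, because this policy setting only has meaning when an Account lockout threshold is specified." wording appears verbatim under both AccountLockoutDuration and ResetAccountLockoutCounterAfter, which is fine, but the capitalization of "Account lockout threshold" should match the "account lockout threshold" used in the sentence above it.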
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 3866844bba..fc13b1db75 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 12/29/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -37,6 +39,36 @@ ms.date: 12/14/2017
LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
+
+ LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
+
+
+ LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
+
+
+ LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
+
+
+ LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
+
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+ LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+
+
+ LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
+
+
+ LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
+
LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
@@ -58,15 +90,72 @@ ms.date: 12/14/2017
LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
+
+ LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
+
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
+
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+ LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+ LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+ LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
+
+
+ LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+ LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
+
LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+
+ LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
+
+
+ LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
+
LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
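Review bot: `NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts` and `NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares` spell "SAM" differently. These are two distinct settings, but MDM tools send these node names verbatim, so please verify both casings against the actual CSP node names before the list is published; the nearby `NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM` uses uppercase, which makes the lowercase "Sam" look like a typo even if it is correct.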
@@ -76,6 +165,9 @@ ms.date: 12/14/2017
LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
+
+ LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
+
LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
@@ -88,6 +180,9 @@ ms.date: 12/14/2017
LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
+
+ LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
+
LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
@@ -406,6 +501,610 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Devices: Allow undock without having to log on.
+
+This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
+Default: Enabled.
+
+Caution:
+
+Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Devices: Allowed to format and eject removable media
+
+This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
+
+- Administrators
+- Administrators and Interactive Users
+
+Default: This policy is not defined and only Administrators have this ability.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Devices: Prevent users from installing printer drivers when connecting to shared printers
+
+For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
+
+Default on servers: Enabled.
+Default on workstations: Disabled
+
+Note
+
+This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Devices: Restrict CD-ROM access to locally logged-on user only
+
+This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
+
+If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.
+
+Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
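Review bot: In the DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways entry, the Notes paragraph contains the sentence "If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic." twice verbatim; drop the second copy. None of the new entries in this hunk carry the "Value type ... Supported operations ..." line that the context line at the top of the hunk shows for the existing entries, so a reader cannot tell which value enables or disables, for example, DomainMember_RequireStrongSessionKey or what MicrosoftNetworkClient settings accept. Formatting: `+Default: Enabled.` under Devices_AllowUndockWithoutHavingToLogon is not separated from the preceding paragraph by a blank line as the other Default lines are; the Devices_AllowedToFormatAndEjectRemovableMedia title lacks the trailing period that the Devices_AllowUndock title has; "Default on workstations: Disabled" is missing its period; and the two-line lists of policy names (the two "Domain member: ..." lines after "the following two policies:" and again under DomainMember_RequireStrongSessionKey) need list markers or they will render as one run-on paragraph.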
@@ -762,6 +1461,842 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Interactive logon: Smart card removal behavior
+
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+
+The options are:
+
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Microsoft network client: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network access: Let Everyone permissions apply to anonymous users
+
+This security setting determines what additional permissions are granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.
+
+If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network access: Restrict clients allowed to make remote calls to SAM
+
+This policy setting allows you to restrict remote rpc connections to SAM.
+
+If not selected, the default security descriptor will be used.
+
+This policy is supported on at least Windows Server 2016.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Allow Local System to use computer identity for NTLM
+
+This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
+
+If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
+
+If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.
+
+By default, this policy is enabled on Windows 7 and above.
+
+By default, this policy is disabled on Windows Vista.
+
+This policy is supported on at least Windows Vista or Windows Server 2008.
+
+Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
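Review bot: In the Important block under MicrosoftNetworkServer_DigitallySignCommunicationsAlways the companion policy is named "Microsoft network server: Digitally sign communications (if server agrees)", but the four-policy list a few lines above calls the server-side option "(if client agrees)", so that line should read `Microsoft network server: Digitally sign communications (if client agrees)`. Likewise, the last sentence under MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees says "the SMB client will never negotiate SMB packet signing" although the subject of that entry is the server-side setting; "SMB server" is meant. Smaller fixes in the same hunk: "If you click Disconnect if a Remote Desktop Services session" is a garbled rendering of the "Disconnect if a Remote Desktop Services session" option name; "Default:This policy" and "Default on server:Enabled." are missing a space after the colon; "remote rpc connections" should be "remote RPC connections". Finally, none of the new entries states the value type, the supported operations, or which integer selects which option, while the unchanged entries in this file end with "Value type is integer. Supported operations are Add, Get, Replace, and Delete." and a "The following list shows the supported values:" list; without that block an MDM administrator cannot tell from the page what to put in the OMA-URI, so please add it to each entry.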
@@ -811,6 +2346,265 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
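Review bot: The NetworkSecurity_LANManagerAuthenticationLevel entry lists the six options by their Group Policy display names only, without the integer each maps to, and its Default block names operating systems up to Windows Server 2008 R2 rather than a value; since this CSP is set through an integer (compare the unchanged "Value type is integer. Supported operations are Add, Get, Replace, and Delete." lines elsewhere in this file), the value mapping and the default for the Windows 10 release this CSP targets should be added, and the same applies to the two minimum-session-security entries whose Default blocks also stop at Windows 7 and Windows Server 2008 R2. Wording: the title "Network security LAN Manager authentication level" is missing the colon after "Network security"; "Windows 2000 and windows XP: send LM and NTLM responses" should be "Windows 2000 and Windows XP: Send LM and NTLM responses"; in the server-side minimum-session-security entry "Require 128-bit encryption." should use a colon like the line above it, and its "The connection will fail if message integrity is not negotiated" differs from the client-side entry's "if NTLMv2 protocol is not negotiated" for the same option name, so please confirm which wording is intended.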
@@ -907,6 +2701,120 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Shutdown: Clear virtual memory pagefile
+
+This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
+
+Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.
+
+When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+System objects: Require case insensitivity for non-Windows subsystems
+
+This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.
+
+If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
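Review bot: Neither Shutdown_ClearVirtualMemoryPageFile nor SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems says which integer enables the setting or which operations are supported; the unchanged entries around this hunk close with "Value type is integer. Supported operations are Add, Get, Replace, and Delete." and a supported-values list, so the same lines should close these two. The pagefile entry also states a Default of Disabled but the hibernation sentence ("the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled") reads as if it applies regardless of the policy value; rephrasing it as "When this policy is enabled and hibernation is disabled, hiberfil.sys is also zeroed" would make the condition explicit.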
@@ -1072,6 +2980,64 @@ The following list shows the supported values:
+**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+User Account Control: Detect application installations and prompt for elevation
+
+This policy setting controls the behavior of application installation detection for the computer.
+
+The options are:
+
+Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
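Review bot: The UserAccountControl_DetectApplicationInstallationsAndPromptForElevation entry reproduces the Group Policy explanatory text ("Enabled: (Default)" / "Disabled:") but never says which integer corresponds to Enabled and which to Disabled, nor the supported operations; the unchanged entries in this file carry "The following list shows the supported values:" and "Value type is integer. Supported operations are Add, Get, Replace, and Delete.", so please add both here. Since the text advises enterprises using delegated installation to disable the setting, the page should also make clear that disabling it removes the elevation prompt for detected installers rather than blocking them, which is what "Application installation packages are not detected and prompted for elevation" leaves ambiguous.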
@@ -1275,6 +3241,64 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+User Account Control: Use Admin Approval Mode for the built-in Administrator account
+
+This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
+
+The options are:
+
+• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
+
+• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
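Review bot: The UserAccountControl_UseAdminApprovalMode entry lacks the value type, supported operations and integer-to-option mapping that the surrounding unchanged entries provide ("Value type is integer. Supported operations are Add, Get, Replace, and Delete."), so a reader cannot tell which value turns Admin Approval Mode on for the built-in Administrator account; please add that block. Style: the two options use a literal "•" bullet character, whereas the DetectApplicationInstallationsAndPromptForElevation entry in this same change uses plain "Enabled:" / "Disabled:" lines and the WindowsDefenderSecurityCenter entries use markdown "- " lists; pick one convention for the whole change.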
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 5a8e93e3be..6a8faf5e69 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 12/19/2017
---
# Policy CSP - Update
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
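Review bot: The prerelease WARNING added under the "# Policy CSP - Update" heading is not tied to anything in this diff: the only content change to this file is marking Update/PhoneUpdateRestrictions as deprecated, which is not prerelease information. If the banner is meant for entries added elsewhere in the file, say which ones (the WindowsDefenderSecurityCenter page in this same change marks its new entries with "Added in Windows 10, next major release."); otherwise drop it, since a page-wide warranty disclaimer on a page of shipped policies tells administrators nothing actionable.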
@@ -112,6 +114,9 @@ ms.date: 12/14/2017
Update/PauseQualityUpdatesStartTime
+
+ Update/PhoneUpdateRestrictions
+
Update/RequireDeferUpgrade
@@ -1756,6 +1761,23 @@ The following list shows the supported values:
+**Update/PhoneUpdateRestrictions**
+
+
+This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead.
+
+
+
+
+
+
+
+
+
+
+
+
+
**Update/RequireDeferUpgrade**
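Review bot: The Update/PhoneUpdateRestrictions entry says only that the policy is deprecated; it should state whether a value already set through this policy is still honored or now ignored, and in which release it was deprecated, because an MDM server that continues to send it needs to know which behaviour to expect. The entry also omits the edition table and Scope block that every other entry in these pages carries, so the reader cannot tell which SKUs it applied to or whether the replacement, Update/RequireUpdateApproval, covers the same scope.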
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index fadfbb83c4..a04ffd61a6 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/01/2017
+ms.date: 12/29/2017
---
# Policy CSP - WindowsDefenderSecurityCenter
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -22,9 +24,15 @@ ms.date: 11/01/2017
WindowsDefenderSecurityCenter/CompanyName
+
+ WindowsDefenderSecurityCenter/DisableAccountProtectionUI
+
WindowsDefenderSecurityCenter/DisableAppBrowserUI
+
+ WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
+
WindowsDefenderSecurityCenter/DisableEnhancedNotifications
@@ -55,6 +63,15 @@ ms.date: 11/01/2017
WindowsDefenderSecurityCenter/EnableInAppCustomization
+
+ WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
+
+
+ WindowsDefenderSecurityCenter/HideSecureBoot
+
+
+ WindowsDefenderSecurityCenter/HideTPMTroubleshooting
+
WindowsDefenderSecurityCenter/Phone
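Review bot: the index entries added here are spaced inconsistently: two empty `+` lines follow HideRansomwareDataRecovery and HideSecureBoot, but only one follows EnableInAppCustomization and HideTPMTroubleshooting. Pick one spacing so the rendered list does not gain stray gaps.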
@@ -108,6 +125,61 @@ ms.date: 11/01/2017
+**WindowsDefenderSecurityCenter/DisableAccountProtectionUI**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major release. Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+Valid values:
+
+- 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center.
+- 1 - (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**WindowsDefenderSecurityCenter/DisableAppBrowserUI**
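Review bot: the Valid values list for DisableAccountProtectionUI labels 0 as "(Disable)" and 1 as "(Enable)" while the description says "If you disable or do not configure this setting, Windows defender Security Center will display this area"; a reader has to work out that Disable/Enable refer to the policy, not to the UI area. Suggest the phrasing used later in the same file for HideSecureBoot, e.g. "0 - (Disable or not configured) The Account protection area is displayed." / "1 - (Enable) The Account protection area is hidden." Smaller points in the same block: "specify if to display" should be "specify whether to display", "Windows defender Security Center" should be capitalised "Windows Defender Security Center", "next major release" differs from "next major update" used in the Hide* sections below, and the "Value type is integer. Supported operations are ..." line present for CompanyName is missing here.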
@@ -154,6 +226,61 @@ ms.date: 11/01/2017
+**WindowsDefenderSecurityCenter/DisableDeviceSecurityUI**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major release. Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
+
+Valid values:
+
+- 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center.
+- 1 - (Enable) The users cannot see the display of the Device secuirty area in Windows Defender Security Center.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**WindowsDefenderSecurityCenter/DisableEnhancedNotifications**
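Review bot: typo "Device secuirty area" in the value-1 line of the DisableDeviceSecurityUI Valid values list; the same block also has "Windows defender Security Center" with a lower-case "defender" and the same Disable/Enable labelling ambiguity as DisableAccountProtectionUI (0 and 1 describe the policy state, but the text reads as if they describe the UI). Suggest "0 - (Disable or not configured) The Device security area is displayed." / "1 - (Enable) The Device security area is hidden.", plus the value type and supported operations line the CompanyName section carries.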
@@ -603,7 +730,7 @@ ms.date: 11/01/2017
-Added in Windows 10, version 1709.Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
+
Added in Windows 10, version 1709. Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values:
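Review bot: the duplicated CompanyName paragraph (the copy with the missing space after "1709.") is replaced by an empty `+` line rather than removed, which leaves two blank lines in a row before the kept paragraph; dropping the `+` line outright gives the same result without the extra gap.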
@@ -614,6 +741,165 @@ ms.date: 11/01/2017
+**WindowsDefenderSecurityCenter/HideRansomwareDataRecovery**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major update. Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. If you enable or do not configure this setting, the Ransomware data recovery area will be visible and actionable for users.
+
+ If you disable (same as not configured) this setting, the Ransomware data protection area will not be visible and any related toast notifications will not be active on the device.
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsDefenderSecurityCenter/HideSecureBoot**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major update. Use this policy to hide the Secure boot area in the Windows Defender Security Center.
+
+Valid values:
+
+- 0 - (Disable or not configured) The Secure boot area is displayed.
+- 1 - (Enable) The Secure boot area is hidden.
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsDefenderSecurityCenter/HideTPMTroubleshooting**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, next major update. Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center.
+
+Valid values:
+
+- 0 - (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed.
+- 1 - (Enable) The Security processor (TPM) troubleshooting area is hidden.
+
+
+
+
+
+
+
+
+
+
+
+
+
**WindowsDefenderSecurityCenter/Phone**
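Review bot: the HideRansomwareDataRecovery description contradicts itself: "If you enable or do not configure this setting, the Ransomware data recovery area will be visible" and, in the next paragraph, "If you disable (same as not configured) this setting, the Ransomware data protection area will not be visible" both claim the not-configured state, and the first sentence inverts the meaning of the HideSecureBoot and HideTPMTroubleshooting sections in the same hunk, where Enable (1) hides the area. Suggest aligning it with those sections and adding the missing Valid values list, e.g. "0 - (Disable or not configured) The Ransomware data recovery area is displayed." / "1 - (Enable) The Ransomware data recovery area is hidden and related toast notifications are not shown." The second paragraph also has a stray leading space and switches the area name from "data recovery" to "data protection".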
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 06074818fe..64f38bbf58 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -359,9 +359,12 @@ If you're running Windows 10, version 1507 or Windows 10, version 1511, create a
### 7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10.
+This setting stops communication with the Windows Insider Preview service that checks for new builds.
+Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
+
> [!NOTE]
-> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the telemetry level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
To turn off Insider Preview builds for a released version of Windows 10:
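Review bot: the new NOTE states that upgrading a zero-exhaust device to an Insider Preview build silently raises Feedback & Diagnostics to **Full**, and that the UI misreports it as **Basic** for a few hours, but it gives the administrator nothing to do about it. Suggest adding the remediation in the same note: re-apply the diagnostic data level setting after the upgrade and verify it only after the UI has refreshed or the device has rebooted, since the value shown immediately after the upgrade is not trustworthy. The two sentences moved out of the old NOTE ("This setting stops communication ..." and "Windows Insider Preview builds only apply ...") now run directly on from the intro sentence; a blank line before them would keep them as their own paragraph.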
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
index dbf65d48c2..4dc169b2f3 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
@@ -76,6 +76,12 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
+| **11 Disabled:Script Enforcement** | WDAC policies also restrict scripts and MSIs, and PowerShell runs in constrained language mode. Enabling this rule option will allow unsigned scripts to run and will leave PowerShell in full language mode. |
+| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
+| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
+| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
+| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
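Review bot: row **11 Disabled:Script Enforcement** reads as a plain feature; it should state the trade-off explicitly, that setting this option removes WDAC's protection for scripts and MSIs and takes PowerShell out of constrained language mode, so it is not enabled in an enforced production policy by accident. Rows 14 and 15 are fine on the dependency (15 already refers to option 14), but row 15 is missing the space before its closing `|` (".|"), and row 14 uses a curly apostrophe in "Microsoft’s" while the same row uses straight quotes for "known good"; keep the quoting consistent.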
## Windows Defender Application Control file rule levels
diff --git a/windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
index bf20b8965c..fc01d0cc1b 100644
--- a/windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
+author: v-anbic
+ms.author: v-anbic
ms.date: 09/12/2017
---