diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 075a516838..0015a87b88 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -12,7 +12,8 @@
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
- "RestApi": "Content"
+ "RestApi": "Content",
+ "ZonePivotGroups": "Toc"
 },
 "build_entry_point": "docs",
 "template_folder": "_themes"
@@ -90,6 +91,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -106,6 +108,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": false,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -122,6 +125,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -138,6 +142,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -170,6 +175,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
@@ -186,6 +192,7 @@
 "moniker_ranges": [],
 "open_to_public_contributors": true,
 "type_mapping": {
+ "ZonePivotGroups": "Toc",
 "Conceptual": "Content",
 "ManagedReference": "Content",
 "RestApi": "Content"
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 9615d03df7..be07145db2 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
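Review bot: The new `"ZonePivotGroups": "Toc"` entry is placed last in the first `type_mapping` block (after `"RestApi"`) but first in the six later blocks (before `"Conceptual"`). Key order carries no meaning for the build, so this is only a point of style, but the seven blocks are otherwise identical and using one placement throughout keeps them grep- and diff-friendly.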
@@ -177,7 +177,12 @@
 },
 {
 "source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
- "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/hardware-security/tpm/trusted-platform-module-top-node.md",
+ "redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
 "redirect_document_id": false
 },
 {
@@ -6842,7 +6847,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md",
- "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
 "redirect_document_id": false
 },
 {
@@ -6925,11 +6930,6 @@
 "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
- "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md",
 "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices",
@@ -7077,7 +7077,7 @@
 },
 {
 "source_path": "windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md",
- "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
 "redirect_document_id": false
 },
 {
@@ -7954,6 +7954,91 @@
 "source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md",
 "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831807(v=ws.11)",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md",
+ "redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
+ "redirect_document_id": false
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml
index e95c203c60..addd4468b1 100644
--- a/browsers/edge/microsoft-edge.yml
+++ b/browsers/edge/microsoft-edge.yml
@@ -40,14 +40,6 @@ landingContent: - text: Evaluate the impact url: ./microsoft-edge-forrester.md - # Card (optional) - - title: Test your site on Microsoft Edge - linkLists: - - linkListType: overview - links: - - text: Test your site on Microsoft Edge for free on BrowserStack - url: https://developer.microsoft.com/microsoft-edge/tools/remote/ - # Card (optional) - title: Improve compatibility with Enterprise Mode linkLists:
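Review bot: The entry whose `source_path` is `windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md` is missing the `windows-firewall/` directory segment that every neighbouring entry has, and an entry with the full path and the same `configure-with-command-line` target follows a few lines later; unless a file ever existed at the shorter path, the first one looks like a typo'd duplicate and should be dropped. The `-}` / `+}` pair at the end of the hunk followed by `\ No newline at end of file` means the commit strips the file's trailing newline; restoring it keeps the file POSIX-clean and avoids a spurious diff on the next edit. The earlier `threat-protection/windows-firewall/...` entries for the pages this hunk retires (for example the `create-an-inbound-*` and `create-an-outbound-*` rule pages) are outside the visible part of the diff; if they still point at the old `windows-firewall/<page>` URLs they now become two-hop redirect chains, whereas the updated `isolating-apps-on-your-network` and `configure-the-windows-firewall-log` entries in the earlier hunks go straight to the final target.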
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 211570e4b0..3ccb28392f 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -1,3 +1,4 @@
+items:
 - name: Windows
 tocHref: /windows/
 topicHref: /windows/index
diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md
index d30e2cc685..4a7b56a8be 100644
--- a/includes/configure/gpo-settings-1.md
+++ b/includes/configure/gpo-settings-1.md
@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings:
\ No newline at end of file
+To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use the following settings:
diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md
index bf8ee52309..88fd46ec27 100644
--- a/includes/configure/gpo-settings-2.md
+++ b/includes/configure/gpo-settings-2.md
@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups.
\ No newline at end of file
+Group policies can be [linked](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732979(v=ws.10)) to domains or organizational units, [filtered using security groups](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc752992(v=ws.10)), or [filtered using WMI filters](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)).
diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md
index d0b87a5b78..b27582fd32 100644
--- a/includes/configure/intune-settings-catalog-1.md
+++ b/includes/configure/intune-settings-catalog-1.md
@@ -6,4 +6,4 @@ ms.topic: include
 ms.prod: windows-client
 ---
 
-To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
+To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:
\ No newline at end of file
diff --git a/includes/configure/registry.md b/includes/configure/registry.md
new file mode 100644
index 0000000000..2c620f057a
--- /dev/null
+++ b/includes/configure/registry.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/15/2023
+ms.topic: include
+ms.prod: windows-client
+---
+
+To configure devices with the [Registry Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755256(v=ws.11)), use the following settings:
\ No newline at end of file
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index e68a87a3a6..9810ebe8bf 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -81,7 +81,7 @@ ms.topic: include
 |**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index e87793d3af..022cbf278b 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -81,7 +81,7 @@ ms.topic: include
 |**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 06a528a0ca..c0fe754915 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -38,6 +38,7 @@
 "ms.collection": [
 "tier2"
 ],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.technology": "itpro-manage",
diff --git a/windows/client-management/images/bing-chat-enterprise-chat-provider.png b/windows/client-management/images/bing-chat-enterprise-chat-provider.png
new file mode 100644
index 0000000000..6213a99d16
Binary files /dev/null and b/windows/client-management/images/bing-chat-enterprise-chat-provider.png differ
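Review bot: `zone_pivot_group_filename` points at `resources/zone-pivot-groups.json`, and no such file is added anywhere in the part of this diff that is visible here. Confirm the file already exists under the docset's `resources/` folder or is added in the same change; with the publish config now mapping `ZonePivotGroups` to `Toc`, a dangling reference would presumably only surface at build time rather than at review.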
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index aeaad6dc3b..9851b09748 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -1,31 +1,200 @@ --- title: Manage Copilot in Windows -description: Learn how to manage Copilot in Windows using MDM and group policy. +description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article -ms.date: 10/16/2023 +ms.technology: itpro-windows-copilot +ms.date: 11/06/2023 +ms.author: mstewart +author: mestew appliesto: -- ✅ Windows 11 +- ✅ Windows 11, version 22H2 or later --- # Manage Copilot in Windows + +>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider. -This article lists settings available to manage Copilot in Windows. 
To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). +> [!Note] +> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. +> - Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time. -## Turn off Copilot in Windows +## Configure Copilot in Windows for commercial environments -This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. +At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: -| | Setting | -|------------------|---------------------------------------------------------------------------------------------------------| -| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) +1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows +1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled +1. 
Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider + +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. + +|   | Setting | +|---|---| +| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | +## Chat provider platforms for Copilot in Windows -## Related articles +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
-- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0) +**Bing Chat**: -- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a) +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: + - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) + - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + + +**Bing Chat Enterprise**: + +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: + +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). 
+- Bing Chat Enterprise is available, at no additional cost, for the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Microsoft 365 Business Standard + - Microsoft 365 Business Premium + + > [!Note] + > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. + +## Configure the chat provider platform that Copilot in Windows uses + +Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. + +### Bing Chat as the chat provider platform + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + +- Bing Chat Enterprise isn't configured for the user +- The user isn't assigned a license that includes Bing Chat Enterprise +- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) +- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise + +### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) + +To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions: + +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. 
In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). + - Microsoft 365 Business Standard + - Microsoft 365 Business Premium +1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. +1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. +1. Verify that **Bing Chat Enterprise** is enabled for the user. +1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. + + > [!Note] + > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. 
+ +The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: + +```powershell +# Install Microsoft Graph module +if (-not (Get-Module Microsoft.Graph.Users)) { + Install-Module Microsoft.Graph.Users +} + +# Connect to Microsoft Graph +Connect-MgGraph -Scopes 'User.Read.All' + +# Get all users +$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans + +# Users with Bing Chat Enterprise enabled +$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table + +# Users without Bing Chat Enterprise enabled +$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table +``` + +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: + +:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: + +## Ensure the Copilot in Windows user experience is enabled + +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version. 
+ +### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients + +Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: + +1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. Apply a policy to enable features under temporary enterprise control for managed clients. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** + + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. + > [!Important] + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies:
+ - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features**
+ - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates)
+ - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category.
+
+ The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs:
+ - Automatically receive optional updates (including CFRs)
+ - This selection places devices into an early CFR phase
+ - Users can select which optional updates to receive
+
+1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.
+
+### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients
+
+Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.
+
+While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
+- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses)
+- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider)
+
+Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:
+
+- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot)
+- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**
+
+## Other settings that might affect Copilot in Windows and its underlying chat provider
+
+Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
+
+### Bing settings
+
+- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows.
The following network changes block the chat providers for Copilot in Windows and Copilot in Edge:
+ - mapping `www.bing.com` to `strict.bing.com`
+ - mapping `edgeservices.bing.com` to `strict.bing.com`
+ - blocking `bing.com`
+
+- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
+
+ |Key |Value |
+ |:---------|:------------|
+ |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface
**false** hides the interface |
+
+### Microsoft Edge policies
+
+- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed.
+- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
+
+### Search settings
+
+- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience.
+- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences.
+
+### Account settings
+
+- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge.
+- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication.
+
+## Microsoft's commitment to responsible AI
+
+Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first.
For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 7d6b0d757b..792538bcd5 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -469,10 +469,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
-> [!WARNING]
-> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
-
-**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
+Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2 with KB5030310. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
 > [!NOTE]
 > Web sign-in is only supported on Microsoft Entra joined PCs.
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 9a3988642d..e825289b3c 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -8,7 +8,7 @@ ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 02/23/2018
+ms.date: 11/16/2023
 ---
 # Update CSP
@@ -40,7 +40,7 @@ The following example shows the Update configuration service provider in tree fo
 ----FailedUpdates
 --------Failed Update Guid
 ------------HResult
-------------Status
+------------State
 ------------RevisionNumber
 ----InstalledUpdates
 --------Installed Update Guid
@@ -63,136 +63,152 @@ The following example shows the Update configuration service provider in tree fo
 ```
 **./Vendor/MSFT/Update**
-

The root node. +The root node. -

Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -

Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -

The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -

Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -

Specifies the update GUID. +Specifies the update GUID. -

To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -

Supported operations are Get and Add. +Supported operations are Get and Add. -

Sample syncml: +Sample syncml: ``` ./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d ``` **ApprovedUpdates/*Approved Update Guid*/ApprovedTime** -

Specifies the time the update gets approved. +Specifies the time the update gets approved. -

Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -

Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -

Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -

Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -

Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -

The update failure error code. +The update failure error code. -

Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -

Specifies the failed update status (for example, download, install).
+**FailedUpdates/*Failed Update Guid*/State**
+Specifies the failed update state.
-

Supported operation is Get.
+| Update Status | Integer Value |
+| -------------------------- | ------------- |
+| UpdateStatusNewUpdate | 1 |
+| UpdateStatusReadyToDownload| 2 |
+| UpdateStatusDownloading | 4 |
+| UpdateStatusDownloadBlocked| 8 |
+| UpdateStatusDownloadFailed | 16 |
+| UpdateStatusReadyToInstall | 32 |
+| UpdateStatusInstalling | 64 |
+| UpdateStatusInstallBlocked | 128 |
+| UpdateStatusInstallFailed | 256 |
+| UpdateStatusRebootRequired | 512 |
+| UpdateStatusUpdateCompleted| 1024 |
+| UpdateStatusCommitFailed | 2048 |
+| UpdateStatusPostReboot | 4096 |
+
+Supported operation is Get.
 **FailedUpdates/*Failed Update Guid*/RevisionNumber**
-

Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -

The updates that are installed on the device. +The updates that are installed on the device. -

Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -

UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -

Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -

Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -

The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -

Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -

Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -

Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -

The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -

Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -

The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -

The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -

Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -

Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -

Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -

The time the update is installed. +The time the update is installed. -

Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -

Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -

The last successful scan time. +The last successful scan time. -

Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -

Upgrades deferred until the next period. +Upgrades deferred until the next period. -

Supported operation is Get.
+Supported operation is Get.
 **Rollback**
 Added in Windows 10, version 1803. Node for the rollback operations.
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 36c6607860..f2f46412bc 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -38,6 +38,7 @@
 "ms.collection": [
 "tier2"
 ],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.technology": "itpro-configure",
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 8ad4658ea1..f94f31723e 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -14,7 +14,7 @@ ms.collection:
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
-ms.date: 11/23/2022
+ms.date: 11/14/2023
 ---
 # Deploy Windows Enterprise licenses
@@ -306,6 +306,6 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
 ## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster. Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index f878a7d748..d42a253d04 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -11,16 +11,14 @@ ms.topic: conceptual
 ms.collection:
 - highpri
 - tier2
-ms.date: 11/23/2022
+ms.date: 11/17/2023
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
 ---
 # What's new in Windows client deployment
-*Applies to:*
-
-- Windows 10
-- Windows 11
-
 This article provides an overview of new solutions and online content related to deploying Windows client in your organization.
 - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
@@ -33,41 +31,39 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition
 Check out the following new articles about Windows 11:
-- [Overview of Windows 11](/windows/whats-new/windows-11)
-- [Plan for Windows 11](/windows/whats-new/windows-11-plan)
-- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
-
-The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
+- [Overview of Windows 11](/windows/whats-new/windows-11).
+- [Plan for Windows 11](/windows/whats-new/windows-11-plan).
+- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
+- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
 ## Deployment tools
-[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
-New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
-VPN support is added to [Windows Autopilot](#windows-autopilot)
-An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
-The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.
+- [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
+- New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
+- VPN support is added to [Windows Autopilot](#windows-autopilot).
+- An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
 ## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
+The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
 ## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines:
-- Windows 10
-- Office 365
+- A currently supported version of Windows.
+- Office 365.
 - Enterprise Mobility and Security (EMS).
-See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
+See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
-## Windows 10 servicing and support
+## Windows servicing and support
 ### Delivery Optimization
-Windows PowerShell cmdlets for Delivery Optimization have been improved:
+Windows PowerShell cmdlets for Delivery Optimization is improved:
-- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
 - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
 - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
@@ -79,29 +75,36 @@ Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md
 The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
-- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- - Reason: Replaced with separate policies for foreground and background
-- Max Upload Bandwidth (DOMaxUploadBandwidth)
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
+ - Reason: Replaced with separate policies for foreground and background.
+- Max Upload Bandwidth (DOMaxUploadBandwidth).
 - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
-- Absolute max throttle (DOMaxDownloadBandwidth)
- - Reason: separated to foreground and background
+- Absolute max throttle (DOMaxDownloadBandwidth).
+ - Reason: separated to foreground and background.
 ### Windows Update for Business
 [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
-- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+- **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to.
Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+
+- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
+
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
+
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
 - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the table below.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
+
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
+
+- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+
+Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:
 ![Support lifecycle.](images/support-cycle.png)
@@ -111,7 +114,7 @@ Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Mi
 Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
 ## Deployment solutions and tools
@@ -119,17 +122,17 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
-With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903.
Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Configuration Manager
@@ -137,25 +140,21 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
### Windows 10 Subscription Activation
-Windows 10 Education support has been added to Windows 10 Subscription Activation.
+Windows 10 Education support is added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag
-[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
+[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-In Windows 10, version 2004, SetupDiag is now automatically installed.
-
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure.
If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following articles:
@@ -164,7 +163,7 @@ For more information about Upgrade Readiness, see the following articles:
### Update Compliance
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
@@ -172,31 +171,35 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Device Health
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview)
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
-There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
-MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There's currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
+MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
+> [!IMPORTANT]
+>
+> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
+
### Windows Assessment and Deployment Kit (ADK)
-The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install). For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
+Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
@@ -206,19 +209,19 @@ The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual
For more information, see the following guides:
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
## Troubleshooting guidance
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The article provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Related articles
-[Overview of Windows as a service](update/waas-overview.md)
-[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-[Windows 10 release information](/windows/windows-10/release-information)
-[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
-[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+- [Overview of Windows as a service](update/waas-overview.md).
+- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
+- [Windows 10 release information](/windows/windows-10/release-information).
+- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
+- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
+- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 010894a61d..c93ec2fbed 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -50,7 +50,8 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 11 Win32 Store apps | Windows 11 | :heavy_check_mark: | | |
| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 2ab8313425..a0eb436b76 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.prod: windows-client
author: frankroj
ms.author: frankroj
-ms.date: 11/23/2022
+ms.date: 11/16/2023
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@@ -12,19 +12,18 @@ ms.collection:
- highpri
- tier2
ms.technology: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# MBR2GPT.EXE
-*Applies to:*
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option.
-- Windows 10
+**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows.
-**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
-
-MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
-
-The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+The tool is available in both the full OS environment and Windows PE.
See the following video for a detailed description and demonstration of MBR2GPT.
@@ -33,13 +32,13 @@ See the following video for a detailed description and demonstration of MBR2GPT.
You can use MBR2GPT to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
+- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
> [!IMPORTANT]
+>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
> Make sure that your device supports UEFI before attempting to convert the disk.
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
- The disk doesn't have any extended/logical partition
- The BCD store on the system partition contains a default OS entry pointing to an OS partition
- The volume IDs can be retrieved for each volume that has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option
-If any of these checks fails, the conversion won't proceed, and an error will be returned.
+If any of these checks fails, the conversion doesn't proceed, and an error is returned.
## Syntax
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be
|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
-|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.|
|**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
## Examples
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+ - A system reserved partition.
+ - A Windows partition.
+ - A recovery partition.
+ - A DVD-ROM is also present as volume 0.
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.

@@ -240,42 +244,44 @@ Offset in Bytes: 524288000
The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
1. Disk validation is performed.
-2. The disk is repartitioned to create an EFI system partition (ESP) if one doesn't already exist.
-3. UEFI boot files are installed to the ESP.
+2. The disk is repartitioned to create an EFI system partition if one doesn't already exist.
+3. UEFI boot files are installed to the EFI system partition.
4. GPT metadata and layout information are applied.
5. The boot configuration data (BCD) store is updated.
6. Drive letter assignments are restored.
### Creating an EFI system partition
-For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+For Windows to remain bootable after the conversion, an EFI system partition must be in place. MBR2GPT creates the EFI system partition using the following rules:
1. The existing MBR system partition is reused if it meets these requirements:
- 1. It isn't also the OS or Windows Recovery Environment partition.
- 1. It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
- 1. It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
- 1. The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed.
-2. If the existing MBR system partition can't be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
+ - It isn't also the OS or Windows Recovery Environment partition.
+ - It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
+ - It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
+ - The conversion isn't being performed from the full OS.
In this case, the existing MBR system partition is in use and can't be repurposed.
-If the existing MBR system partition isn't reused for the ESP, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
+2. If the existing MBR system partition can't be reused, a new EFI system partition is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
->[!IMPORTANT]
->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+If the existing MBR system partition isn't reused for the EFI system partition, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
+
+> [!IMPORTANT]
+>
+> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
### Partition type mapping and partition attributes
Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
-1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
-2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
-3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
-4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+1. 
The EFI system partition is always set to partition type **PARTITION_SYSTEM_GUID** (**c12a7328-f81f-11d2-ba4b-00a0c93ec93b**).
+2. If an MBR partition is of a type that matches one of the entries specified in the `/map` switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type **0x27**, the partition is converted to a GPT partition of type **PARTITION_MSFT_RECOVERY_GUID** (**de94bba4-06d1-4d40-a16a-bfd50179d6ac**).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type **PARTITION_BASIC_DATA_GUID** (**ebd0a0a2-b9e5-4433-87c0-68b6b72699c7**).
In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
-- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
-- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+- **GPT_ATTRIBUTE_PLATFORM_REQUIRED** (**0x0000000000000001**)
+- **GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER** (**0x8000000000000000**)
For more information about partition types, see:
@@ -284,20 +290,21 @@ For more information about partition types, see: ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. > [!IMPORTANT] +> > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. -The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following: -1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +1. Checks if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. 2. If found, set the value to be the new unique ID, obtained after the layout conversion. -3. If the new unique ID can't be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. +3. 
If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. ## Troubleshooting -The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). +The tool displays status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this information is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). ### Logs 
@@ -308,16 +315,21 @@ Four log files are created by the MBR2GPT tool: - setupact.log - setuperr.log -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The `setupact.log` and `setuperr.log` files have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. > [!NOTE] -> The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. +> +> The **setupact*.log** files are different than the Windows Setup files that are found in the `%Windir%\Panther` directory. The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`** +To view a list of options available when using the tool, enter the following command in an elevated command prompt: + +```cmd +mbr2gpt.exe /? +``` The following text is displayed: 
@@ -378,7 +390,21 @@ MBR2GPT has the following associated return codes: ### Determining the partition type -You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: +The partition type can be determined in one of three ways: + +- Using Windows PowerShell +- Using the Disk Management tool +- Using the DiskPart tool + +#### Windows PowerShell + +You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type: + +```powershell +Get-Disk | ft -Auto +`````` + +Example output: ```powershell PS C:\> Get-Disk | ft -Auto 
@@ -389,11 +415,43 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To 1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT ``` -You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: +#### Disk Management tool -:::image type="content" alt-text="Volumes." source="images/mbr2gpt-volume.png"::: +You can view the partition type of a disk by using the Disk Management tool: -If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: +1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**. + +1. In the **Disk Management** window that appears: + + 1. On the bottom pane, select the disk number of interest. + + 1. Select the **Action** menu and then select **All Tasks > Properties**. Alternatively, right-click on the disk number of interest and select **Properties**. + + 1. In the **Properties** dialog box that appears for the disk, select the **Volumes** tab. + + 1. Under the **Volumes** tab, the partition type is displayed next to **Partition style:**. + +#### DiskPart tool + +The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE. PowerShell isn't available in WinPE when the PowerShell optional component isn't loaded. To use the DiskPart tool to determine the partition type: + +1. Open an elevated command prompt. + +1. 
In the elevated command prompt that opens enter the following command: + + ```cmd + DiskPart.exe + ``` + +1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command: + + ```cmd + list disk + ``` + +1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank. + +The following shows an example output of the DiskPart tool showing the partition type for two disks: ```cmd X:\>DiskPart.exe 
@@ -412,66 +470,3 @@ DISKPART> list disk ``` In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. - -## Known issue - -### MBR2GPT.exe can't run in Windows PE - -When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: - -**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive. - -**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool. - -**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. - -#### Cause - -This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. - -#### Workaround - -To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. Use follow these steps: - -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). - -2. Copy the ReAgent files and the ReAgent localization files from the Windows 10, version 1903 ADK source folder to the mounted WIM. 
- - For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - - > [!NOTE] - > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit. - - **Command 1:** - - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" - ``` - - This command copies three files: - - - ReAgent.admx - - ReAgent.dll - - ReAgent.xml - - **Command 2:** - - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` - - This command copies two files: - - - ReAgent.adml - - ReAgent.dll.mui - - > [!NOTE] - > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - -## Related articles - -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 840ea3d5a7..05c5f63d80 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -9,9 +9,8 @@ ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
 appliesto:
-- ✅ Windows 11
 - ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/16/2023
 ---
 
 # Configure BranchCache for Windows client updates
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)). -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. + +> [!Note] +> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11. ## Configure servers for BranchCache 
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 6af6c31910..2a1baa5255 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -16,7 +16,7 @@ appliesto:
 - ✅ Windows Server 2022
 - ✅ Windows Server 2019
 - ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 11/30/2023
 ---
 
 # Configure Windows Update for Business
@@ -210,7 +210,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
 | MDM for Windows 10, version 1607 and later:
../Vendor/MSFT/Policy/Config/Update/
**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | ## Enable optional updates - + In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy. To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. @@ -243,8 +243,8 @@ The following options are available for the policy: | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent | -| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later:
./Device/Vendor/MSFT/Policy/Config/Update/
**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent | +| **GPO applies to**:

**GPO location**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent | +| **MDM applies to**:

**MDM location**: ./Device/Vendor/MSFT/Policy/Config/Update/
**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent | ## Enable features that are behind temporary enterprise feature control @@ -269,7 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind | GPO Key | Key type | Value | | --- | --- | --- | -| AllowOptionalContent

*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)
2: Automatically receive optional updates
3: Users can select which optional updates to receive
Other value or absent: Don't receive optional updates| +| AllowOptionalContent

*Added in*:

| REG_DWORD | 1: Automatically receive optional updates (including CFRs)
2: Automatically receive optional updates
3: Users can select which optional updates to receive
Other value or absent: Don't receive optional updates| | AllowTemporaryEnterpriseFeatureControl

*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.
Other value or absent: Features that are shipped turned off by default will remain off | | BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast
4: Systems take feature updates for the Windows Insider build - Slow
8: Systems take feature updates for the Release Windows Insider build

Other value or absent: Receive all applicable updates | | DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates
Other value or absent: Don't defer feature updates | @@ -285,7 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind | MDM Key | Key type | Value | | --- | --- | --- | -| AllowOptionalContent

*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)
2: Automatically receive optional updates
3: Users can select which optional updates to receive
Other value or absent: Don't receive optional updates| +| AllowOptionalContent

*Added in*:

| REG_DWORD | 1: Automatically receive optional updates (including CFRs)
2: Automatically receive optional updates
3: Users can select which optional updates to receive
Other value or absent: Don't receive optional updates| | AllowTemporaryEnterpriseFeatureControl

*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.
Other value or absent: Features that are shipped turned off by default will remain off | | BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast
4: Systems take feature updates for the Windows Insider build - Slow
8: Systems take feature updates for the Release Windows Insider build
32: Systems take feature updates from General Availability Channel
Note: Other value or absent: Receive all applicable updates |
 | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index e65bab8900..cc945db4c2 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
-ms.date: 10/10/2023
+ms.date: 11/30/2023
 ---
 
 # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -47,19 +47,19 @@ Drivers are automatically enabled because they're beneficial to device systems. ### Set when devices receive feature and quality updates -#### I want to receive pre-release versions of the next feature update +#### I want to receive prerelease versions of the next feature update -1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. +1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. -1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**. +1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**. -1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation. +1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. 
Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation. -1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests. +1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests. #### I want to manage which released feature update my devices receive -A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. 
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify. - To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) - To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime) @@ -72,7 +72,7 @@ In this example, there are three rings for quality updates. The first ring ("pil ![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png) -When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates. +When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates. ##### Five days later The devices in the fast ring are offered the quality update the next time they scan for updates. 
@@ -80,11 +80,11 @@ The devices in the fast ring are offered the quality update the next time they s ![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png) ##### Ten days later -Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates. +Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates. ![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png) -If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves. +If no problems occur, all of the devices that scan for updates are offered the quality update within ten days of its release, in three waves. ##### What if a problem occurs with the update? 
@@ -109,13 +109,13 @@ If you need a device to stay on a version beyond the point when deferrals on the #### I want to manage when devices download, install, and restart after updates -We recommended that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check. +We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check. For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart). -It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours. +It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours. -To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. 
To do this, use Option 3, and then set the following policies as appropriate for your plan: +To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan: - [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) - [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) 
@@ -132,7 +132,7 @@ If you don't want to allow any automatic updates prior to the deadline, set [Upd #### I want to keep devices secure and compliant with update deadlines -We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings: +We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings: - [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates) - [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates) 
@@ -140,7 +140,7 @@ We recommend that you use set specific deadlines for feature and quality updates - [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) - [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot) -These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours. +These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours. These notifications are what the user sees depending on the settings you choose: 
@@ -172,7 +172,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window There are additional settings that affect the notifications. -We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values: +We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values: **0** (default) - Use the default Windows Update notifications
**1** - Turn off all notifications, excluding restart warnings
@@ -181,14 +181,14 @@ We recommend that you use the default notifications as they aim to provide the b > [!NOTE] > Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled. -Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto-restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications. +Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications. #### I want to manage the update settings a user can access -Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users. +Every Windows device provides users with various controls they can use to manage Windows Updates. 
They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users. Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess). -When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out. +When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out. If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess). 
@@ -205,3 +205,11 @@ The features that are turned off by default from servicing updates will be enabl - **0** (default): Allowed. All features in the latest monthly cumulative update are enabled. - When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots - **1** - Not allowed. Features that are shipped turned off by default will remain off + +#### I want to enable optional updates + +*Applies to:* +- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later +- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed + +In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using [AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent). For more information about optional content, see [Enable optional updates](waas-configure-wufb.md#enable-optional-updates). \ No newline at end of file diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 372a36d6df..22c937a71a 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md 
@@ -17,7 +17,7 @@ appliesto: - ✅ Windows Server 2022 - ✅ Windows Server 2019 - ✅ Windows Server 2016 -ms.date: 10/10/2023 +ms.date: 11/30/2023 --- # Walkthrough: Use Group Policy to configure Windows Update for Business @@ -202,7 +202,9 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann #### I want to enable optional updates -(*Starting in Windows 11, version 22H2 or later*) +*Applies to:* +- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later +- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy. diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index df89fc602d..aefcd10aa4 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -9,7 +9,7 @@ ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to -ms.date: 11/23/2022 +ms.date: 11/14/2023 --- # Configure VDA for Windows subscription activation 
@@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios: - VMs must be running a supported version of Windows Pro edition. - VMs must be joined to Active Directory or Microsoft Entra ID. -- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). ## Activation diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 40769fc671..11b304e822 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf > [!IMPORTANT] > Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network. -If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: - -1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page. - - > [!NOTE] - > The above link may not be available in all locales. - -2. Under **Virtual machine**, choose **IE11 on Win7**. - -3. Under **Select platform**, choose **HyperV (Windows)**. - -4. Select **Download .zip**. The download is 3.31 GB. - -5. Extract the zip file. Three directories are created. - -6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. - -7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). - -8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. + If you have a PC available to convert to VM (computer 2): 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6b8718bf68..b5fc8eb923 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.topic: conceptual -ms.date: 11/23/2022 +ms.date: 11/14/2023 appliesto: - ✅ Windows 10 - ✅ Windows 11 
@@ -39,7 +39,15 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**: +> +> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> +> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant. 
+> +> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise @@ -239,7 +247,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise ## Virtual Desktop Access (VDA) -Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index eb2f5d26d5..e41d8e60f4 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -1,7 +1,7 @@ --- title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch -ms.date: 09/16/2022 +ms.date: 09/16/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
index e68ee4d6bd..71b96ec441 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -1,7 +1,7 @@
 ---
 title: Quality update trending report
 description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 09/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 3b72dc6d90..fe9d6b3321 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -1,7 +1,7 @@
 ---
 title: Maintain the Windows Autopatch environment
 description: This article details how to maintain the Windows Autopatch environment
-ms.date: 05/15/2023
+ms.date: 09/15/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index 690e61a507..20c341551a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 01/06/2023 +ms.date: 09/06/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 54d107d92d..3f0e20c935 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 07/19/2023 + ms.date: 12/04/2023 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -28,7 +28,7 @@ sections: Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. - question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing? answer: | - Autopatch isn't available for 'A' or 'F' series licensing. + Autopatch isn't available for 'A'. Windows Autopatch supports some 'F' series licensing. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - question: Will Windows Autopatch support local domain join Windows 10? answer: | Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Microsoft Entra join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). 
@@ -54,8 +54,8 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only) or F3. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). + - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - question: Are there hardware requirements for Windows Autopatch? answer: | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 043db6fb77..0e481d7a66 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 03/13/2023 +ms.date: 09/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
index 6588ea5a13..bc26753af7 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -1,7 +1,7 @@
 ---
 title: Submit a tenant enrollment support request
 description: This article details how to submit a tenant enrollment support request
-ms.date: 01/13/2023
+ms.date: 09/13/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 8acdf328e5..f7a2045294 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -1,7 +1,7 @@
 ---
 title: Fix issues found by the Readiness assessment tool
 description: This article details how to fix issues found by the Readiness assessment tool.
-ms.date: 01/12/2023
+ms.date: 09/12/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index b0df16842e..f1351f3709 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 04/24/2023
+ms.date: 12/04/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Area | Prerequisite details | | ----- | ----- | -| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | +| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.

| | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).

Other device management prerequisites include:

See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.

For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).

| @@ -46,6 +46,10 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | +| [Microsoft 365 F3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993 | +| Microsoft 365 F3 (self-service) | Microsoft_365_F3_Department |6803cf1e-c822-41a1-864e-a31377bcdb7e | +| Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT |45972061-34c4-44c8-9e83-ad97815acc34 | +| Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87 | The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 9ece385c03..e72d9e8042 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -1,7 +1,7 @@ --- title: Windows update policies description: This article explains Windows update policies in Windows Autopatch -ms.date: 12/02/2022 +ms.date: 09/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 24650e3a33..64d5a76d3e 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 10/27/2023 +ms.date: 12/04/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -21,6 +21,20 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## December 2023 + +### December feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added F SKU licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. Also see [FAQ](../overview/windows-autopatch-faq.yml) | + +## November service release + +| Message center post number | Description | +| ----- | ----- | +| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance | + ## October 2023 ### October feature releases or updates diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml index 211570e4b0..cb49bed653 100644 --- a/windows/hub/breadcrumb/toc.yml +++ b/windows/hub/breadcrumb/toc.yml 
@@ -1,3 +1,27 @@ -- name: Windows - tocHref: /windows/ - topicHref: /windows/index +items: + - name: Docs + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /windows/ + topicHref: /windows/resources/ + items: + - name: What's new + tocHref: /windows/whats-new/ + topicHref: /windows/whats-new/ + - name: Configuration + tocHref: /windows/configuration/ + topicHref: /windows/configuration/ + - name: Deployment + tocHref: /windows/deployment/ + topicHref: /windows/deployment/ + - name: Client management + tocHref: /windows/client-management/ + topicHref: /windows/client-management/ + - name: Privacy + tocHref: /windows/privacy/ + topicHref: /windows/privacy/ + - name: Security + tocHref: /windows/security/ + topicHref: /windows/security/ \ No newline at end of file diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 321c0452a5..d67fd0b5fb 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -39,6 +39,7 @@ "tier1" ], "audience": "ITPro", + "zone_pivot_group_filename": "resources/zone-pivot-groups.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-Windows", "ms.technology": "itpro-fundamentals", diff --git a/windows/hub/zone-pivot-groups.yml b/windows/hub/zone-pivot-groups.yml new file mode 100644 index 0000000000..75e37a9170 --- /dev/null +++ b/windows/hub/zone-pivot-groups.yml @@ -0,0 +1,18 @@ +# YamlMime:ZonePivotGroups +groups: +- id: windows-versions-10-11 + title: Windows versions + prompt: "Select the Windows version you want to learn about:" + pivots: + - id: windows-10 + title: Windows 10 + - id: windows-11 + title: Windows 11 +- id: windows-editions-proent-proedu + title: Windows editions + prompt: "Select the Windows edition you want to learn about:" + pivots: + - id: windows-pro + title: Windows Pro Edu/Education + - id: windows-ent + title: Windows Pro/Enterprise 
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 4ac93439c6..f79b3dd872 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -1,6 +1,6 @@
 ---
 description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
-title: Required diagnostic events and fields for Windows 11, versions 23H3 and 22H2
+title: Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
 keywords: privacy, telemetry
 ms.prod: windows-client
 ms.technology: itpro-privacy
@@ -3655,4 +3655,4 @@ The following fields are available:
 - **ScenarioSupported** Whether the updated scenario that was passed in was supported.
 - **SessionId** The UpdateAgent “SessionId” value.
 - **UpdateId** Unique identifier for the Update.
-- **WuId** Unique identifier for the Windows Update client.
\ No newline at end of file
+- **WuId** Unique identifier for the Windows Update client.
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index fa5d96ef91..27338890ca 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -16,7 +16,7 @@ With UAC, each application that requires the *administrator access token* must p Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust: - A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application -- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows +- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web browser Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md index c51eebd95c..c1eee0110d 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/plan-wdac-management.md @@ -2,7 +2,7 @@ title: Plan for WDAC policy management description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. ms.localizationpriority: medium -ms.date: 11/02/2022 +ms.date: 11/22/2023 ms.topic: article --- 
@@ -11,7 +11,7 @@ ms.topic: article >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. +This article describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. ## Policy XML lifecycle management 
@@ -23,7 +23,7 @@ Most Windows Defender Application Control policies will evolve over time and pro 2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices. 3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks. 4. Repeat steps 2-3 until the remaining block events meet expectations. -5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated. +5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that the policy doesn't allow are prevented from running and corresponding block events are generated. 6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. 
@@ -35,7 +35,7 @@ To effectively manage Windows Defender Application Control policies, you should ### Set PolicyName, PolicyID, and Version metadata for each policy -Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy. +Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique policy ID. These unique attributes help you differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy. > [!NOTE] > PolicyID only applies to policies using the [multiple policy format](deploy-multiple-wdac-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. 
@@ -45,15 +45,15 @@ In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/con ### Policy rule updates -As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates. +You might need to revise your policy when new apps are deployed or existing apps are updated by the software publisher to ensure that apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you use WDAC [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you're less likely to need policy updates. ## WDAC event management -Each time that a process is blocked by Windows Defender Application Control, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file. 
+Each time that WDAC blocks a process, events are written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event describes the file that tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file. -Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)). +Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. You can [use the Azure Monitor Agent](/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent) to automatically collect your WDAC events for analysis. -Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature. +Additionally, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) collects WDAC events which can be queried using the [advanced hunting](../operations/querying-application-control-events-centrally-using-advanced-hunting.md) feature. ## Application and user support policy 
@@ -75,9 +75,9 @@ If your organization has an established help desk support department in place, c ### End-user support -Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plan how to provide end-user support. Considerations include: +Because Windows Defender Application Control is preventing unapproved apps from running, it's important that your organization carefully plans how to provide end-user support. Considerations include: -- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? +- Do you want to use an intranet site as a frontline of support for users who try to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? ## Document your plan diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md index 68d101d832..961a1e4dc4 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md @@ -2,7 +2,7 @@ title: Understand Windows Defender Application Control (WDAC) policy rules and file rules description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers. ms.localizationpriority: medium -ms.date: 08/11/2023 +ms.date: 11/22/2023 ms.topic: article --- 
@@ -11,7 +11,7 @@ ms.topic: article > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md). -Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. +Windows Defender Application Control (WDAC) can control what runs on your Windows devices by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how to identify applications your organization trusts. ## Windows Defender Application Control policy rules 
@@ -20,7 +20,9 @@ To modify the policy rule options of an existing WDAC policy XML, use the [WDAC You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether supplemental policies can set them. Some rule options are reserved for future work or not supported. > [!NOTE] -> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked-instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. +> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, applications run normally but WDAC logs events whenever a file runs that isn't allowed by the policy. To allow these files, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. +> +> Some apps may behave differently even when your policy is in audit mode. When an option may change behaviors in audit mode, that is noted in Table 1. You should always test your apps thoroughly when deploying significant updates to your WDAC policies. ### Table 1. Windows Defender Application Control policy - policy rule options 
@@ -37,7 +39,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **8 Required:EV Signers** | This option isn't currently supported. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a boot-critical driver fails during startup, the WDAC policy is placed in audit mode so that Windows loads. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No | -| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No | +| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. Some script hosts may behave differently even when your policy is in audit mode. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 or Windows 10 1607 LTSB and shouldn't be used on those operating systems. | No | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies also apply to Universal Windows applications. | No | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes | @@ -45,7 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
NOTE: This option is only supported on Windows 10, version 1709 and later, or Windows Server 2019 and later.| No | | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.
NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes | -| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No | +| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later.
NOTE: This option is always enforced if *any* WDAC UMCI policy enables it. There's no audit mode for .NET dynamic code security hardening. | No | | **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No | | **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No | 
@@ -71,7 +73,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. | | **RootCertificate** | Not supported. | -| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | +| **WHQL** | Only trusts binaries that were submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | | **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. | | **WHQLFilePublisher** | This level combines the "FileName" attribute of the signed file, plus "WHQLPublisher", plus a minimum version number. This level is primarily for kernel binaries. By default, this level uses the OriginalFileName attribute of the file's resource header. Use [-SpecificFileNameLevel](#use--specificfilenamelevel-with-filename-filepublisher-or-whqlfilepublisher-level-rules) to choose an alternative attribute, such as ProductName. | 
@@ -96,7 +98,7 @@ For example, consider an IT professional in a department that runs many servers. To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. With the help of the audit data, they update their WDAC policies to include any other software they want to run. Then they enable the WDAC policy in enforced mode for their servers. -As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. +As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they don't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version. ## File rule precedence order 
@@ -107,7 +109,7 @@ WDAC has a built-in file rule conflict logic that translates to precedence order ## Use -SpecificFileNameLevel with FileName, FilePublisher, or WHQLFilePublisher level rules -By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels will use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer may use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file. +By default, the FileName, FilePublisher, and WHQLFilePublisher rule levels use the OriginalFileName attribute from the file's resource header. You can use an alternative resource header attribute for your rules by setting the **-SpecificFileNameLevel**. For instance, a software developer might use the same ProductName for all binaries that are part of an app. Using -SpecificFileNameLevel, you can create a single rule to cover all of those binaries in your policy rather than individual rules for every file. Table 3 describes the available resource header attribute options you can set with -SpecificFileNameLevel. 
@@ -124,7 +126,7 @@ Table 3 describes the available resource header attribute options you can set wi ## More information about filepath rules -Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder. +Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect to remain admin-writeable only. You might want to avoid path rules for directories where standard users can modify ACLs on the folder. ### User-writable filepaths 
@@ -182,8 +184,8 @@ In the cmdlets, rather than try to predict which hash will be used, we precalcul ### Why does scan create eight hash rules for certain files? -Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file will only run in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file will only load in either user-mode or kernel, then you can safely remove the extra rules. +Separate rules are created for UMCI and KMCI. If the cmdlets can't determine that a file only runs in user-mode or in the kernel, then rules are created for both signing scenarios out of an abundance of caution. If you know that a particular file only loads in either user-mode or kernel, then you can safely remove the extra rules. ### When does WDAC use the flat file hash value? -There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This can occur for a number of reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. +There are some rare cases where a file's format doesn't conform to the Authenticode spec and so WDAC falls back to use the flat file hash. This behavior can occur for many reasons, such as if changes are made to the in-memory version of the file at runtime. In such cases, you'll see that the hash shown in the correlated 3089 signature information event matches the flat file hash from the 3076/3077 block event. 
To create rules for files with an invalid format, you can add hash rules to the policy for the flat file hash using the WDAC Wizard or by editing the policy XML directly. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md index 8f866fa055..b0ec0ebfe9 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet.md @@ -2,7 +2,7 @@ title: Windows Defender Application Control and .NET description: Understand how WDAC and .NET work together and use Dynamic Code Security to verify code loaded by .NET at runtime. ms.localizationpriority: medium -ms.date: 08/10/2022 +ms.date: 11/22/2023 ms.topic: article --- 
@@ -10,9 +10,9 @@ ms.topic: article .NET apps (as written in a high-level language like C#) are compiled to an Intermediate Language (IL). IL is a compact code format that can be supported on any operating system or architecture. Most .NET apps use APIs that are supported in multiple environments, requiring only the .NET runtime to run. IL needs to be compiled to native code in order to execute on a CPU, for example Arm64 or x64. When .NET compiles IL to native image (NI) on a device with a WDAC user mode policy, it first checks whether the original IL file passes the current WDAC policies. If so, .NET sets an NTFS extended attribute (EA) on the generated NI file so that WDAC knows to trust it as well. When the .NET app runs, WDAC sees the EA on the NI file and allows it. -The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and will fall back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. Since the IL is now being compiled at runtime, you may notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. +The EA set on the NI file only applies to the currently active WDAC policies. If one of the active WDAC policies is updated or a new policy is applied, the EA on the NI file is invalidated. The next time the app runs, WDAC will block the NI file. .NET handles the block gracefully and falls back to the original IL code. If the IL still passes the latest WDAC policies, then the app runs without any functional impact. 
Since the IL is now being compiled at runtime, you might notice a slight impact to performance of the app. When .NET must fall back to IL, .NET will also schedule a process to run at the next maintenance window to regenerate all NI files, thus reestablishing the WDAC EA for all code that passes the latest WDAC policies. -In some cases, if an NI file is blocked, you may see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events). +In some cases, if an NI file is blocked, you might see a "false positive" block event in the *CodeIntegrity - Operational* event log as described in [WDAC Admin Tips & Known Issues](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#net-native-images-may-generate-false-positive-block-events). To mitigate any performance impact caused when the WDAC EA isn't valid or missing: 
@@ -22,14 +22,17 @@ To mitigate any performance impact caused when the WDAC EA isn't valid or missin ## WDAC and .NET hardening -Security researchers have found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls. -Beginning with Windows 10, version 1803, WDAC includes a new option, called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. +Security researchers found that some .NET capabilities that allow apps to load libraries from external sources or generate new code at runtime can be used to circumvent WDAC controls. +To address this potential vulnerability, WDAC includes an option called *Dynamic Code Security* that works with .NET to verify code loaded at runtime. -When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share. +When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any remote sources, such as the internet or a network share. -Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. +> [!IMPORTANT] +> .Net dynamic code security hardening is *turned on and enforced* if any WDAC policy with UMCI enabled has set option **19 Enabled:Dynamic Code Security**. There is no audit mode for this feature. You should test your apps with this option set before turning it on across large numbers of devices. -Dynamic Code Security isn't enabled by default because existing policies may not account for externally loaded libraries. +Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that was tampered with. 
+ +Dynamic Code Security isn't enabled by default because existing policies might not account for externally loaded libraries. Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, aren't currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md index 44d5693f5a..98e2c42da8 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/configure-wdac-managed-installer.md @@ -1,9 +1,9 @@ --- title: Managed installer and ISG technical reference and troubleshooting guide -description: Explains how to configure a custom Manged Installer. +description: A technical reference and troubleshooting guide for managed installer and Intelligent Security Graph (ISG). ms.localizationpriority: medium ms.date: 11/11/2022 -ms.topic: article +ms.topic: troubleshooting --- # Managed installer and ISG technical reference and troubleshooting guide diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md index 0666d011c5..91af264958 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md 
+++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md @@ -2,7 +2,7 @@ title: WDAC Admin Tips & Known Issues description: WDAC Known Issues ms.manager: jsuther -ms.date: 05/09/2023 +ms.date: 11/22/2023 ms.topic: article ms.localizationpriority: medium --- @@ -23,7 +23,7 @@ This article covers tips and tricks for admins and known issues with Windows Def The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the <PolicyId> element. -For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b that may be found in the following locations: +For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b in the following locations: - <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b - <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b 
@@ -35,7 +35,7 @@ For **single policy format WDAC policies**, in addition to the two preceding loc
 When the WDAC engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, WDAC stops further processing.
-1. Explicit deny rules - if any explicit deny rule exists for the file, it's blocked even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
+1. Explicit deny rules - a file is blocked if any explicit deny rule exists for it, even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
 2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs.
@@ -43,17 +43,24 @@ When the WDAC engine evaluates files against the active set of policies on the d
 4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option.
-5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
+5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
 ## Known issues
 ### Boot stop failure (blue screen) occurs if more than 32 policies are active
-If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit.
+If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit.
+
+### Audit mode policies can change the behavior for some apps or cause app crashes
+
+Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
+
+- Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors.
+- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening).
 ### Managed Installer and ISG may cause excessive events
-When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
+When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
 ### .NET native images may generate false positive block events
@@ -83,13 +90,13 @@ msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
 ```
 ### Slow boot and performance with custom policies
-WDAC will evaluate all running processes, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, it's strongly recommended to build off the [WDAC base templates](../design/example-wdac-base-policies.md).
+WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies.
 #### AppId Tagging policy considerations
 If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes).
-If you can't allowlist the Windows signers, or build off the WDAC base templates, it is strongly recommended to add the following rule to your policies to improve the performance:
+If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance:
 :::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy.":::
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
index 370243790a..5f3515a26b 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -119,10 +119,7 @@ sections: - question: | Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? answer: | - This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - - [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md) - [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule with Group Policy, see [Configure Windows Firewall rules with group policy](../../../operating-system-security/network-security/windows-firewall/configure.md) ### First rule (DHCP Server) - Program path: `%SystemRoot%\System32\svchost.exe`
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index b5b54f3574..79a92c0c24 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -19,7 +19,7 @@ Microsoft Defender Application Guard Extension defends devices in your organizat
 ## Prerequisites
-Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
+Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later:
 - Windows 10 Professional
 - Windows 10 Enterprise
@@ -84,4 +84,4 @@ Unexpected response while processing trusted state | The extension was able to c
 ## Related articles
 - [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
-- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
\ No newline at end of file
+- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 4dffa28451..f8830210ba 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -39,6 +39,7 @@
 "tier2"
 ],
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.localizationpriority": "medium",
 "ms.prod": "windows-client",
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
index 1b95b86db3..c941dc715a 100644
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
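Review bot: The new `"zone_pivot_group_filename": "resources/zone-pivot-groups.json"` entry in the docfx.json hunk references a file that no hunk in this diff adds or touches, so it is worth confirming that `resources/zone-pivot-groups.json` already exists at that path relative to the docset before this lands. If it does not, the build presumably either fails or silently renders no pivots, depending on how the tooling treats a missing pivot definition file. The key is placed in the metadata block next to `breadcrumb_path`, which matches how the neighbouring keys are grouped; indentation cannot be checked from this collapsed view.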
@@ -6,10 +6,8 @@ items:
 - name: Windows Defender System Guard
 href: how-hardware-based-root-of-trust-helps-protect-windows.md
 - name: Trusted Platform Module
- href: tpm/trusted-platform-module-top-node.md
+ href: tpm/trusted-platform-module-overview.md
 items:
- - name: Trusted Platform Module overview
- href: tpm/trusted-platform-module-overview.md
 - name: TPM fundamentals
 href: tpm/tpm-fundamentals.md
 - name: How Windows uses the TPM
diff --git a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
index e2b7facad8..9be58182e9 100644
--- a/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -2,7 +2,7 @@
 title: Back up TPM recovery information to Active Directory
 description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
 ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
 ---
 # Back up the TPM recovery information to AD DS
diff --git a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
index 05ed6c63a9..29abbe115b 100644
--- a/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/hardware-security/tpm/change-the-tpm-owner-password.md
@@ -2,7 +2,7 @@
 title: Change the TPM owner password
 description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
 ms.topic: conceptual
-ms.date: 04/26/2023
+ms.date: 11/17/2023
 ---
 # Change the TPM owner password
@@ -14,12 +14,7 @@ This article for the IT professional describes how to change the password or PIN
 Starting with Windows 10, version 1607, Windows doesn't retain the TPM owner password when provisioning the TPM. The password is set to a random high entropy value and then discarded.
 > [!IMPORTANT]
->
-> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key of
->
-> `HKLM\Software\Policies\Microsoft\TPM`
->
-> create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`.
+> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key `HKLM\Software\Policies\Microsoft\TPM`, create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`.
 >
 > For Windows versions newer than Windows 10 1703, the default value for this key is 5. A value of 5 means:
 >
@@ -52,4 +47,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
 ## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
index e75ebe55d6..b513a67096 100644
--- a/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md
@@ -2,7 +2,7 @@
 title: How Windows uses the TPM
 description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
 ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
 ---
 # How Windows uses the Trusted Platform Module
@@ -31,11 +31,11 @@ The security features of Windows combined with the benefits of a TPM offer pract
 ## Platform Crypto Provider
-Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
+Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
 Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
-The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
+The Platform Crypto Provider, introduced in the Windows 8, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively:
 - **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use.
The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. 
@@ -49,7 +49,7 @@ These TPM features give Platform Crypto Provider distinct advantages over softwa
 Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers.
-In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
+In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
 For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved.
For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. 
@@ -61,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
-- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
+- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an endorsement key. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
 - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
@@ -129,16 +129,16 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
-|Feature | Benefits when used on a system with a TPM|
-|---|---|
-| Platform Crypto Provider | |
-| Virtual Smart Card | |
-| Windows Hello for Business | |
-| BitLocker Drive Encryption | |
-|Device Encryption | |
-| Measured Boot | |
-| Health Attestation | |
-| Credential Guard | |
+| Feature | Benefits when used on a system with a TPM |
+|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.
 - The TPM's dictionary attack mechanism protects PIN values to use a certificate. |
+| Virtual Smart Card | Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers. |
+| Windows Hello for Business | - Credentials provisioned on a device can't be copied elsewhere.
 - Confirm a device's TPM before credentials are provisioned. |
+| BitLocker Drive Encryption | Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. |
+| Device Encryption | With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection. |
+| Measured Boot | A hardware root of trust contains boot measurements that help detect malware during remote attestation. |
+| Health Attestation | MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. |
+| Credential Guard | Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. |
diff --git a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 6eab697f4d..9e08708019 100644
--- a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -2,7 +2,7 @@
 title: Troubleshoot the TPM
 description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
 ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
 ms.collection:
 - tier1
 ---
@@ -15,13 +15,14 @@ This article provides information how to troubleshoot the Trusted Platform Modul
 - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
 With TPM 1.2 and Windows 11, you can also take the following actions:
-- [Turn on or turn off the TPM](#turn-on-or-turn-off)
+
+- [Turn on or turn off the TPM](#turn-on-or-turn-off-the-tpm)
 For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
 ## About TPM initialization and ownership
-Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password.
+Windows automatically initializes and takes ownership of the TPM. There's no need for you to initialize the TPM and create an owner password.
 ### TPM initialization
@@ -68,7 +69,7 @@ Clearing the TPM can result in data loss. To protect against such loss, review t
 Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
-**To clear the TPM**
+#### To clear the TPM
 1. Open the Windows Defender Security Center app.
 1. Select **Device security**.
@@ -78,7 +79,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
 - After the device restarts, your TPM will be automatically prepared for use by Windows.
-## Turn on or turn off the TPM
+## Turn on or turn off the TPM
 Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
@@ -102,7 +103,7 @@ If you want to stop using the services that are provided by the TPM, you can use
 - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
 - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
 - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
-
+
 ## Use the TPM cmdlets
 You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
diff --git a/windows/security/hardware-security/tpm/manage-tpm-commands.md b/windows/security/hardware-security/tpm/manage-tpm-commands.md
index 52a9473f9b..d309758d11 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-commands.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-commands.md
@@ -2,7 +2,7 @@
 title: Manage TPM commands
 description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
 ms.topic: conceptual
-ms.date: 04/26/2023
+ms.date: 11/17/2023
 ---
 # Manage TPM commands
@@ -15,10 +15,9 @@ The following procedures describe how to manage the TPM command lists. You must
 ## Block TPM commands by using the Local Group Policy Editor
-1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+1. Open the Local Group Policy Editor (`gpedit.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 > [!NOTE]
- >
 > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
 1. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
@@ -32,7 +31,6 @@ The following procedures describe how to manage the TPM command lists. You must
 1. For each command that you want to block, select **Add**, enter the command number, and then select **OK**.
 > [!NOTE]
- >
 > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
 1. After you have added numbers for each command that you want to block, select **OK** twice.
@@ -41,9 +39,7 @@ The following procedures describe how to manage the TPM command lists. You must
 ## Block or allow TPM commands by using the TPM MMC
-1. Open the TPM MMC (tpm.msc)
-
-1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
@@ -53,9 +49,7 @@ The following procedures describe how to manage the TPM command lists. You must
 ## Block new commands
-1. Open the TPM MMC (tpm.msc).
-
- If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
+1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
@@ -69,4 +63,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatfo
 ## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/manage-tpm-lockout.md b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
index a281a8e40b..abf6374e8f 100644
--- a/windows/security/hardware-security/tpm/manage-tpm-lockout.md
+++ b/windows/security/hardware-security/tpm/manage-tpm-lockout.md
@@ -2,7 +2,7 @@
 title: Manage TPM lockout
 description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
 ms.topic: conceptual
-ms.date: 04/26/2023
+ms.date: 11/17/2023
 ---
 # Manage TPM lockout
@@ -17,20 +17,19 @@ Windows takes ownership of the TPM ownership upon first boot. By default, Window
 In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
-### TPM 1.2
-
-The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
-
 ### TPM 2.0
 TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1.
 If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization.
 This value is no longer retained by default starting with Windows 10 version 1607 and higher.
+### TPM 1.2
+
+The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
+
 ## Reset the TPM lockout by using the TPM MMC
 > [!NOTE]
->
 > This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password isn't available in Windows 10 starting with version 1607 and higher.
 The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
@@ -39,7 +38,7 @@ The following procedure explains the steps to reset the TPM lockout by using the
 1. Open the TPM MMC (tpm.msc).
-1 In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
+1. In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
 1. Choose one of the following methods to enter the TPM owner password:
@@ -77,4 +76,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
 ## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
diff --git a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index 01ddf58aa0..281201247a 100644
--- a/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -2,14 +2,14 @@
 title: UnderstandPCR banks on TPM 2.0 devices
 description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
 ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 11/17/2023
 ---
 # PCR banks on TPM 2.0 devices
 For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices.
-A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*.
+A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*.
 To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)`
@@ -21,8 +21,7 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i ## How does Windows use PCRs? -To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\ -For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. +To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match. 
@@ -30,7 +29,7 @@ It's important to note that this binding to PCR values also includes the hashing When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. -As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled. +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR[12] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled. ## What can I do to switch PCRs when BitLocker is already active? 
@@ -42,7 +41,7 @@ You can configure a TPM to have multiple PCR banks active. When BIOS performs me - Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` - DWORD: `TPMActivePCRBanks` -- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.) +- Defines which PCR banks are currently active. This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27. Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met. @@ -50,6 +49,6 @@ You can identify which PCR bank is currently used by Windows by looking at the r - Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` - DWORD: `TPMDigestAlgID` -- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.) +- Algorithm ID of the PCR bank that Windows is currently using. This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27. Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted. 
diff --git a/windows/security/hardware-security/tpm/tpm-fundamentals.md b/windows/security/hardware-security/tpm/tpm-fundamentals.md
index 4393c94d01..d4612701db 100644
--- a/windows/security/hardware-security/tpm/tpm-fundamentals.md
+++ b/windows/security/hardware-security/tpm/tpm-fundamentals.md
@@ -2,24 +2,27 @@ title: Trusted Platform Module (TPM) fundamentals description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks. ms.topic: conceptual -ms.date: 03/09/2023 +ms.date: 11/17/2023 --- # TPM fundamentals -This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks. +This article provides a description of the Trusted Platform Module (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks. A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. -Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure. Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user. +Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a primary wrapping key, called the **storage root key**, which is stored within the TPM itself. The private portion of a storage root key, or **endorsement key**, that is created in a TPM is never exposed to any other component, software, process, or user. -You can specify whether encryption keys that are created by the TPM can be migrated or not. 
If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM. +You can specify whether encryption keys that the TPM creates can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM. Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met. With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software. -For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). 
The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). +- For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). +- For more information about which TPM services can be controlled centrally by using Group Policy settings, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). + +The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [Trusted Platform Module page](http://www.trustedcomputinggroup.org/developers/trusted_platform_module) on the Trusted Computing Group website. The following sections provide an overview of the technologies that support the TPM: 
@@ -33,12 +36,9 @@ The following sections provide an overview of the technologies that support the - [TPM Key Attestation](#key-attestation) - [Anti-hammering](#anti-hammering) -The following article describes the TPM services that can be controlled centrally by using Group Policy settings: -[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). - ## Measured Boot with support for attestation -The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. +The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. ## TPM-based Virtual Smart Card 
@@ -48,7 +48,7 @@ The Virtual Smart Card emulates the functionality of traditional smart cards. Vi ## TPM-based certificate storage -The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). +The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can also be used for crypto-operations through [Cryptography API: Next Generation (CNG)](/windows/win32/seccng/cng-portal). ## TPM Cmdlets 
@@ -68,7 +68,7 @@ A trusted application can use TPM only if the TPM contains an endorsement key, w ## Key attestation -*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM. +TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by nonexportability, anti-hammering, and isolation of keys provided by a TPM. ## Anti-hammering 
@@ -84,12 +84,9 @@ TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. -Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\ -After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\ -With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again. +Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again. 
-Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\ -Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. +Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. 
@@ -99,18 +96,16 @@ TPM 2.0 allows some keys to be created without an authorization value associated ### Rationale behind the defaults -Originally, BitLocker allowed from 4 to 20 characters for a PIN. -Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. -Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. +Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. 
In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). +Starting in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). ### TPM-based smart cards The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: -- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. - With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. 
The allowed number of authorization failures before the TPM enters lockout includes many factors -- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements -- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password + +- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. +- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements. +- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password. diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md index d9a7ce1a95..4471400a65 100644 --- a/windows/security/hardware-security/tpm/tpm-recommendations.md +++ b/windows/security/hardware-security/tpm/tpm-recommendations.md @@ -2,7 +2,7 @@ title: TPM recommendations description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. ms.topic: conceptual -ms.date: 02/02/2023 +ms.date: 11/17/2023 ms.collection: - tier1 --- 
@@ -34,25 +34,15 @@ From an industry standard, Microsoft has been an industry leader in moving and s TPM 2.0 products and systems have important security advantages over TPM 1.2, including: - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. - - For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. - - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. - - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms. - - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers). - - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://www.microsoft.com/security/blog/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption)). - - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. - - TPM 2.0 offers a more **consistent experience** across different implementations. - - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. - - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. 
- - While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. > [!NOTE] @@ -64,11 +54,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in There are three implementation options for TPMs: -- Discrete TPM chip as a separate component in its own semiconductor package - -- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components - -- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit +- Discrete TPM chip as a separate component in its own semiconductor package. +- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components. +- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit. Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs. 
@@ -94,22 +82,22 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f The following table defines which Windows features require TPM support. - Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | --|-|-|-|- - Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. - BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support - Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. - Windows Defender Application Control (Device Guard) | No | Yes | Yes - Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. - Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. - Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. - Windows Hello/Windows Hello for Business| No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. 
Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. - UEFI Secure Boot | No | Yes | Yes - TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes - Virtual Smart Card | Yes | Yes | Yes - Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. - Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. - SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. +| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | +|--|--|--|--|--| +| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. | +| BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support | +| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | +| Windows Defender Application Control (Device Guard) | No | Yes | Yes | +| Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | +| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. 
| +| Device Health Attestation | Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. | +| Windows Hello/Windows Hello for Business | No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. | +| UEFI Secure Boot | No | Yes | Yes | +| TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes | +| Virtual Smart Card | Yes | Yes | Yes | +| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | +| Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. | +| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | ## OEM Status on TPM 2.0 system availability and certified parts @@ -117,4 +105,4 @@ Government customers and enterprise customers in regulated industries may have a ## Related topics -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) +- [Trusted Platform Module](trusted-platform-module-overview.md) diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md index 55f111a138..46a0c61d51 100644 --- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md 
@@ -2,7 +2,7 @@
 title: Trusted Platform Module Technology Overview
 description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/17/2023
 ms.collection:
 - tier1
 ---
@@ -13,21 +13,26 @@ This article describes the Trusted Platform Module (TPM) and how Windows uses it
 ## Feature description
-The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
+The [Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-overview) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are:
-- Generate, store, and limit the use of cryptographic keys
-- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip
-- Help ensure platform integrity by taking and storing security measurements of the boot process
+- Generate, store, and limit the use of cryptographic keys.
+- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip.
+- Help ensure platform integrity by taking and storing security measurements of the boot process.
 The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM.
The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
-TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
+TPM-based keys can be configured in various ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM activates its dictionary attack logic and prevents further authorization value guesses.
 Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
-### Automatic initialization of the TPM with Windows
+[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
-Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
+## Automatic initialization of the TPM with Windows
+
+Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
+
+> [!NOTE]
+> We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
 In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
@@ -37,21 +42,15 @@ Certificates can be installed or created on computers that are using the TPM. Af
 Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
 The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
-[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
-
-## New and changed functionality
-
-For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
-
 ## Device health attestation
-Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device.
With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
+Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that allows or denies a managed device access to a secure resource.
-Some security issues that you can check on the device include the following:
+Some security issues that you can check on the devices include:
 - Is Data Execution Prevention supported and enabled?
 - Is BitLocker Drive Encryption supported and enabled?
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 586da21da4..4ea0c0f2d7 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -2,18 +2,12 @@
 title: TPM Group Policy settings
 description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.topic: conceptual
-ms.date: 07/31/2023
+ms.date: 11/17/2023
 ---
 # TPM Group Policy settings
-This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-
-The Group Policy settings for TPM services are located at:
-
-**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-
-The following Group Policy settings were introduced in Windows.
+This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. The Group Policy settings for TPM services are located under **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**.
 ## Configure the level of TPM owner authorization information available to the operating system
@@ -22,28 +16,27 @@ The following Group Policy settings were introduced in Windows.
 This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions.
-|TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0?| Kept at level 2?| Kept at level 4? |
-|--------------|---------------|---------|-----------------|-----------------|------------------|
-| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
-| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
-| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
+| TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0? | Kept at level 2? | Kept at level 4? |
+|----------------------|------------------|-------------------------------------------|------------------|------------------|------------------|
+| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
+| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
+| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
 There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
-- **Full** This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value.
Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
+- **Full**: This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
-- **Delegated** This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
+- **Delegated**: This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
-- **None** This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
+- **None**: This setting provides compatibility with previous operating systems and applications.
You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
 > [!NOTE]
 > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
 **Registry information**
-Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
-
-DWORD: OSManagedAuthLevel
+Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM`
+DWORD: `OSManagedAuthLevel`
 The following table shows the TPM owner authorization values in the registry.
@@ -68,9 +61,8 @@ This setting helps administrators prevent the TPM hardware from entering a locko
 For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
-- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
-
-- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
+- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold): This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
+- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold): This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
 An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
@@ -118,9 +110,7 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t
 ## TPM Group Policy settings in Windows Security
-You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located at:
-
-**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**
+You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Security** > **Device security**.
 ### Disable the Clear TPM button
@@ -132,6 +122,6 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
 ## Related topics
-- [Trusted Platform Module](trusted-platform-module-top-node.md)
+- [Trusted Platform Module](trusted-platform-module-overview.md)
 - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
 - [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
deleted file mode 100644
index 7befac5b61..0000000000
--- a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Trusted Platform Module
-description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.topic: conceptual
-ms.date: 02/02/2023
-ms.collection:
-- tier1
----
-
-# Trusted Platform Module
-
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
-
-
-
-| Topic | Description |
-|-------|-------------|
-| [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
-| [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
-| [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
-| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off.
|
-| [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
-| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 7fee850283..1d0c6679ba 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -2,7 +2,7 @@
 title: Remote Credential Guard
 description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
 ms.topic: how-to
-ms.date: 09/06/2023
+ms.date: 12/04/2023
 appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
@@ -33,7 +33,7 @@ Using a Remote Desktop session without Remote Credential Guard has the following
 The security benefits of Remote Credential Guard include:
 - Credentials aren't sent to the remote host
-- During the remote session you can connect to other systems using SSO
+- During the remote session, you can connect to other systems using SSO
 - An attacker can act on behalf of the user only when the session is ongoing
 The security benefits of [Restricted Admin mode][TECH-1] include:
@@ -67,14 +67,14 @@ The remote host:
 The client device:
 - Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard
-- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk
+- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard doesn't allow NTLM fallback because it would expose credentials to risk
 [!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)]
 ## Enable delegation of nonexportable credentials on the remote hosts
 This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\
-If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host.
+If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. Users must pass their credentials to the host, exposing them to the risk of credential theft from attackers on the remote host.
 To enable delegation of nonexportable credentials on the remote hosts, you can use:
@@ -131,9 +131,12 @@ To enable Remote Credential Guard on the clients, you can configure a policy tha
 > [!TIP]
 > If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session:
+>
 > ```cmd
 > mstsc.exe /remoteGuard
 > ```
+>
+> If the server hosts the RDS Host role, then the command works only if the user is an administrator of the remote host.
 The policy can have different values, depending on the level of security you want to enforce:
@@ -203,17 +206,17 @@ To further harden security, we also recommend that you implement Windows Local A
 For more information about LAPS, see [What is Windows LAPS][LEARN-1].
-## Additional considerations
+## Considerations
-Here are some additional considerations for Remote Credential Guard:
+Here are some considerations for Remote Credential Guard:
-- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied
+- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access is denied
 - Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Microsoft Entra ID
 - Remote Credential Guard can be used from a Microsoft Entra joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos
 - Remote Credential Guard only works with the RDP protocol
 - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own
 - The server and client must authenticate using Kerberos
-- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway
+- Remote Credential Guard is only supported for direct connections to the target machines. It isn't support for connections via Remote Desktop Connection Broker and Remote Desktop Gateway
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 61e9d781c0..cb77691205 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,9 +1,10 @@
 ---
-ms.date: 11/07/2023
+ms.date: 11/22/2023
 title: Smart Card and Remote Desktop Services
 description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.topic: conceptual
+ms.topic: concept-article
 ---
+
 # Smart Card and Remote Desktop Services
 This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
@@ -25,7 +26,7 @@ In a Remote Desktop scenario, a user is using a remote server for running servic
 Notes about the redirection model:
-1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard`
+1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as *Client session*), the user runs `net use /smartcard`
 1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer
 1. The authentication is performed by the LSA in session 0
 1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context
@@ -44,7 +45,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services
 Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
-In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
+In addition, group policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
 To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 933f9bc3d3..3fa6fe2bae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,7 +2,7 @@
 title: Smart Card Architecture
 description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
 ms.topic: reference-architecture
-ms.date: 11/06/2023
+ms.date: 11/22/2023
 ---
 # Smart Card Architecture
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 851e89b13a..fe6f0b5c39 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,15 +1,13 @@
 ---
-title: Certificate Propagation Service
-description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
+title: Certificate propagation service
+description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
 ms.topic: concept-article
-ms.date: 08/24/2021
+ms.date: 11/22/2023
 ---
-# Certificate Propagation Service
+# Certificate propagation service
-This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
-
-The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+The certificate propagation service (CertPropSvc) is a Windows service that activates when a user inserts a smart card in a reader that is attached to the device. The action causes the certificates to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
 > [!NOTE]
 > The certificate propagation service must be running for smart card Plug and Play to work.
@@ -47,9 +45,9 @@ Root certificate propagation is responsible for the following smart card deploym
 - Joining the domain
 - Accessing a network remotely
-In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
+In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by group policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
-When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with group policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
 For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 4e345d6a7b..9f8291d4a6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,7 +2,7 @@
 title: Certificate Requirements and Enumeration
 description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
 ms.topic: concept-article
-ms.date: 11/06/2023
+ms.date: 11/22/2023
 ---
 # Certificate Requirements and Enumeration
@@ -23,23 +23,23 @@ When a smart card is inserted, the following steps are performed. 1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store. 1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed: - 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date). - 1. The certificate must not be in the AT_SIGNATURE part of a container. - 1. The certificate must have a valid user principal name (UPN). - 1. The certificate must have the digital signature key usage. - 1. The certificate must have the smart card logon EKU. + 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date) + 1. The certificate must not be in the AT_SIGNATURE part of a container + 1. The certificate must have a valid user principal name (UPN) + 1. The certificate must have the digital signature key usage + 1. The certificate must have the smart card logon EKU - Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions). + Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions) -1. The process then chooses a certificate, and the PIN is entered. -1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt. -1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released. +1. The process then chooses a certificate, and the PIN is entered +1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt +1. If successful, `LogonUI.exe` closes. 
This causes the context acquired in Step 3 to be released ## Smart card sign-in flow in Windows Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change. -Client certificates that don't contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. +Client certificates that don't contain a UPN in the `subjectAltName` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card. Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy. 
@@ -53,22 +53,22 @@ The following diagram illustrates how smart card sign-in works in the supported Following are the steps that are performed during a smart card sign-in: -1. Winlogon requests the sign-in UI credential information. +1. Winlogon requests the sign-in UI credential information 1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: - 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). - 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. - 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. + 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected) + 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them + 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal > [!NOTE] > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. 
A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. - 1. Notifies the sign-in UI that it has new credentials. + 1. Notifies the sign-in UI that it has new credentials -1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. -1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. -1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts. -1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. -1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. +1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. 
The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box +1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN +1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts +1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI +1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser 1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\ 
@@ -185,11 +185,11 @@ A single user certificate can be mapped to multiple accounts. For example, a use Based on the information that is available in the certificate, the sign-in conditions are: 1. If no UPN is present in the certificate: - 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts - 1. A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate) + 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts + 1. A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate) 1. If a UPN is present in the certificate: - 1. The certificate can't be mapped to multiple users in the same forest - 1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user + 1. The certificate can't be mapped to multiple users in the same forest + 1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user ## Smart card sign-in for multiple users into a single account diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 0ba2519568..d5df22275e 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md 
@@ -2,7 +2,7 @@ title: Smart Card Troubleshooting description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment. ms.topic: troubleshooting -ms.date: 11/06/2023 +ms.date: 11/22/2023 --- # Smart Card Troubleshooting diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 87a6861bb1..96a66ee27a 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -2,7 +2,7 @@ title: Smart card events description: Learn about smart card deployment and development events. ms.topic: troubleshooting -ms.date: 06/02/2023 +ms.date: 11/22/2023 --- # Smart card events diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 270eda4a77..d218b20bc5 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -2,7 +2,7 @@ title: Smart Card Group Policy and Registry Settings description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards. ms.topic: reference -ms.date: 11/06/2023 +ms.date: 11/22/2023 --- # Smart Card Group Policy and Registry Settings 
@@ -262,7 +262,7 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs. You can use this policy setting to control the way the subject name appears during sign-in. > [!NOTE] -> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. +> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is *CN=User1, OU=Users, DN=example, DN=com* and the UPN is *user1@example.com*, *User1* is displayed with *user1@example.com*. If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization. When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate. 
@@ -276,11 +276,11 @@ When this policy setting isn't turned on, the subject name appears the same as i ### Turn on certificate propagation from smart card -You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted. +You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted. > [!NOTE] > The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. -When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card. +When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card. When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook. diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 2641967e6d..6727a73a66 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -2,7 +2,7 @@ title: How Smart Card Sign-in Works in Windows description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. ms.topic: overview -ms.date: 1/06/2023 +ms.date: 11/22/2023 --- # How Smart Card Sign-in Works in Windows 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 616ea96b49..7709e7524f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,23 +2,23 @@ title: Smart Card Removal Policy Service description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. ms.topic: concept-article -ms.date: 09/24/2021 +ms.date: 11/22/2023 --- # Smart Card Removal Policy Service -This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation. +This article describes the role of the removal policy service (`ScPolicySvc`) in smart card implementations. -The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). +The smart card removal policy service is applicable when a user signs in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by group policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md). -![Smart card removal policy service.](images/sc-image501.gif) +![Diagram showing the smart card removal policy service.](images/sc-image501.gif) -The numbers in the previous figure represent the following actions: +The numbers in the diagram represent the following actions: -1. Winlogon isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. 
This information is then stored in the registry with the session identifier where the sign-in was initiated. -1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred. -1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified. -1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer. +1. `Winlogon` isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated +1. The smart card resource manager service notifies the smart card removal policy service that a sign-in occurred +1. `ScPolicySvc` retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, `ScPolicySvc` is notified +1. `ScPolicySvc` calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, `ScPolicySvc` sends a message to Winlogon to lock the computer. ## See also 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index 6d468b9bda..cf988e8549 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -2,7 +2,7 @@ title: Smart Cards for Windows Service description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions. ms.topic: concept-article -ms.date: 11/06/2023 +ms.date: 11/22/2023 --- # Smart Cards for Windows Service diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 737d2d83fc..63cb9feca0 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -2,7 +2,7 @@ title: Smart Card Tools and Settings description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events. ms.topic: conceptual -ms.date: 11/06/2023 +ms.date: 11/22/2023 --- # Smart Card Tools and Settings diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index b832cf3024..da1a559648 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md 
@@ -2,7 +2,7 @@ title: Smart Card Technical Reference description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. ms.topic: overview -ms.date: 11/06/2023 +ms.date: 11/22/2023 --- # Smart Card Technical Reference diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index 5762bfaf81..26eafa1368 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml @@ -24,7 +24,7 @@ items: href: enterprise-certificate-pinning.md - name: Web sign-in href: web-sign-in/index.md - - name: Federated sign-in 🔗 + - name: Federated sign-in (EDU) 🔗 href: /education/windows/federated-sign-in - name: Advanced credential protection items: diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md index 4a4ee4acf2..ea66bca2df 100644 --- a/windows/security/includes/sections/operating-system-security.md +++ b/windows/security/includes/sections/operating-system-security.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 09/18/2023 +ms.date: 11/21/2023 ms.topic: include --- @@ -10,8 +10,8 @@ ms.topic: include | Feature name | Description | |:---|:---| | **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts.

Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. | -| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.

The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. | -| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. | +| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.

The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. | +| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. | | **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. | | **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. 
Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.

Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. | @@ -19,13 +19,13 @@ ms.topic: include | Feature name | Description | |:---|:---| -| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.

The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. | +| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.

The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but aren't considered malware. | | **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.

LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. | | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.

Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. | | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. | -| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.

Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. | +| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.

Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. | | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. | -| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. | +| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. 
For enhanced phishing protection, SmartScreen also alerts people when they're entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. | | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. | ## Network security 
@@ -33,11 +33,11 @@ ms.topic: include
 | Feature name | Description |
 |:---|:---|
 | **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
-| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.

In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. | -| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. | -| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.

Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. | +| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.

In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. | +| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, and issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. | +| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification program designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.

Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. | | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. | -| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.

With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). | +| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)** | Windows Firewall provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.

With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there's no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). | | **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.

In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. | | **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. | | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.

With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
@@ -51,5 +51,5 @@ ms.topic: include
 | **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID. |
 | **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).

BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. | | **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.

By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. | -| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.

Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. | -| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. | +| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow.

Windows Hello for Business is used to protect the container, which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content. |
+| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message hasn't been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 7433169832..069ecf8fb7 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -63,7 +63,7 @@ productDirectory:
 - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
 text: Windows security baselines
 - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
- text: MMicrosoft Defender SmartScreen
+ text: Microsoft Defender SmartScreen
 - url: /windows/security/operating-system-security
 text: Learn more about OS security >
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
index 2440fda840..12bf6e3613 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/configure.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
@@ -10,11 +10,9 @@ ms.date: 10/30/2023
 To configure BitLocker, you can use one of the following options: - Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP][WIN-1] is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance policies][INT-1], combining them with [Conditional Access][ENTRA-1]. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles: - - [Manage BitLocker policy for Windows devices with Intune][INT-2] - [Monitor device encryption with Intune][INT-3] - [Use compliance policies to set rules for devices you manage with Intune][INT-4] - - Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor - Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management][MCM-1]
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
deleted file mode 100644
index 41280919f0..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
+++ /dev/null
@@ -1,209 +0,0 @@ ---- -title: Best practices for configuring Windows Firewall -description: Learn about best practices for configuring Windows Firewall -ms.prod: windows-client -ms.date: 11/10/2023 -ms.topic: best-practice ---- - -# Best practices for configuring Windows Firewall - -Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems. - -To open Windows Firewall, select **Start** > **Run**, type **wf.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md). - -## Keep default settings - -When you open the Windows Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. - -![Windows Firewall with Advanced Security first time opening.](images/fw01-profiles.png) - -1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller -1. **Private profile**: Designed for and best used in private networks such as a home network -1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores - -To view detailed settings for each profile, right-click the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then select **Properties**. - -Maintain the default settings in Windows Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. 
One key example is the default Block behavior for Inbound connections. - -:::image type="content" source="images/fw03-defaults.png" alt-text="Screenshot of the default inbound/outbound Firewall settings."::: - -> [!IMPORTANT] -> To maintain maximum security, do not change the default Block setting for inbound connections. - -For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md). - -## Rule precedence for inbound rules - -In many cases, a next step for administrators is to customize the firewall profiles using *rules* (sometimes called *filters*), so that they can work with applications or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. - -The rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: - -![Rule creation wizard.](images/fw02-createrule.png) - -> [!NOTE] ->This article doesn't cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation. - -In many cases, allowing specific types of inbound traffic is required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions: - -1. Explicitly defined allow rules take precedence over the default block setting -1. Explicit block rules take precedence over any conflicting allow rules -1. 
More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence. - -> [!TIP] -> Because of 1 and 2, when designing a set of policies you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow. - -A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. - -> [!NOTE] -> Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described. - -## Create rules for new applications before first launch - -### Inbound allow rules - -When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. - -If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. - -- If the user has admin permissions, they're prompted. 
If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic. -- If the user isn't a local admin, they won't be prompted. In most cases, block rules are created. - -In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. - -> [!NOTE] -> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. - -### Known issues with automatic rule creation - -When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. Having the rules in place before the user first launches the application helps to ensure a seamless experience. - -The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues. - -To determine why some applications are blocked from communicating in the network, check for the following instances: - -1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt -1. 
A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes -1. Local Policy Merge is disabled, preventing the application or network service from creating local rules - -Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. - -:::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png"::: - -See also [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md). - -## Establish local policy merge and application rules - -Firewall rules can be deployed: - -1. Locally using the Firewall snap-in (**wf.msc**) -1. Locally using PowerShell -1. Remotely using Group Policy if the device is a member of an Active Directory Name or managed by Configuration Manager -1. Remotely, using a mobile device management (MDM) solution like Microsoft Intune - -Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*. - -The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy. - -![Customize settings.](images/fw05-rulemerge.png) - -> [!TIP] -> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. - -If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. - -Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. 
This setting can impact some applications and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device -Management (MDM), or both (for hybrid or co-management environments). - -[Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging. - -As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. - -In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes. - -> [!NOTE] -> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. You can only create rules using the full path to the application(s). - -## Understand group policy processing - -The Windows Firewall settings configured via group policy or CSP are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes. - -Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions: - -- Reads all firewall rules and settings -- Applies any new filters -- Removes the old filters - -> [!NOTE] -> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected. 
- -Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects haven't changed* option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default. - -If you enable the option *Process even if the Group Policy objects haven't changed*, the WFP filters get reapplied during **every** background refresh. In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like: - -- Windows Firewall blocks inbound or outbound traffic allowed by group policies -- Local Firewall settings are applied instead of group policy settings -- IPsec connections can't establish - -The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller. - -To avoid the issue, leave the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing` to the default value of *Not Configured* or, if already configured, configure it *Disabled*. - -> [!IMPORTANT] -> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change. -> -> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**. 
- -## Know how to use *shields up* mode for active attacks - -An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. - -Shields up can be achieved by checking **Block all -incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. - -![Incoming connections.](images/fw06-block.png) - -*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* - -:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png"::: - -*Figure 7: Legacy firewall.cpl* - -By default, the Windows Firewall blocks everything unless there's an exception rule created. This setting overrides the exceptions. - -For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated. - -Once the emergency is over, uncheck the setting to restore regular network traffic. - -## Create outbound rules - -What follows are a few general guidelines for configuring outbound rules. - -- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. 
However, the Inbound rule configuration should never be changed in a way that Allows traffic by default -- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use -- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments) - -For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md). - -## Document your changes - -When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. - -## Configure Windows Firewall rules with WDAC tagging policies - -Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. 
There are two steps for this configuration: - -### Step 1: Deploy WDAC AppId Tagging Policies - -A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching PolicyAppId. - -Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications. - -### Step 2: Configure Firewall Rules using PolicyAppId Tags - -- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform. -You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. - -OR - -- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `-PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md new file mode 100644 index 0000000000..06fbba84f9 --- /dev/null 
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-logging.md @@ -0,0 +1,177 @@ +--- +title: Configure Windows Firewall logging +description: Learn how to configure Windows Firewall to log dropped packets or successful connections with CSP and group policy. +ms.topic: how-to +ms.date: 11/21/2023 +--- + +# Configure Windows Firewall logging + +To configure Windows Firewall to log dropped packets or successful connections, you can use: + +- Configuration Service Provider (CSP), using an MDM solution like Microsoft Intune +- Group policy (GPO) + +[!INCLUDE [tab-intro](../../../../../includes/configure/tab-intro.md)] + +# [:::image type="icon" source="../../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) + +1. Sign into the [Microsoft Intune admin center][INT] +1. Go to **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall** > **Create** +1. Enter a name and, optionally, a description > **Next** +1. Under **Configuration settings**, for each network location type (*Domain*, *Private*, *Public*), configure: + - **Log file path** + - **Enable log dropped packets** + - **Enable log success connections** + - **Log max file size** +1. Select **Next** > **Next** +1. Assign the policy to a group that contains as members the devices or users that you want to configure > **Next** > **Create** + +> [!TIP] +> If you prefer you can also use a [Settings catalog policy][MEM-1] to configure Windows Firewall logging. + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [Firewall CSP][CSP-1]. + +| Network profile | Setting | +|--|--| +| *Domain* | Setting name: [EnableLogDroppedPackets][CSP-2]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets` | +| *Domain* | Setting name: [LogFilePath][CSP-5]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath` | +| *Domain* | Setting name: [EnableLogSuccessConnections][CSP-8]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogSuccessConnections` | +| *Domain* | Setting name: [LogMaxFileSize][CSP-11]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize` | +| *Private* | Setting name: [EnableLogDroppedPackets][CSP-3]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets` | +| *Private* | Setting name: [LogFilePath][CSP-6]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath`| +| *Private* | Setting name: [EnableLogSuccessConnections][CSP-9]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogSuccessConnections` | +| *Private* | Setting name: [LogMaxFileSize][CSP-12]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize` | +| *Public* | Setting name: [EnableLogDroppedPackets][CSP-4]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets` | +| *Public* | Setting name: [LogFilePath][CSP-7]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath`| +| *Public* | Setting name: [EnableLogSuccessConnections][CSP-10]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections` | +| *Public* | Setting name: [LogMaxFileSize][CSP-13]
OMA-URI: `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize` | + +# [:::image type="icon" source="../../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)] + +1. Expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** +1. In the details pane, in the **Overview** section, select **Windows Defender Firewall Properties** +1. For each network location type (*Domain*, *Private*, *Public*), perform the following steps + 1. Select the tab that corresponds to the network location type + 1. Under **Logging**, select **Customize** + 1. The default path for the log is `%windir%\system32\logfiles\firewall\pfirewall.log`. If you want to change this path, clear the **Not configured** check box and enter the path to the new location, or select **Browse** to select a file location +1. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and enter the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. +1. No logging occurs until you set one of following two options: + - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes** + - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes** +1. Select **OK** twice + +[!INCLUDE [gpo-settings-2](../../../../../includes/configure/gpo-settings-2.md)] + +--- + +> [!IMPORTANT] +> The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. 
+ +## Recommendations + +Here are some recommendations for configuring Windows Firewall logging: + +- Change the logging size to at least **20,480 KB (20 MB)** to ensure that the log file doesn't fill up too quickly. The maximum log size is 32,768 KB (32 MB) +- For each profile (Domain, Private, and Public) change the default log file name from `%windir%\system32\logfiles\firewall\pfirewall.log` to: + - `%windir%\system32\logfiles\firewall\pfirewall_Domain.log` + - `%windir%\system32\logfiles\firewall\pfirewall_Private.log` + - `%windir%\system32\logfiles\firewall\pfirewall_Public.log` +- Log dropped packets to **Yes** +- Log successful connections to **Yes** + +On a single system, you can use the following commands to configure logging: + +```cmd +netsh advfirewall>set allprofiles logging allowedconnections enable +netsh advfirewall>set allprofiles logging droppedconnections enable +``` + +## Parsing methods + +There are several methods to parse the Windows Firewall log files. For example: + +- Enable *Windows Event Forwarding* (WEF) to a *Windows Event Collector* (WEC). To learn more, see [Use Windows Event Forwarding to help with intrusion detection][WIN-1] +- Forward the logs to your SIEM product such as our Azure Sentinel. To learn more, see [Windows Firewall connector for Microsoft Sentinel][AZ-1] +- Forward the logs to Azure Monitor and use KQL to parse the data. To learn more, see [Azure Monitor agent on Windows client devices][AZ-2] + +> [!TIP] +> If logs are slow to appear in your SIEM solution, you can decrease the log file size. Just beware that the downsizing results in more resource usage due to the increased log rotation. + +## Troubleshoot if the log file is not created or modified + +Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. 
Some examples when this condition might occur include: + +- Missing permissions for the *Windows Defender Firewall Service* (`mpssvc`) on the folder or on the log files +- You want to store the log files in a different folder and the permissions are missing, or aren't set automatically +- if firewall logging is configured via policy settings, it can happen that + - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist + - the log folder in a custom path doesn't exist + +In both cases, you must create the folder manually or via script, and add the permissions for `mpssvc`. + +```PowerShell +New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall +``` + +Verify if `mpssvc` has *FullControl* on the folder and the files. From an elevated PowerShell session, use the following commands, ensuring to use the correct path: + +```PowerShell +$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" +(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize +``` + +The output should show `NT SERVICE\mpssvc` having *FullControl*: + +```PowerShell +IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags +----------------- ---------------- ----------------- ----------- ---------------- +NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit +BUILTIN\Administrators FullControl Allow False ObjectInherit +NT SERVICE\mpssvc FullControl Allow False ObjectInherit +``` + +If not, add *FullControl* permissions for `mpssvc` to the folder, subfolders and files. Make sure to use the correct path. 
+ +```PowerShell +$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" +$NewAcl = Get-Acl -Path $LogPath + +$identity = "NT SERVICE\mpssvc" +$fileSystemRights = "FullControl" +$inheritanceFlags = "ContainerInherit,ObjectInherit" +$propagationFlags = "None" +$type = "Allow" + +$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $inheritanceFlags, $propagationFlags, $type +$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList + +$NewAcl.SetAccessRule($fileSystemAccessRule) +Set-Acl -Path $LogPath -AclObject $NewAcl +``` + +Restart the device to restart the *Windows Defender Firewall* service. + + + +[INT-1]: /mem/intune/configuration/custom-settings-windows-10 +[CSP-1]: /windows/client-management/mdm/firewall-csp +[AZ-1]: /azure/sentinel/data-connectors/windows-firewall +[INT]: https://go.microsoft.com/fwlink/?linkid=2109431 +[MEM-1]: /mem/intune/configuration/settings-catalog +[WIN-1]: /windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection +[AZ-2]: /azure/azure-monitor/agents/azure-monitor-agent-windows-client +[CSP-2]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogdroppedpackets +[CSP-3]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogdroppedpackets +[CSP-4]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogdroppedpackets +[CSP-5]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogfilepath +[CSP-6]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogfilepath +[CSP-7]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogfilepath +[CSP-8]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofileenablelogsuccessconnections +[CSP-9]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileenablelogsuccessconnections +[CSP-10]: 
/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileenablelogsuccessconnections +[CSP-11]: /windows/client-management/mdm/firewall-csp#mdmstoredomainprofilelogmaxfilesize +[CSP-12]: /windows/client-management/mdm/firewall-csp#mdmstoreprivateprofilelogmaxfilesize +[CSP-13]: /windows/client-management/mdm/firewall-csp#mdmstorepublicprofilelogmaxfilesize diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md deleted file mode 100644 index e60bc7b3ec..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ /dev/null 
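Review bot: The `cmd` block under "Recommendations" embeds the interactive `netsh advfirewall>` prompt in each line, so the two commands fail when pasted into a shell or a script, and the block never applies the 20,480 KB size the same section recommends. Replace the two lines with `netsh advfirewall set allprofiles logging allowedconnections enable`, `netsh advfirewall set allprofiles logging droppedconnections enable` and `netsh advfirewall set allprofiles logging maxfilesize 20480`. Separately, the expected `Get-Acl` output lists only `ObjectInherit` for `NT SERVICE\mpssvc` while the remediation script grants `ContainerInherit,ObjectInherit`, so a reader comparing the two sees a mismatch even after a successful fix; either show both flags in the sample output or explain the difference. Because this log is the evidence the WEF and SIEM guidance relies on, the IMPORTANT note on the log location could also state that a custom path should be writable only by `mpssvc` and administrators, not by standard users.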
@@ -1,94 +0,0 @@ ---- -title: Configure the Windows Defender Firewall Log -description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure the Windows Defender Firewall with Advanced Security Log - - -To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -## To configure the Windows Defender Firewall with Advanced Security log - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. - -3. For each network location type (Domain, Private, Public), perform the following steps. - - 1. Click the tab that corresponds to the network location type. - - 2. Under **Logging**, click **Customize**. - - 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. - - > [!IMPORTANT] - > The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. - - 5. The default maximum file size for the log is 4,096 kilobytes (KB). 
If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. - - 6. No logging occurs until you set one of following two options: - - - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. - - - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**. - - 7. Click **OK** twice. - -### Troubleshoot if the log file is not created or modified - -Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include: - -- missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files -- you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically -- if firewall logging is configured via policy settings, it can happen that - - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist - - the log folder in a custom path doesn't exist - In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc - -If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existent folder is configured via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. - -```PowerShell -New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall -``` - -Verify if MpsSvc has *FullControl* on the folder and the files. 
-From an elevated PowerShell session, use the following commands, ensuring to use the correct path: - -```PowerShell -$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" -(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize -``` - -The output should show `NT SERVICE\mpssvc` having *FullControl*: - -```PowerShell -IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags ------------------ ---------------- ----------------- ----------- ---------------- -NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit -BUILTIN\Administrators FullControl Allow False ObjectInherit -NT SERVICE\mpssvc FullControl Allow False ObjectInherit -``` - -If not, add *FullControl* permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path. - -```PowerShell -$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" -$ACL = get-acl -Path $LogPath -$ACL.SetAccessRuleProtection($true, $false) -$RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow") -$ACL.AddAccessRule($RULE) -``` - -Restart the device to restart the Windows Defender Firewall Service. - -### Troubleshoot Slow Log Ingestion - -If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md similarity index 58% rename from windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md rename to windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md index 6bf60cec66..36140db191 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md 
@@ -1,114 +1,86 @@ --- -title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -ms.prod: windows-client +title: Manage Windows Firewall with the command line +description: Learn how to manage Windows Firewall from the command line. This guide provides examples how to manage Windows Firewall with PowerShell and Netsh. ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 11/21/2023 --- -# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell +# Manage Windows Firewall with the command line +This article provides examples how to manage Windows Firewall with PowerShell and `netsh.exe`, which can be used to automate the management of Windows Firewall. -The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. +## Set profile global defaults -You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. +Global defaults set the device behavior in a per-profile basis. Windows Firewall supports Domain, Private, and Public profiles. -In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. 
Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall. +Windows Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't enforced, you might need to enable Windows Firewall. Here's how to enable Windows Firewall on a local device: -Windows PowerShell and netsh command references are at the following locations. - -- [Netsh Commands for Windows Defender Firewall](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771920(v=ws.10)) - -## Scope - -This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide. - -## Audience and user requirements - -This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell. 
- -## In this topic - -| Section | Description | -| - | - | -| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior| -| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules| -| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`| -| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters| -| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation| -| [Other resources](#other-resources) | More information about Windows PowerShell| - -## Set profile global defaults - -Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles. - -### Enable Windows Defender Firewall with Advanced Security - -Windows Defender Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device: - -**Netsh** - -``` syntax -netsh advfirewall set allprofiles state on -``` - -**Windows PowerShell** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` -### Control Windows Defender Firewall with Advanced Security behavior +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) -The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console. 
+``` cmd +netsh.exe advfirewall set allprofiles state on +``` +--- + +### Control Windows Firewall behavior + +The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console. The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +```cmd netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound netsh advfirewall set allprofiles settings inboundusernotification enable netsh advfirewall set allprofiles settings unicastresponsetomulticast enable netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` -Windows PowerShell +--- -```powershell -Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -``` +### Disable Windows Firewall -### Disable Windows Defender Firewall with Advanced Security - -Microsoft recommends that you don't disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ 
network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). - -Disabling Windows Defender Firewall with Advanced Security can also cause problems, including: +Microsoft recommends that you don't disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). +Disabling Windows Firewall can also cause problems, including: - Start menu can stop working - Modern applications can fail to install or update - Activation of Windows via phone fails -- Application or OS incompatibilities that depend on Windows Defender Firewall +- Application or OS incompatibilities that depend on Windows Firewall -Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed. - -If disabling Windows Defender Firewall is required, don't disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). -Stopping the Windows Defender Firewall service isn't supported by Microsoft. - -Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility. 
+Microsoft recommends disabling Windows Firewall only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed. +If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc). +Stopping the Windows Firewall service isn't supported by Microsoft. +Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose. +The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. +Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**. +For more information, see [Windows Firewall deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). +The following example disables Windows Firewall for all profiles. -The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running. - -Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**. -For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md). - -The following example disables Windows Defender Firewall for all profiles. 
+# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +--- + ## Deploy basic firewall rules This section provides scriptlet examples for creating, modifying, and deleting firewall rules. 
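Review bot: The **Command Prompt** tab added at the end of the "Disable Windows Firewall" section has no body — the `---` tab terminator follows the tab heading directly — so the page renders an empty tab next to the populated PowerShell one. Either drop the tab or give it the netsh equivalent of the PowerShell example, `netsh advfirewall set allprofiles state off`, in a ```cmd fence. The new side also carries over the typo `Domain Prolfile` in the Group Policy path; it should read `Domain Profile`. The fence language tag is inconsistent within this hunk (`` ``` cmd`` in the enable tab versus ```` ```cmd ```` in the behavior tab); use one form so the rendered highlighting matches.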
@@ -116,50 +88,49 @@ This section provides scriptlet examples for creating, modifying, and deleting f ### Create firewall rules Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently. - Here's an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= %SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow ``` -Windows PowerShell - -```powershell -New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -``` +--- The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and the execution remains in effect until the Netsh session is ended or until another set store command is executed. 
- Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall set store gpo=domain.contoso.com\gpo_name netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block ``` -Windows PowerShell - -```powershell -New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name -``` +--- ### GPO Caching To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once. - The following command performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so by applying GPO caching in PowerShell. 
Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter aren't supported in Netsh -Windows PowerShell - ```powershell -$gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name -New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo -Save-NetGPO –GPOSession $gpo +$gpo = Open-NetGPO -PolicyStore domain.contoso.com\gpo_name +New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\telnet.exe -Protocol TCP -LocalPort 23 -Action Block -GPOSession $gpo +Save-NetGPO -GPOSession $gpo ``` This command doesn't batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes. 
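Review bot: The PowerShell tab of the GPO example creates `"Block Outbound Telnet"` against `%SystemRoot%\System32\tlntsvr.exe` while the Command Prompt tab next to it blocks `%SystemRoot%\System32\telnet.exe`; tlntsvr.exe is the Telnet server binary and telnet.exe the client, and the GPO-caching example later in the same hunk uses telnet.exe, so the PowerShell line should read `New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\telnet.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name`. As written, readers following the two tabs end up with different rules from a page that presents them as equivalent. The surrounding section continues past the end of the hunk.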
@@ -167,120 +138,105 @@ This command doesn't batch your individual changes, it loads and saves the entir ### Modify an existing firewall rule When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell, this identifier is specified with the *-Name* parameter). - For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +Set-NetFirewallRule -DisplayName "Allow Web 80" -RemoteAddress 192.168.0.2 +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 ``` -Windows PowerShell - -```powershell -Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 -``` +--- Netsh requires you to provide the name of the rule for it to be changed and we don't have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties. - When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports don't appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you'll need to get the filter objects themselves. - You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. 
Using Windows PowerShell, you query by port using the port filter, then assuming other rules exist affecting the local port, you build with further queries until your desired rule is retrieved. - -In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell’s ability to pipeline inputs. - -Windows PowerShell +In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell's ability to pipeline inputs. ```powershell -Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 +Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction -eq "Inbound" -and $_.Action -eq "Allow"} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 ``` You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. The elements of the array can be modified in subsequent `Set-NetFirewallRule` cmdlets. -Windows PowerShell - ```powershell Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule ``` Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences. - In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group isn't possible in Netsh. 
-Windows PowerShell - ```powershell -New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” -New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” +New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management" +New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management" ``` If the group isn't specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You can't specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. -Windows PowerShell - ```powershell -$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” -$rule.Group = “Telnet Management” +$rule = Get-NetFirewallRule -DisplayName "Allow Inbound Telnet" +$rule.Group = "Telnet Management" $rule | Set-NetFirewallRule ``` With the help of the `Set` command, if the rule group name is specified, the group membership isn't modified but rather all rules of the group receive the same modifications indicated by the given parameters. - The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules. 
-**Netsh** - -``` syntax -netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True +Set-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Enabled True ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall firewall set rule group="Windows Firewall remote management" new enable=yes +``` + +--- + There's also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. -Windows PowerShell - ```powershell -Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose +Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management" -Verbose ``` ### Delete a firewall rule Rule objects can be disabled so that they're no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This cmdlet is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device. - The following cmdlet deletes the specified existing firewall rule from the local policy store. 
-**Netsh** - -``` syntax -netsh advfirewall firewall delete rule name=“Allow Web 80” -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -Remove-NetFirewallRule –DisplayName “Allow Web 80” +Remove-NetFirewallRule -DisplayName "Allow Web 80" ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall firewall delete rule name="Allow Web 80" +``` + +--- + Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device. -Windows PowerShell - ```powershell -Remove-NetFirewallRule –Action Block +Remove-NetFirewallRule -Action Block ``` It may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules. -Windows PowerShell - ```powershell -$x = Get-NetFirewallRule –Action Block +$x = Get-NetFirewallRule -Action Block $x $x[0-3] | Remove-NetFirewallRule ``` 
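Review bot: The rewritten group example creates a rule named `"Block Outbound Telnet"` with `-Direction Outbound ... -Action Allow -Group "Telnet Management"`; anyone copying it gets an outbound allow rule whose name says block, a mismatch that is easy to miss when auditing an exported policy. The second line should end `-Action Block -Group "Telnet Management"` so it matches the earlier Block Outbound Telnet rule (which also filtered on `-Protocol TCP -LocalPort 23` rather than `-RemoteAddress LocalSubnet`). In the delete example at the end of the hunk, `$x[0-3] | Remove-NetFirewallRule` evaluates the index as 0 minus 3 and removes one rule counted from the end of the array rather than the first four the text describes; the range form is `$x[0..3]`.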
@@ -288,86 +244,76 @@ $x[0-3] | Remove-NetFirewallRule ## Manage remotely Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. - The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**. -Windows PowerShell - ```powershell -Get-NetFirewallRule –CimSession RemoteDevice +Get-NetFirewallRule -CimSession RemoteDevice ``` -We can perform any modifications or view rules on remote devices by using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote device. - -Windows PowerShell +We can perform any modifications or view rules on remote devices by using the *-CimSession* parameter. Here we remove a specific firewall rule from a remote device. ```powershell -$RemoteSession = New-CimSession –ComputerName RemoteDevice -Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm +$RemoteSession = New-CimSession -ComputerName RemoteDevice +Remove-NetFirewallRule -DisplayName "AllowWeb80" -CimSession $RemoteSession -Confirm ``` ## Deploy basic IPsec rule settings An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. - -Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. - +Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. 
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. - ![object model for creating a single ipsec rule.](images/createipsecrule.gif) ### Create IPsec rules The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +New-NetIPsecRule -DisplayName "Require Inbound Authentication" -PolicyStore domain.contoso.com\gpo_name +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall set store gpo=domain.contoso.com\gpo_name netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout ``` -Windows PowerShell - -```powershell -New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name -``` +--- ### Add custom authentication methods to an IPsec rule -If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. 
For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)) . - +If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)). You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. - ![crypto set object.](images/qmcryptoset.gif) - In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3 +$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "ah:sha1+esp:sha1-des3" -Proposal $AHandESPQM -PolicyStore domain.contoso.com\gpo_name +New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name -PolicyStore domain.contoso.com\gpo_name +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall set store gpo=domain.contoso.com\gpo_name netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des ``` -Windows PowerShell - -```powershell -$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 
-$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name -New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name -``` +--- ### IKEv2 IPsec transport rules A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard. - You can apply IKEv2 capabilities in Windows Server 2012 by specifying IKEv2 as the key module in an IPsec rule. This capability specification can only be done using computer certificate authentication and can't be used with phase-2 authentication. -Windows PowerShell - ```powershell -New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway +New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 -RemoteAddress $nonWindowsGateway ``` For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md). 
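Review bot: The rewritten custom quick-mode example still documents `-AHHash SHA1 -ESPHash SHA1 -Encryption DES3` (and `qmsecmethods=ah:sha1+esp:sha1-3des` on the cmd tab); 3DES and SHA-1 are legacy algorithms, so the example deserves a one-line caveat such as `> [!NOTE] The SHA1 and DES3 values are kept for parity with the netsh example; new deployments should prefer AES and SHA256 proposals (for example -ESPHash SHA256 -Encryption AES256).` Two of the rewritten examples are also inconsistent between tabs: the PowerShell tab creates `"Require Inbound Authentication"` while the cmd tab beside it creates `"Require Outbound Authentication"`, and the remote removal targets `-DisplayName "AllowWeb80"` although the rule was created earlier as `"Allow Web 80"`, so that removal would match nothing. The IPsec section continues past the end of the hunk.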
@@ -375,105 +321,90 @@ For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec C ### Copy an IPsec rule from one policy to another Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores. - To copy the previously created rule from one policy store to another, the associated objects must also be copied separately. There's no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets. - Copying individual rules is a task that isn't possible through the Netsh interface. Here's how you can accomplish it with Windows PowerShell. -Windows PowerShell - ```powershell -$Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” -$Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name -$Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name +$Rule = Get-NetIPsecRule -DisplayName "Require Inbound Authentication" +$Rule | Copy-NetIPsecRule -NewPolicyStore domain.costoso.com\new_gpo_name +$Rule | Copy-NetPhase1AuthSet -NewPolicyStore domain.costoso.com\new_gpo_name ``` ### Handling Windows PowerShell errors -To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When rules are being removed, if the rule isn’t already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. - -Windows PowerShell +To handle errors in your Windows PowerShell scripts, you can use the *-ErrorAction* parameter. This parameter is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. 
When rules are being removed, if the rule isn't already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any "rule not found" errors during the remove operation. ```powershell -Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue +Remove-NetFirewallRule -DisplayName "Contoso Messenger 98" -ErrorAction SilentlyContinue ``` -The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren’t any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors. - -Windows PowerShell +The use of wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren't any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any "not found" errors. ```powershell -Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” +Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" ``` -When using wildcards, if you want to double-check the set of rules that is matched, you can use the *–WhatIf* parameter. - -Windows PowerShell +When using wildcards, if you want to double-check the set of rules that is matched, you can use the *-WhatIf* parameter. ```powershell -Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf +Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -WhatIf ``` -If you only want to delete some of the matched rules, you can use the *–Confirm* parameter to get a rule-by-rule confirmation prompt. - -Windows PowerShell +If you only want to delete some of the matched rules, you can use the *-Confirm* parameter to get a rule-by-rule confirmation prompt. 
```powershell -Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm +Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Confirm ``` You can also just perform the whole operation, displaying the name of each rule as the operation is performed. -Windows PowerShell - ```powershell -Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose +Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Verbose ``` ### Monitor The following Windows PowerShell commands are useful in the update cycle of a deployment phase. - To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command doesn't show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +Show-NetIPsecRule -PolicyStore ActiveStore +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall consec show rule name=all ``` -Windows PowerShell - -```powershell -Show-NetIPsecRule –PolicyStore ActiveStore -``` +--- You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations. 
- Use the following cmdlet to view existing main mode rules and their security associations: -**Netsh** - -``` syntax -netsh advfirewall monitor show mmsa all -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell Get-NetIPsecMainModeSA ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall monitor show mmsa all +``` + +--- + ### Find the source GPO of a rule To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can determine which policy store a rule originates from. - -For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *–TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field. - -Windows PowerShell +For objects that come from a GPO (the *-PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *-TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field. ```powershell -Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore +Get-NetIPsecRule -DisplayName "Require Inbound Authentication" -TracePolicyStore ``` It's important to note that the revealed sources don't contain a domain name. 
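Review bot: `Remove-NetFirewallRule -DisplayName "Contoso Messenger 98" -ErrorAction SilentlyContinue` suppresses every non-terminating error from the cmdlet, not only the rule-not-found case the surrounding text describes; in a policy cleanup script an access-denied or remote-session failure is hidden the same way, so a rule can remain in place with no signal. The prose should say so, e.g. `Note that SilentlyContinue hides all non-terminating errors, not only "rule not found"; inspect $Error or use -ErrorVariable if you need to tell the cases apart.` The rewritten copy example also uses `domain.costoso.com\new_gpo_name` on both the `Copy-NetIPsecRule` and `Copy-NetPhase1AuthSet` lines where the rest of the file uses `domain.contoso.com`, which reads as a typo rather than an intentional second domain.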
@@ -481,146 +412,140 @@ It's important to note that the revealed sources don't contain a domain name. ### Deploy a basic domain isolation policy IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. - To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that isn't protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this authentication, you can isolate domain-joined devices from devices that aren't joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. -**Netsh** - -``` syntax -netsh advfirewall set store gpo=domain.contoso.com\domain_isolation -netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profile=domain endpoint1=”any” endpoint2=”any” action=requireinrequestout auth1=”computerkerb” -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -$kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos -$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation -New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation +$kerbprop = New-NetIPsecAuthProposal -Machine -Kerberos +$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop -PolicyStore domain.contoso.com\domain_isolation 
+New-NetIPsecRule -DisplayName "Basic Domain Isolation Policy" -Profile Domain -Phase1AuthSet $Phase1AuthSet.Name -InboundSecurity Require -OutboundSecurity Request -PolicyStore domain.contoso.com\domain_isolation ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall set store gpo=domain.contoso.com\domain_isolation +netsh advfirewall consec add rule name="Basic Domain Isolation Policy" profile=domain endpoint1="any" endpoint2="any" action=requireinrequestout auth1="computerkerb" +``` + +--- + ### Configure IPsec tunnel mode The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it's encrypted by using ESP/DES3. -**Netsh** - -``` syntax -netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell $QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 -$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal -New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name +$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $QMProposal 
+New-NetIPSecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des +``` + +--- + ## Deploy secure firewall rules with IPsec -In situations where only secure traffic can be allowed through the Windows Defender Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. +In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. ### Create a secure firewall rule (allow if secure) Configuring firewalls rule to allow connections if they're secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. - The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule. 
-**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +New-NetFirewallRule -DisplayName "Allow Authenticated Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow ``` -Windows PowerShell - -```powershell -New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow -``` +--- The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messenger program. 
-**Netsh** - -``` syntax -netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -$mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos +$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM -$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop +$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop $ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos $unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM $anonyauthprop = New-NetIPsecAuthProposal -Anonymous -$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName “User Auth” -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop -New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name –Phase2AuthSet $P2Auth.Name +$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop +New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name -Phase2AuthSet $P2Auth.Name ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous +``` + +--- + ### Isolate a server by requiring encryption and group membership To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are 
restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain. - IPsec can provide this extra layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. ### Create a firewall rule that requires group membership and encryption To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication. - -The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters. - -A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID). - -Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies. - +The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called "Authorized to Access Server." This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters. +A Security Descriptor Definition Language (SDDL) string is created by extending a user or group's security identifier (SID). 
For more information about finding a group's SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID). +Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall and/or IPsec policies. The following example shows you how to create an SDDL string that represents security groups. -Windows PowerShell - ```powershell -$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) +$user = new-object System.Security.Principal.NTAccount ("corp.contoso.com\Administrators") $SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value $secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" ``` By using the previous scriptlet, you can also get the SDDL string for a secure computer group as shown here: -Windows PowerShell - ```powershell $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" ``` For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)). - Telnet is an application that doesn't provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This firewall rule is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application. - In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule. 
-**Netsh** - -``` syntax -netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation -netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Group Members Only” program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" -``` - -Windows PowerShell +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation +New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\Server_Isolation ``` +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd +netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation +netsh advfirewall firewall add rule name="Allow Encrypted Inbound Telnet to Group Members Only" program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" +``` + +--- + ### Endpoint security enforcement The previous example showed end to end security for a particular application. In situations where endpoint security is required for many applications, having a firewall rule per application can be cumbersome and difficult to manage. Authorization can override the per-rule basis and be done at the IPsec layer. 
- In this example, we set the global IPsec setting to only allow transport mode traffic to come from an authorized user group with the following cmdlet. Consult the previous examples for working with security groups. -Windows PowerShell - ```powershell Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup ``` 
@@ -628,59 +553,19 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr ### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass) Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This override is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)). - In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group. -**Netsh** +# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) -``` syntax +```powershell +New-NetFirewallRule -DisplayName "Inbound Secure Bypass Rule" -Direction Inbound -Authentication Required -OverrideBlockRules $true -RemoteMachine $secureMachineGroup -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\domain_isolation +``` + +# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) + +``` cmd netsh advfirewall set store gpo=domain.contoso.com\domain_isolation netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" ``` -Windows PowerShell - -```powershell -New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore 
domain.contoso.com\domain_isolation -``` - -## Other resources - - -For more information about Windows PowerShell concepts, see the following topics. - -- [Windows PowerShell Getting Started Guide](/powershell/scripting/overview) - -- [Windows PowerShell User Guide](/powershell/scripting/overview) - -- [Windows PowerShell About Help Topics](https://go.microsoft.com/fwlink/p/?linkid=113206) - -- [about\_Functions](/powershell/module/microsoft.powershell.core/about/about_functions) - -- [about\_Functions\_Advanced](/powershell/module/microsoft.powershell.core/about/about_functions_advanced) - -- [about\_Execution\_Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies) - -- [about\_Foreach](/powershell/module/microsoft.powershell.core/about/about_foreach) - -- [about\_Objects](/powershell/module/microsoft.powershell.core/about/about_objects) - -- [about\_Properties](/powershell/module/microsoft.powershell.core/about/about_properties) - -- [about\_While](/powershell/module/microsoft.powershell.core/about/about_while) - -- [about\_Scripts](/powershell/module/microsoft.powershell.core/about/about_scripts) - -- [about\_Signing](/powershell/module/microsoft.powershell.core/about/about_signing) - -- [about\_Throw](/powershell/module/microsoft.powershell.core/about/about_throw) - -- [about\_PSSessions](/powershell/module/microsoft.powershell.core/about/about_pssessions) - -- [about\_Modules](/powershell/module/microsoft.powershell.core/about/about_modules) - -- [about\_Command\_Precedence](/powershell/module/microsoft.powershell.core/about/about_command_precedence) - -  - -  \ No newline at end of file +--- diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md new file mode 100644 index 0000000000..8d1b33190c --- /dev/null 
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md 
@@ -0,0 +1,178 @@ +--- +title: Configure firewall rules with group policy +description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console. +ms.topic: how-to +ms.date: 11/21/2023 +--- + +# Configure rules with group policy + +This article contains examples how to configure Windows Firewall rules using the *Windows Firewall with Advanced Security* console. + +## Access the Windows Firewall with Advanced Security console + +If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**. + +If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select START, type `wf.msc`, and press ENTER. + +## Create an inbound ICMP rule + +This type of rule allows ICMP requests and responses to be received by devices on the network. To create an inbound ICMP rule: + +1. Open the *Windows Firewall with Advanced Security* console +1. In the navigation pane, select **Inbound Rules** +1. Select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next** +1. On the **Program** page, select **All programs**, and then select **Next** +1. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. 
If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each +1. Select **Customize** +1. In the **Customize ICMP Settings** dialog box, do one of the following: + - To allow all ICMP network traffic, select **All ICMP types**, and then select **OK** + - To select one of the predefined ICMP types, select **Specific ICMP types**, and then select each type in the list that you want to allow. Select **OK** + - To select an ICMP type that does not appear in the list, select **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, select **Add**, and then select the newly created entry from the list. Select **OK** +1. Select **Next** +1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Allow the connection**, and then select **Next** +1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** +1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +## Create an inbound port rule + +This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To create an inbound port rule: + +1. Open the *Windows Firewall with Advanced Security* console +1. In the navigation pane, select **Inbound Rules** +1. Select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next** + > [!NOTE] + > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. +1. 
On the **Program** page, select **All programs**, and then select **Next** + > [!NOTE] + > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](#create-an-inbound-program-or-service-rule) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. +1. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number + If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.\ + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.\ + When you have configured the protocols and ports, select **Next**. +1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Allow the connection**, and then select **Next** +1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** + > [!NOTE] + > If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. 
This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type. +1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +## Create an outbound port rule + +By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. To create an outbound port rule: + +1. Open the *Windows Firewall with Advanced Security* console +1. In the navigation pane, select **Outbound Rules** +1. Select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Outbound Rule wizard, select **Custom**, and then select **Next** + > [!NOTE] + > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. +1. On the **Program** page, select **All programs**, and then select **Next** +1. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number + If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. When you've configured the protocols and ports, select **Next** +1. 
On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Block the connection**, and then select **Next** +1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** +1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +## Create an inbound program or service rule + +This type of rule allows the program to listen and receive inbound network traffic on any port. + +> [!NOTE] +> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](#create-an-inbound-port-rule) procedure in addition to the steps in this procedure. + +To create an inbound firewall rule for a program or service: + +1. Open the *Windows Firewall with Advanced Security* console +1. In the navigation pane, select **Inbound Rules** +1. Select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next** + > [!NOTE] + > Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. +1. On the **Program** page, select **This program path** +1. Type the path to the program in the text box. 
Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly. +1. Do one of the following: + - If the executable file contains a single program, select **Next** + - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next** + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, select **Apply to service with this service short name**, and then type the short name for the service in the text box. Select **OK**, and then select **Next** + + > [!IMPORTANT] + > To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: `sc qsidtype ` + > + > If the result is `NONE`, then a firewall rule cannot be applied to that service. + + To set a SID type on a service, run the following command: `sc sidtype ` + + In the preceding command, the value of `` can be `UNRESTRICTED` or `RESTRICTED`. Although the command also permits the value of `NONE`, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as `UNRESTRICTED`. If you change the SID type to `RESTRICTED`, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to `UNRESTRICTED`. + +1. 
It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](#create-an-inbound-port-rule). After you have configured the protocol and port options, select **Next** +1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Allow the connection**, and then select **Next** +1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** +1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +## Create an outbound program or service rule + +By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. This type of rule prevents the program from sending any outbound network traffic on any port. To create an outbound firewall rule for a program or service: + +1. Open the *Windows Firewall with Advanced Security* console +1. In the navigation pane, select **Outbound Rules** +1. Select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Outbound Rule Wizard, select **Custom**, and then select **Next** + > [!NOTE] + > Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. +1. On the **Program** page, select **This program path** +1. Type the path to the program in the text box. 
Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly +1. Do one of the following: + - If the executable file contains a single program, select **Next** + - If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next** + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then select **Apply to service with this service short name**, and type the short name for the service in the text box. Select **OK**, and then select **Next** +1. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](#create-an-outbound-port-rule). When you have configured the protocol and port options, select **Next** +1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Block the connection**, and then select **Next** +1. 
On the **Profile** page, select the network location types to which this rule applies, and then select **Next** +1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +## Create inbound rules to support RPC + +To allow inbound remote procedure call (RPC) network traffic, you must create two firewall rules: + +- the first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service +- the second rule allows the network traffic that is sent to the dynamically assigned port number + +Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. + +### RPC Endpoint Mapper service + +1. Open the *Windows Firewall with Advanced Security* console +1. In the navigation pane, select **Inbound Rules** +1. Select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next** +1. On the **Program** page, select **This Program Path**, and then type `%systemroot%\system32\svchost.exe` +1. Select **Customize**. +1. In the **Customize Service Settings** dialog box, select **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, select **OK**, and then select **Next** +1. On the warning about Windows service-hardening rules, select **Yes** +1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP** +1. For **Local port**, select **RPC Endpoint Mapper**, and then select **Next** +1. 
On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Allow the connection**, and then select **Next** +1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** +1. On the **Name** page, type a name and description for your rule, and then select **Finish** + +### RPC-enabled network services + +1. On the same GPO you edited in the preceding procedure, select **Action**, and then select **New rule** +1. On the **Rule Type** page of the New Inbound Rule Wizard, select **Custom**, and then select **Next** +1. On the **Program** page, select **This Program Path**, and then type the path to the executable file that hosts the network service. Select **Customize** +1. In the **Customize Service Settings** dialog box, select **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then select **Apply to service with this service short name**, and then type the short name of the service in the text box +1. Select **OK**, and then select **Next** +1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP** +1. For **Local port**, select **RPC Dynamic Ports**, and then select **Next** +1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next** +1. On the **Action** page, select **Allow the connection**, and then select **Next** +1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next** +1. On the **Name** page, type a name and description for your rule, and then select **Finish** 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md
deleted file mode 100644
index b62a240cdb..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md
+++ /dev/null
@@ -1,56 +0,0 @@ ---- -title: Create an Inbound ICMP Rule -description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Inbound ICMP Rule - - -To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see: - -- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) - -- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) - -To create an inbound ICMP rule - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - -5. On the **Program** page, click **All programs**, and then click **Next**. - -6. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each. - -7. Click **Customize**. - -8. 
In the **Customize ICMP Settings** dialog box, do one of the following: - - - To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**. - - - To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**. - - - To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK** - -9. Click **Next**. - -10. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -11. On the **Action** page, select **Allow the connection**, and then click **Next**. - -12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - -13. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md deleted file mode 100644 index 5751151190..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Create an Inbound Port Rule -description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.collection: - - highpri - - tier3 - - must-keep -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Inbound Port Rule - - -To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall -with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: - -- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) - -- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) - -**To create an inbound port rule** - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - - > [!Note] - > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -5. On the **Program** page, click **All programs**, and then click **Next**. 
- - > [!Note] - > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. - -6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. - - If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. - - To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. - - When you have configured the protocols and ports, click **Next**. - -7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -8. On the **Action** page, select **Allow the connection**, and then click **Next**. - -9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - - > [!Note] - > If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. 
This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type. - -10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md deleted file mode 100644 index 0e3d5bd0c6..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -title: Create an Inbound Program or Service Rule -description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Inbound Program or Service Rule - - -To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. - ->**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -To create an inbound firewall rule for a program or service - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. 
- - >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -5. On the **Program** page, click **This program path**. - -6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly. - -7. Do one of the following: - - - If the executable file contains a single program, click **Next**. - - - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. - - - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**. - - **Important**   - To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: - - **sc** **qsidtype** *<ServiceName>* - - If the result is **NONE**, then a firewall rule cannot be applied to that service. - - To set a SID type on a service, run the following command: - - **sc** **sidtype** *<ServiceName> <Type>* - - In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. 
Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. - -8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**. - -9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -10. On the **Action** page, select **Allow the connection**, and then click **Next**. - -11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - -12. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md deleted file mode 100644 index a014376a16..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Create an Outbound Port Rule -description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Outbound Port Rule - - -By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -To create an outbound port rule - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Outbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**. - - >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -5. On the **Program** page, click **All programs**, and then click **Next**. - -6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. 
Because this rule is an outbound rule, you typically configure only the remote port number. - - If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. - - To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. - - When you've configured the protocols and ports, click **Next**. - -7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -8. On the **Action** page, select **Block the connection**, and then click **Next**. - -9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - -10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md deleted file mode 100644 index 7893448184..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: Create an Outbound Program or Service Rule -description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Outbound Program or Service Rule - - -By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -To create an outbound firewall rule for a program or service - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Outbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**. - - >**Note:**  Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -5. On the **Program** page, click **This program path**. - -6. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly. - -7. 
Do one of the following: - - - If the executable file contains a single program, click **Next**. - - - If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. - - - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**. - -8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**. - -9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -10. On the **Action** page, select **Block the connection**, and then click **Next**. - -11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - -12. 
On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md deleted file mode 100644 index e153527fbc..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: Create Inbound Rules to Support RPC -description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create Inbound Rules to Support RPC - - -To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -This topic describes how to create rules that allow inbound RPC network traffic. 
For other inbound port rule types, see: - -- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) - -- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) - -In this topic: - -- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service) - -- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services) - -## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - -5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**. - -6. Click **Customize**. - -7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**. - -8. On the warning about Windows service-hardening rules, click **Yes**. - -9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. - -10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**. - -11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -12. On the **Action** page, select **Allow the connection**, and then click **Next**. - -13. 
On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.   - -14. On the **Name** page, type a name and description for your rule, and then click **Finish**. - - -## To create a rule to allow inbound network traffic to RPC-enabled network services - -1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**. - -2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - -3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. - -4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. - -5. Click **OK**, and then click **Next**. - -6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. - -7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**. - -8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -9. On the **Action** page, select **Allow the connection**, and then click **Next**. - -10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - -11. On the **Name** page, type a name and description for your rule, and then click **Finish**. 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md
deleted file mode 100644
index 2ee70cb742..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Create Windows Firewall rules in Intune
-description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
-ms.topic: conceptual
-ms.date: 11/07/2023
----
-
-# Create Windows Firewall rules in Intune
-
->[!IMPORTANT]
->This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
-Select Windows Defender Firewall.
-:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center.":::
-
->[!IMPORTANT]
->A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
-
-## Firewall rule components
-
-The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp).
-
-## Application
-
-Control connections for an app or program.
-Apps and programs can be specified either file path, package family name, or Windows service short name.
-
-The file path of an app is its location on the client device.
-For example, C:\Windows\System\Notepad.exe.
-[Learn more](/windows/client-management/mdm/firewall-csp#filepath)
-
-Package family names can be retrieved by running the Get-AppxPackage command from PowerShell.
-[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell)
-
-Windows service short names are used in cases when a service, not an application, is sending or receiving traffic.
-Default is All.
-
-[Learn more](/windows/client-management/mdm/firewall-csp#servicename)
-
-## Protocol
-
-Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol.
-
-Default is Any.
-
-[Learn more](/windows/client-management/mdm/firewall-csp#protocol)
-
-## Local ports
-
-Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
-
-[Learn more](/windows/client-management/mdm/firewall-csp#localportranges)
-
-## Remote ports
-
-Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
-
-[Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges)
-
-## Local addresses
-
-Comma-separated list of local addresses covered by the rule. Valid tokens include:
-
-- `*` indicates any local address. If present, this token must be the only one included
-- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255
-- A valid IPv6 address
-- An IPv4 address range in the format of "start address-end address" with no spaces included
-- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address
-
-[Learn more](/windows/client-management/mdm/firewall-csp#localaddressranges)
-
-## Remote addresses
-
-List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
-
-- `*` indicates any remote address.
If present, this token must be the only one included
-- Defaultgateway
-- DHCP
-- DNS
-- WINS
-- Intranet
-- RmtIntranet
-- Internet
-- Ply2Renders
-- LocalSubnet indicates any local address on the local subnet
-- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255
-- A valid IPv6 address
-- An IPv4 address range in the format of "start address-end address" with no spaces included
-- An IPv6 address range in the format of "start address-end address" with no spaces included
-
-Default is Any address
-
-[Learn more](https://aka.ms/intunefirewallremotaddressrule)
-
-## Edge traversal (UI coming soon)
-
-Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time.
-
-[Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal)
-
-## Authorized users
-
-Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users.
-
-[Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist)
-
-## Configuring firewall rules programmatically
-
-Coming soon.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
deleted file mode 100644
index 197d05a733..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Designing a Windows Defender Firewall Strategy
-description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/07/2021
----
-
-# Designing a Windows Defender Firewall with Advanced Security Strategy
-
-
-To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.
-
-- [Gathering the Information You Need](gathering-the-information-you-need.md)
-
-- [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
-
-The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.
-
-- What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs?
-
-- What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs?
-
-- What traffic on the network can't be protected by IPsec because the devices or devices sending or receiving the traffic don't support IPsec?
-
-- For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required?
-
-- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you don't, then you can't use Group Policy for easy mass deployment of your firewall and connection security rules. You also can't easily take advantage of Kerberos V5 authentication that all domain clients can use.
-
-- Which devices must be able to accept unsolicited inbound connections from devices that aren't part of the domain?
-
-- Which devices contain data that must be encrypted when exchanged with another computer?
-
-- Which devices contain sensitive data to which access must be restricted to authorized users and devices?
-
-- Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall?
-
-
-This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide.
-
-**Next:** [Gathering the Information You Need](gathering-the-information-you-need.md)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md
index b875b47bbf..6c5bd21b4d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation.md
@@ -1,21 +1,19 @@ --- -title: Filter origin audit log improvements -description: Filter origin documentation audit log improvements +title: Filter origin audit log +description: Learn about Windows Firewall and filter origin audit log to troubleshoot packet drops. ms.topic: troubleshooting -ms.date: 11/07/2023 +ms.date: 11/21/2023 --- -# Filter origin audit log improvements +# Filter origin audit log -Debugging packet drops is a continuous issue to Windows customers. In the past, customers had limited information about packet drops. - -Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. +When investigating packet drop events, you can use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits `5157` or `5152`. ![Event properties.](images/event-properties-5157.png) -The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. +The *filter ID* uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. The change in ID makes the diagnosis process error-prone and difficult. -For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. 
The blocking filters can be categorized under these filter origins: +To debug packet drop events correctly and efficiently, you need more context about the blocking filter, such as its origin. The blocking filters can be categorized under these filter origins: 1. Firewall rules 1. Firewall default block filters 
@@ -27,17 +25,14 @@ For customers to debug packet drop events correctly and efficiently, they would 1. Universal Windows Platform (UWP) default 1. Windows Service Hardening (WSH) default -The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases. +The next section describes the improvements made to audits `5157` and `5152` in Windows 11 and Windows Server 2022, and how the filter origins are used in these events. ## Improved firewall audit -The two new fields added to the audit 5157 and 5152 events are `Filter Origin` and `Interface Index`. +Starting in Windows 11 and Windows Server 2022, two new fields added to the audit `5157` and `5152` events are *Filter Origin* and *Interface Index*: -The `Filter Origin` field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc. - -`Filter Origin` specifies either the rule ID (a unique identifier of a Firewall rule) or the name of one of the default block filters. - -The `Interface Index` field specifies the network interface in which the packet was dropped. This field helps to identify which interface was quarantined, if the `Filter Origin` is a `Quarantine Default`. +- The *Filter Origin* field helps identify the cause of the drop. Packet drops from firewall are explicitly dropped by default block filters created by the Windows Firewall service or a firewall rule that may be created by users, policies, services, apps, etc. Filter Origin` specifies either the *rule ID* (a unique identifier of a Firewall rule) or the name of one of the default block filters +- The *Interface Index* field specifies the network interface in which the packet was dropped. 
This field helps to identify which interface was quarantined, if the *Filter Origin* is a *Quarantine Default* To enable a specific audit event, run the corresponding command in an administrator command prompt: @@ -48,11 +43,11 @@ To enable a specific audit event, run the corresponding command in an administra ## Example flow of debugging packet drops with filter origin -As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop, and the interface it happened on. +As the audit surfaces *Filter Origin* and *Interface Index*, the network admin can determine the root cause of the network packet drop, and the interface it happened on. ![Event audit.](images/event-audit-5157.png) -The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**. +The next sections are divided by *Filter Origin* type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, [Firewall default block filters](#firewall-default-block-filters). ## Firewall rules 
@@ -65,20 +60,19 @@ Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} " ![Firewall rule.](images/firewallrule.png) -After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule's `DisplayName`. +After identifying the rule that caused the drop, the network admin can modify or disable the rule to allow the traffic they want through one of the available [tools](tools.md). The network admin can find the rule in the UI with the rule's *DisplayName*. >[!NOTE] -> Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Defender UI. Additionally, the above method will not work when the `Filter Origin` is one of the default block filters, as they do not correspond to any firewall rules. +> Firewall rules from Mobile Device Management (MDM) store cannot be searched using the Windows Firewall UI. Additionally, the above method doesn't work when the *Filter Origin* is one of the default block filters, as they don't correspond to any firewall rules. ## Firewall default block filters ### AppContainer loopback -Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app. +Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app: -To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback). - -To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged Win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules). 
+- To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback) +- To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged Win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules) ### Boot time default @@ -92,11 +86,8 @@ Run the following PowerShell command to generate more information about the inte ```Powershell Get-NetIPInterface -InterfaceIndex -Get-NetIPInterface -InterfaceIndex 5 ``` -![Quarantine default block filter.](images/quarantine-default-block-filter.png) - To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md). >[!NOTE] @@ -115,11 +106,7 @@ To generate a list of all the query user block rules, you can run the following Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} ``` -![Query user default block filter.](images/query-user-default-block-filters.png) - -The query user pop-up feature is enabled by default. - -To disable the query user pop-up, you can run the following command in administrative command prompt: +The query user pop-up feature is enabled by default. To disable the query user pop-up, you can run the following command in administrative command prompt: ```cmd Netsh set allprofiles inboundusernotification disable diff --git a/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md deleted file mode 100644 index 89ffce298a..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md +++ /dev/null 
@@ -1,31 +0,0 @@
----
-title: Troubleshooting Windows Firewall settings after a Windows upgrade
-description: Firewall settings lost on upgrade
-ms.topic: troubleshooting
-ms.date: 11/07/2023
----
-
-# Troubleshooting Windows Firewall settings after a Windows upgrade
-
-Use this article to troubleshoot firewall settings that are turned off after upgrading to a new version of Windows.
-
-## Rule groups
-
-To help you organize your list, individual built-in firewall rules are categorized within a group. For example, the following rules form part of the Remote Desktop group.
-
-- Remote Desktop - Shadow (TCP-In)
-- Remote Desktop - User Mode (TCP-In)
-- Remote Desktop - User-Mode (UDP-In)
-
-Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows administrators to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this filtering by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch.
-
-```Powershell
-Get-NetFirewallRule -Group
-```
-
-> [!NOTE]
-> Microsoft recommends to enable or disable an entire group instead of individual rules.
-
-Microsoft recommends that you enable/disable all of the rules within a group instead of one or two individual rules. This recommendation is because groups aren't only used to organize rules and allow batch rule modification by type, but they also represent a 'unit' by which rule state is maintained across a Windows upgrade. Rule groups, as opposed to individual rules, are the unit by which the update process determines what should be enabled/disabled when the upgrade is complete.
-
-For example, the Remote Desktop group consists of three rules. To ensure that the rule set is properly migrated during an upgrade, all three rules must be enabled.
If only one rule is enabled, the upgrade process will see that two of three rules are disabled and then disable the entire group to maintain a clean, out-of-the-box configuration. This scenario has the unintended consequence of breaking Remote Desktop Protocol (RDP) connectivity to the host. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 534ffb359d..fcae3df1e9 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -2,9 +2,7 @@ title: Hyper-V firewall description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP). ms.topic: how-to -ms.date: 11/08/2023 -author: paolomatarazzo -ms.author: paoloma +ms.date: 11/21/2023 appliesto: - ✅ Windows 11 --- @@ -57,8 +55,8 @@ The output contains the following values: |--|--| | `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. | | `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. | -| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. | -| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.
This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. |
+| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host.|
+| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.
This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet.| ### Configure Hyper-V firewall settings
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/cmd.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/cmd.svg
new file mode 100644
index 0000000000..0cddf31701
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/cmd.svg
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/control-panel.png b/windows/security/operating-system-security/network-security/windows-firewall/images/control-panel.png
new file mode 100644
index 0000000000..63a4c5b13b
Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/control-panel.png differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif
deleted file mode 100644
index f76182ee25..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/domain-network.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/domain-network.svg
new file mode 100644
index 0000000000..913bf739dd
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/domain-network.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/feedback.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/feedback.svg
new file mode 100644
index 0000000000..2ecd143695
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/feedback.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw01-profiles.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw01-profiles.png
deleted file mode 100644
index c1aa416fdf..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw01-profiles.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw02-createrule.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw02-createrule.png
deleted file mode 100644
index 5c8f858f52..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw02-createrule.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw03-defaults.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw03-defaults.png
deleted file mode 100644
index cfc1daea37..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw03-defaults.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw04-userquery.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw04-userquery.png
deleted file mode 100644
index 85f7485479..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw04-userquery.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/fw05-rulemerge.png b/windows/security/operating-system-security/network-security/windows-firewall/images/fw05-rulemerge.png
deleted file mode 100644
index 74c49fab7b..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/fw05-rulemerge.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/grouppolicy-paste.png b/windows/security/operating-system-security/network-security/windows-firewall/images/grouppolicy-paste.png
deleted file mode 100644
index ba2de148f1..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/grouppolicy-paste.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/powershell.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/powershell.svg
new file mode 100644
index 0000000000..f70257047f
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/powershell.svg
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/powershelllogosmall.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/powershelllogosmall.gif
deleted file mode 100644
index a27d8b9d9e..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/powershelllogosmall.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/private-network.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/private-network.svg
new file mode 100644
index 0000000000..93648081fa
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/private-network.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/public-network.svg b/windows/security/operating-system-security/network-security/windows-firewall/images/public-network.svg
new file mode 100644
index 0000000000..4206f50489
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/images/public-network.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-default-block-filter.png b/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-default-block-filter.png
deleted file mode 100644
index e57ad13f93..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-default-block-filter.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-interfaceindex1.png b/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-interfaceindex1.png
deleted file mode 100644
index d6679e1e0e..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/quarantine-interfaceindex1.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/query-user-default-block-filters.png b/windows/security/operating-system-security/network-security/windows-firewall/images/query-user-default-block-filters.png
deleted file mode 100644
index ca61aae7e2..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/query-user-default-block-filters.png and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/uac.png b/windows/security/operating-system-security/network-security/windows-firewall/images/uac.png
new file mode 100644
index 0000000000..e32ca05ca8
Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/uac.png differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design2example1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design2example1.gif
deleted file mode 100644
index 3d44049fa2..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design2example1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design3example1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design3example1.gif
deleted file mode 100644
index cd11758ff4..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-design3example1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designexample1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designexample1.gif
deleted file mode 100644
index f2f730c70f..0000000000
Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designexample1.gif and /dev/null differ
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designflowchart1.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designflowchart1.gif deleted file mode 100644 index 369d0de563..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-designflowchart1.gif and /dev/null differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainiso.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainiso.gif deleted file mode 100644 index dd3040653f..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainiso.gif and /dev/null differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisoencrypt.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisoencrypt.gif deleted file mode 100644 index 3ba2beae45..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisoencrypt.gif and /dev/null differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisohighsec.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisohighsec.gif deleted file mode 100644 index 49fae4ab6b..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainisohighsec.gif and /dev/null differ 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainnag.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainnag.gif deleted file mode 100644 index 9e35fbc193..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-domainnag.gif and /dev/null differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-implement.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-implement.gif deleted file mode 100644 index 5a90b2fb97..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas-implement.gif and /dev/null differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png new file mode 100644 index 0000000000..f1ff86b5ad Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/wfas.png differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/wfasdomainisoboundary.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/wfasdomainisoboundary.gif deleted file mode 100644 index 3c4c855649..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/wfasdomainisoboundary.gif and /dev/null differ 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/windows-firewall-intune.png b/windows/security/operating-system-security/network-security/windows-firewall/images/windows-firewall-intune.png deleted file mode 100644 index bda6e08768..0000000000 Binary files a/windows/security/operating-system-security/network-security/windows-firewall/images/windows-firewall-intune.png and /dev/null differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/windows-security.png b/windows/security/operating-system-security/network-security/windows-firewall/images/windows-security.png new file mode 100644 index 0000000000..7270e7e4e7 Binary files /dev/null and b/windows/security/operating-system-security/network-security/windows-firewall/images/windows-security.png differ diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md new file mode 100644 index 0000000000..f1d2d5e956 --- /dev/null +++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md 
@@ -0,0 +1,91 @@
+---
+title: Windows Firewall overview
+description: Learn overview information about the Windows Firewall security feature.
+ms.topic: conceptual
+ms.date: 11/21/2023
+---
+
+# Windows Firewall overview
+
+Windows Firewall is a security feature that helps to protect your device by filtering network traffic that enters and exits your device. This traffic can be filtered based on several criteria, including source and destination IP address, IP protocol, or source and destination port number. Windows Firewall can be configured to block or allow network traffic based on the services and applications that are installed on your device. This allows you to restrict network traffic to only those applications and services that are explicitly allowed to communicate on the network.
+
+Windows Firewall is a host-based firewall that is included with the operating system and enabled by default on all Windows editions.
+
+Windows Firewall supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a *trusted device* can't communicate with your device. You can use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
+
+:::row:::
+ :::column span="2":::
+ Windows Firewall also works with [Network Location Awareness][NLA] so that it can apply security settings appropriate to the types of networks to which the device is connected. For example, Windows Firewall can apply the *public network* profile when the device is connected a coffee shop wi-fi, and the *private network* profile when the device is connected to the home network. This allows you to apply more restrictive settings to public networks to help keep your device secure.
+
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/windows-security.png" alt-text="Screenshot showing the Windows Security app." lightbox="images/windows-security.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+## Practical applications
+
+Windows Firewall offers several benefits to address your organization's network security challenges:
+
+- Reduced risk of network security threats: By reducing the attack surface of a device, Windows Firewall provides an additional layer of defense to the defense-in-depth model. This increases manageability and decreases the likelihood of a successful attack
+- Protection of sensitive data and intellectual property: Windows Firewall integrates with IPsec to provide a simple way to enforce authenticated, end-to-end network communications. This allows for scalable, tiered access to trusted network resources, helping to enforce data integrity and, if necessary, protect data confidentiality
+- Extended value of existing investments: Windows Firewall is a host-based firewall included with the operating system, so no additional hardware or software is required. It's also designed to complement existing non-Microsoft network security solutions through a documented API
+
+[!INCLUDE [windows-firewall](../../../../../includes/licensing/windows-firewall.md)]
+
+## Concepts
+
+The default behavior of Windows Firewall is to:
+
+- block all incoming traffic, unless solicited or matching a *rule*
+- allow all outgoing traffic, unless matching a *rule*
+
+### Firewall rules
+
+*Firewall rules* identify allowed or blocked network traffic, and the conditions for this to happen. The rules offer an extensive selection of conditions to identify traffic, including:
+
+- Application, service or program name
+- Source and destination IP addresses
+- Can make use dynamic values, like default gateway, DHCP servers, DNS servers and local subnets
+- Protocol name or type. For transport layer protocols, TCP and UDP, you can specify ports or port ranges. For custom protocols, you can use a number between 0 and 255 representing the IP protocol
+- Interface type
+- ICMP/ICMPv6 traffic type and code
+
+### Firewall profiles
+
+Windows Firewall offers three network profiles: domain, private and public. The network profiles are used to assign rules. For example, you can allow a specific application to communicate on a private network, but not on a public network.
+
+#### :::image type="icon" source="images/domain-network.svg" border="false"::: Domain network
+
+The *domain network* profile is automatically applied to a device that is joined to an Active Directory domain, when it detects the availability of a domain controller. This network profile cannot be set manually.
+
+> [!TIP]
+> Another option to detect the *domain network* is to configure the policy settings in the [NetworkListManager Policy CSP][CSP-1], which applies to Microsoft Entra joined devices too.
+
+#### :::image type="icon" source="images/private-network.svg" border="false"::: Private network
+
+The *private network* profile is designed for private networks such as a home network. It can be set manually on a network interface by an administrator.
+
+#### :::image type="icon" source="images/public-network.svg" border="false"::: Public network
+
+The *public network* profile is designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, etc. It's the default profile for unidentified networks.
+
+> [!TIP]
+> Use the PowerShell cmdlet `Get-NetConnectionProfile` to retrieve the active network category (`NetworkCategory`). Use the PowerShell cmdlet `Set-NetConnectionProfile` to switch the category between *private* and *public*.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn about Windows Firewall rules and design recommendations:
+>
+> [Windows Firewall rules >](rules.md)
+
+## :::image type="icon" source="images/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Windows Firewall, open [**Feedback Hub**][FHUB] (WIN+F) and use the category **Security and Privacy** > **Network protection**.
+
+
+[FHUB]: feedback-hub:?tabid=2&newFeedback=true
+[NLA]: /windows/win32/winsock/network-location-awareness-service-provider-nla--2
+[CSP-1]: /windows/client-management/mdm/policy-csp-networklistmanager
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md b/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md
deleted file mode 100644
index 225ddf3542..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md
+++ /dev/null
@@ -1,244 +0,0 @@ ---- -title: Isolating Microsoft Store Apps on Your Network -description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Isolating Microsoft Store Apps on Your Network - - -When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. - -For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. - -The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network. 
- -When creating new Microsoft Store apps, a developer can define the following network capabilities for their app: - -- **Home\\Work Networking** - - Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller. - -- **Internet (Client)** - - Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability. - -- **Internet (Client and Server)** - - Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled. - -- **Proximity** - - Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device. - -**In this topic** - -To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules. - -- [Prerequisites](#prerequisites) - -- [Step 1: Define your network](#step-1-define-your-network) - -- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules) - -## Prerequisites - -- A domain controller is installed on your network, and your devices are joined to the Windows domain. - -- Your Microsoft Store app is installed on the client device. - -- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules. 
- - >**Note:**  You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). - -   -## Step 1: Define your network - -The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately. - -A network endpoint is considered part of the **Home\\Work Network** if: - -- It is part of the local subnet of a trusted network. - - For example, home users generally flag their network as Trusted. Local devices will be designated as such. - -- A device is on a network, and it is authenticated to a domain controller. - - - Endpoints within the intranet address space are considered private. - - - Endpoints within the local subnet are considered private. - -- The device is configured for DirectAccess, and the endpoint is part of the intranet address space. - -The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative. - -Any proxies that you configure or that are automatically configured with proxy autoconfiguration (by using Web Proxy Auto-Discovery (WPAD) protocol) are exempt from the intranet zone. You can add proxy addresses by using Group Policy. - -All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet. - -**To configure a GPO that defines your intranet address space** - -1. Open the Group Policy Management snap-in (gpmc.msc), right click on the Group Policy you want to use to define your address space, and select **Edit**. - -2. 
From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**. - -3. In the right pane, double-click **Private network ranges for apps**. - -4. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary. - - For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box. - -5. Double-click **Subnet definitions are authoritative**. - - If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics. - -**To configure the proxy addresses for the intranet and Internet** - -1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons. - -2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons. - -3. Double-click **Proxy definitions are authoritative**. - - If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics. - -## Step 2: Create custom firewall rules - -Microsoft Store apps can declare many capabilities in addition to the network capabilities discussed previously. 
For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices. - -The following table provides a complete list of the possible app capabilities. - -| Capability | Name | Description | -| - | - | - | -| **Internet (Client)** | internetClient | Your outgoing Internet connection.| -| **Internet (Client & Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared. -| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.| -| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.| -| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.| -| **Video Library Access**| videosLibrary| Your Videos library, including the capability to add, change, or delete files.| -| **Music Library Access**| musicLibrary|Your Music library, including the capability to add, change, or delete files.| -| **Default Windows Credentials**| defaultWindowsCredentials| Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.| -| **Removable Storage** | removableStorage| A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.| -| **Shared User Certificates**| sharedUserCertificates| Software and hardware certificates or a smart card, which the app uses to identify you. 
This capability can be used by an employer, a bank, or government services to identify you.| -| **Location**| location| Provides access to the user's current location.| -| **Microphone** | microphone| Provides access to the microphone's audio feed.| -| **Near-field Proximity** | proximity| Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.| -| **Text Messaging** | sms| Provides access to text messaging functionality.| -| **Webcam** | webcam| Provides access to the webcam's video feed.| -| **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.| - -You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Microsoft Store app. - -For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. - -**To block Internet access for any apps on your network that have the Documents Library capability** - -1. Open the Group Policy Management snap-in (gpmc.msc). - -2. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**. - -3. Type a name for the GPO in the **Name** text box, and then click **OK**. - -4. Right-click the new GPO, and then click **Edit**. - -5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall – LDAP://…** - -6. Right-click **Outbound Rules**, and then click **New Rule**. - -7. Click **Custom**, and then click **Next**. - -8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. - -9. 
On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**. - -10. On the **Profile** page, click **Next**. - -11. On the **Name** page, type a name for your rule, and then click **Finish**. - -12. In the right pane, right-click your new rule and click **Properties**. - -13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**. - -14. Click **Application Package Properties**, and then click **OK**. - -15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**. - -16. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**. - -17. Click **Predefined set of computers**, select **Internet**, and click **OK**. - - This scopes the rule to block traffic to Internet devices. - -18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**. - -19. Click **Apply to application packages only**, and then click **OK**. - - >**Important:**  You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way. - -20. Click **OK** to close the **Properties** dialog box. - -21. Close the Group Policy Management Editor. - -22. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**. - -23. Under **Security Filtering**, click **Add**. - -24. Type **domain computers** in the text box, and then click **OK**. - -25. Close the Group Policy Management snap-in. - -Use the following procedure if you want to block intranet access for a specific media sharing app on your network. 
- -**To block intranet access for a specific media sharing app on your network** - -1. Open the Group Policy Management snap-in (gpmc.msc). - -2. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**. - -3. Type a name for your GPO in the **Name** text box, and then click **OK**. - -4. Right-click your new GPO, and then click **Edit**. - -5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall – LDAP://**… - -6. Right-click **Outbound Rules**, and then click **New Rule**. - -7. Click **Custom**, and then click **Next**. - -8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. - -9. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**. - -10. On the **Profile** page, click **Next**. - -11. On the **Name** page, type a name for your rule, and then click **Finish**. - -12. In the right pane, right-click your new rule, and then click **Properties**. - -13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**. - -14. Click **Application Package Properties**, and then click **OK**. - -15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**. - -16. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**. - -17. Click **Apply to this application package**, select the app in the text box, and then click **OK**. - -18. Click **OK** to close the **Properties** dialog box. - -19. Close the Group Policy Management Editor. - -20. 
In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**. - -21. Under **Security Filtering**, click **Add**. - -22. Type **domain computers** in the text box and click **OK**. - -23. Close Group Policy Management. - -## See also - -- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md index 093f4274fb..83f92a658f 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/quarantine.md 
@@ -1,22 +1,19 @@ --- title: Quarantine behavior -description: Quarantine behavior is explained in detail. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 +description: Learn about Windows Firewall and the quarantine feature behavior. +ms.topic: concept-article +ms.date: 11/21/2023 --- # Quarantine behavior -One of the security challenges that network admins face is configuring a machine properly after a network change. +One of the security challenges that network admins face is configuring a device properly after a network change. -Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This requirement by operations is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities. +Network changes can happen frequently. The operations required to recategorize the network after a change, and apply the correct security policies on a device, are nontrivial and might require considerable CPU time. This requirement by operations is especially true for devices that are part of a domain. The delay in applying security policies during network recategorization can be exploited for vulnerabilities. -To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network, and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine. 
+To counter the potential exploitation, Windows Firewall quarantines an interface until the system successfully recategorizes the network, and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked. -While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations. - -Ultimately, the goal of this document is to describe the quarantine feature at a high level and help network admins understand why the application traffic is sometimes blocked by quarantine. +This document describes the quarantine feature and explains why the application traffic could be blocked by quarantine. ## Quarantine filters 
@@ -24,58 +21,50 @@ The quarantine feature creates filters that can be split into three categories: - Quarantine default inbound block filter - Quarantine default exception filters -- Interface un-quarantine filters +- Interface unquarantine filters -These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are: +These filters are added in the `FWPM_SUBLAYER_MPSSVC_QUARANTINE` sublayer and these layers are: -1. FWPM_LAYER_ALE_AUTH_CONNECT_V4 - -2. FWPM_LAYER_ALE_AUTH_CONNECT_V6 - -3. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 - -4. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 +1. `FWPM_LAYER_ALE_AUTH_CONNECT_V4` +1. `FWPM_LAYER_ALE_AUTH_CONNECT_V6` +1. `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4` +1. `FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6` >[!NOTE] -> Any firewall rules added by the customers will not affect the filters in the quarantine sublayer as filters from Firewall rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters. +> Any firewall rules added by policy settings don't affect the filters in the quarantine sublayer. Filters from firewall rules are added in the `FWPM_SUBLAYER_MPSSVC_WF` sublayer. In other words, you can't add your own exception filters to prevent packets from being evaluated by quarantine filters. For more information about WFP layers and sublayers, see [WFP Operation](/windows/win32/fwp/basic-operation). ### Quarantine default inbound block filter -The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet isn't explicitly permitted by another filter in the quarantine sublayer. +The *quarantine default inbound block filter* blocks any new nonloopback inbound connections, unless the packet isn't explicitly permitted by another filter in the quarantine sublayer. 
### Quarantine default exception filters -When the interface is in quarantine state, the quarantine default exception filters will permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state. +When the interface is in quarantine state, the quarantine default exception filters permit new inbound connections given that they meet the conditions of an exception filter. One example of the exception filters is the quarantine default inbound loopback exception filter. This exception filter allows all loopback packets when the interface is in quarantine state. -### Interface un-quarantine filter +### Interface unquarantine filter -The interface un-quarantine filters allow all non-loopback packets if the interface is successfully categorized. +The interface unquarantine filters allow all nonloopback packets if the interface is successfully categorized. ## Quarantine flow -The following events describe the general flow of quarantine: +The following events describe the general flow of quarantine: -1. There's some change on the current network interface. - -2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state. - -3. All non-loopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter. - -4. The WFP filters applicable to the old interface state are removed. - -5. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state. - -6. The interface has now exited quarantine state as the interface un-quarantine filters permit any new non-loopback packets. +1. 
There's some change on the current network interface +1. The interface unquarantine filters don't permit new inbound connections. The interface is now in quarantine state +1. All nonloopback inbound connections are either permitted by quarantine default exception filters or dropped by the quarantine default inbound block filter +1. The WFP filters applicable to the old interface state are removed +1. The WFP filters applicable to the new interface state are added, which include the unquarantine filters for this interface. These filters are updated to match the interface's current state +1. The interface has now exited quarantine state as the interface unquarantine filters permit any new nonloopback packets ## Quarantine diagnostics There are two methods of identifying packet drops from the quarantine default inbound block filter. -Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt: +Given that the network connectivity issue is reproducible, diagnostic traces can be collected by running the following in an administrative command prompt: -```console +```cmd Netsh wfp cap start Netsh wfp cap stop 
@@ -83,17 +72,17 @@ Netsh wfp cap stop These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains drop `netEvents` and filters that existed during that reproduction. -Inside the wfpdiag.xml, search for `netEvents` that have `FWPM_NET_EVENT_TYPE_CLASSIFY_DROP` as the `netEvent` type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name. +Inside the wfpdiag.xml, search for `netEvents` that have `FWPM_NET_EVENT_TYPE_CLASSIFY_DROP` as the `netEvent` type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name. -The characters in the application ID name will be separated by periods: +The characters in the application ID name are separated by periods: ```XML - \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... ``` -The `netEvent` will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more. +The `netEvent` contains more information about the dropped packet, including information about its capabilities, the filter that dropped the packet, and much more. -If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`. +If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` contains `filterOrigin` as `Quarantine Default`. The following code is a sample `netEvent` with `filterOrigin` as `Quarantine Default`. 
@@ -171,14 +160,13 @@ The following code is a sample `netEvent` with `filterOrigin` as `Quarantine Def 5 - ``` -Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event will be logged in Windows Event Viewer. +Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event is logged in Windows Event Viewer. To enable Filtering Platform Connection audits, run the following command in an administrative command prompt: -```console +```cmd Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable ``` 
@@ -186,17 +174,15 @@ Sample drop audit with `filterOrigin` as `Quarantine Default`. ![Quarantine default.](images/quarantine-default1.png) -Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface: +Once the drop's filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface: ```Powershell -Get-NetIPInterface –InterfaceIndex -Get-NetIPInterface –InterfaceIndex 5 +Get-NetIPInterface -InterfaceIndex +Get-NetIPInterface -InterfaceIndex 5 ``` -![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png) - -With the help of the interface name, event viewer can be searched for any interface related changes. +With the help of the interface name, event viewer can be searched for any interface related changes. To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)). -Packet drops from the quarantine default inbound block filter are often transient and don't signify anything more than a network change on the interface. \ No newline at end of file +Packet drops from the quarantine default inbound block filter are often transient and don't signify anything more than a network change on the interface. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md new file mode 100644 index 0000000000..ec90e0fc47 
--- /dev/null +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md 
@@ -0,0 +1,119 @@ +--- +title: Windows Firewall rules +description: Learn about Windows Firewall rules and design recommendations. +ms.date: 11/21/2023 +ms.topic: concept-article +--- + +# Windows Firewall rules + +In many cases, a first step for administrators is to customize the firewall profiles using *firewall rules*, so that they can work with applications or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. + +This article describes the concepts and recommendations for creating and managing firewall rules. + +## Rule precedence for inbound rules + +In many cases, allowing specific types of inbound traffic is required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when configuring inbound exceptions: + +1. Explicitly defined allow rules take precedence over the default block setting +1. Explicit block rules take precedence over any conflicting allow rules +1. More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence + +Because of 1 and 2, when designing a set of policies you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow. + +> [!NOTE] +> Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described. + +## Applications rules + +When first installed, network applications and services issue a *listen call* specifying the protocol/port information required for them to function properly. 
Since there's a default *block* action in Windows Firewall, you must create inbound exception rules to allow the traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. + +:::row::: + :::column span="2"::: + If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: + + - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic + - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created + + :::column-end::: + :::column span="2"::: + :::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false"::: + :::column-end::: +:::row-end::: + +In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. + +> [!NOTE] +> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. + +### WDAC tagging policies + +Windows Firewall supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: + +1. 
Deploy *WDAC AppId tagging policies*: a Windows Defender Application Control policy must be deployed, which specifies individual applications or groups of applications to apply a *PolicyAppId tag* to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching *PolicyAppId*. For more information, see the [WDAC AppId tagging guide](../../../application-security/application-control/windows-defender-application-control/AppIdTagging/wdac-appid-tagging-guide.md) to create, deploy, and test an AppID policy to tag applications. +1. Configure firewall rules using *PolicyAppId tags* using one of the two methods: + - Using the [PolicyAppId node of the Firewall CSP](/windows/client-management/mdm/firewall-csp#mdmstorefirewallrulesfirewallrulenamepolicyappid) with an MDM solution like Microsoft Intune. If you use Microsoft Intune, you can deploy the rules from Microsoft Intune Admin center, under the path **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall Rules**. When creating the rules, provide the *AppId tag* in the **Policy App ID** setting + - Create local firewall rules with PowerShell: use the [`New-NetFirewallRule`](/powershell/module/netsecurity/new-netfirewallrule) cmdlet and specify the `-PolicyAppId` parameter. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported + +## Local policy merge and application rules + +*Rule merging* policy settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*. + +The rule-merging policy settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from CSP or GPO. 
+ +| | Path | +|--|--| +| **CSP** | Domain Profile: `./Vendor/MSFT/Firewall/MdmStore/DomainProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileallowlocalpolicymerge)
Private Profile`./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstoreprivateprofileallowlocalpolicymerge)
Public Profile `./Vendor/MSFT/Firewall/MdmStore/PublicProfile/`[AllowLocalPolicyMerge](/windows/client-management/mdm/firewall-csp#mdmstorepublicprofileallowlocalipsecpolicymerge) | +| **GPO** | **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security**| + +Administrators may disable *LocalPolicyMerge* in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation. + +> [!IMPORTANT] +> If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. + +It's important to create and maintain a list of such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex deployments, a thorough analysis might be needed using network packet capture tools. + +In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes. + +> [!NOTE] +> The use of wildcard patterns, such as `C:\*\teams.exe` isn't supported in application rules. You can only create rules using the full path to the application(s). + +## Firewall rules recommendations + +Here's a list of recommendations when designing your firewall rules: + +- Maintain the default Windows Firewall settings whenever possible. The settings are designed to secure your device for use in most network scenarios. One key example is the default *block behavior* for inbound connections. +- Create your rules in all three profiles, but only enable the firewall rule group on the profiles that suit your scenarios. 
For example, if you are installing a sharing application that is only used on a private network, then it would be best to create firewall rules in all three profiles, but only enable the firewall rule group containing your rules on the private profile. +- Configure restrictions on your firewall rules depending on which profile the rules are applied to. For applications and services that are designed to only be accessed by devices within a home or small business network, it's best to modify the remote address restriction to specify *Local Subnet* only. The same application or service wouldn't have this restriction when used in an enterprise environment. This can be done by adding the remote address restriction to rules that are added to the private and public profiles, while leaving them unrestricted in the domain profile. This remote address restriction shouldn't apply to applications or services that require global Internet connectivity. +- A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. +- When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. +- To maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes. + +### Known issues with automatic rule creation + +When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. 
Having the rules in place before the user first launches the application helps to ensure a seamless experience. + +The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues. + +To determine why some applications are blocked from communicating in the network, check for the following instances: + +1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt +1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes +1. [Local policy merge](#local-policy-merge-and-application-rules) is disabled, preventing the application or network service from creating local rules + +Creation of application rules at runtime can also be prohibited by administrators using the Settings app or policy settings. + +### Outbound rules considerations + +What follows are a few general guidelines for configuring outbound rules. + +- Changing the outbound rules to *blocked* can be considered for certain highly secure environments. However, the inbound rule configuration should never be changed in a way that allows all traffic by default +- It's recommended to *allow outbound* by default for most deployments for the sake of simplification with app deployments, unless the organization prefers tight security controls over ease-of-use +- In high security environments, an inventory of all apps should be logged and maintained. 
Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via GPO or CSP + +## Next steps + +> [!div class="nextstepaction"] +> Learn about the tools to configure Windows Firewall and firewall rules: +> +> [Configuration tools >](tools.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md deleted file mode 100644 index 43e2f9523d..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 -description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Securing End-to-End IPsec connections by using IKEv2 - - -IKEv2 offers the following: - -- Supports IPsec end-to-end transport mode connections - -- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security - -- Supports Suite B (RFC 4869) requirements - -- Coexists with existing policies that deploy AuthIP/IKEv1 - -- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface. - -- Uses certificates for the authentication mechanism - -You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. - -**In this document** - -- [Prerequisites](#prerequisites) - -- [Devices joined to a domain](#devices-joined-to-a-domain) - -- [Device not joined to a domain](#devices-not-joined-to-a-domain) - -- [Troubleshooting](#troubleshooting) - ->**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](/previous-versions//bb648607(v=vs.85)). - -## Prerequisites - -These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication. - -## Devices joined to a domain - -The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. 
- -![the contoso corporate network.](images/corpnet.gif) - -**Figure 1** The Contoso corporate network - -This script does the following: - -- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members. - -- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain. - -- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**. - -- Indicates the certificate to use for authentication. - - >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - -- Creates the IKEv2 connection security rule called **My IKEv2 Rule**. - -![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** - -Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. 
- -```powershell -# Create a Security Group for the computers that will get the policy -$pathname = (Get-ADDomain).distinguishedname -New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` --GroupCategory security -GroupScope Global -path $pathname - -# Add test computers to the Security Group -$computer = Get-ADComputer -LDAPFilter "(name=client1)" -Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer -$computer = Get-ADComputer -LDAPFilter "(name=server1)" -Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer - -# Create and link the GPO to the domain -$gpo = New-gpo IPsecRequireInRequestOut -$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes - -# Set permissions to security group for the GPO -$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace -$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace - -#Set up the certificate for authentication -$gponame = "corp.contoso.com\IPsecRequireInRequestOut" -$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" -$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame - -#Create the IKEv2 Connection Security rule -New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` --InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame -``` - -## Devices not joined to a domain - -Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection. 
- ->**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - -![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands** - -Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. - -```powershell -#Set up the certificate -$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" -$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop - -#Create the IKEv2 Connection Security rule -New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` --InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -``` - -Make sure that you install the required certificates on the participating computers. - -> **Note:** -> - For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). -> - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. -> - For remote devices, you can create a secure website to facilitate access to the script and certificates. - -## Troubleshooting - -Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: - -**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** - -1. Open the Windows Defender Firewall with Advanced Security console. - -2. 
In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. - -3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. - -**Use Windows PowerShell cmdlets to display the security associations.** - -1. Open a Windows PowerShell command prompt. - -2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations. - -3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations. - -**Use netsh to capture IPsec events.** - -1. Open an elevated command prompt. - -2. At the command prompt, type **netsh wfp capture start**. - -3. Reproduce the error event so that it can be captured. - -4. At the command prompt, type **netsh wfp capture stop**. - - A wfpdiag.cab file is created in the current folder. - -5. Open the cab file, and then extract the wfpdiag.xml file. - -6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: - - ```xml - - ERROR_IPSEC_IKE_NO_CERT - 32 - - ``` - In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. - -You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. 
- -## See also - -- [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md) - - - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml index 28a9741aa4..b566dce388 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml 
@@ -1,41 +1,27 @@ items: - name: Overview - href: windows-firewall-with-advanced-security.md - - name: Configure Windows Firewall - href: best-practices-configuring.md - - name: Configure Hyper-V firewall + href: index.md + - name: Firewall rules concepts + href: rules.md + - name: Configure and manage Windows Firewall + items: + - name: Configuration tools + href: tools.md + - name: Configure with Microsoft Intune 🔗 + href: /mem/intune/protect/endpoint-security-firewall-policy + - name: Configure with group policy + href: configure.md + - name: Configure with command line tools + href: configure-with-command-line.md + - name: Hyper-V firewall href: hyper-v-firewall.md - - name: Configure the Windows Firewall log - href: configure-the-windows-firewall-log.md - - name: Secure connections with IPsec - href: securing-end-to-end-ipsec-connections-by-using-ikev2.md - - name: Configure Windows Firewall with PowerShell - href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md - - name: Isolate Microsoft Store apps on your network - href: isolating-apps-on-your-network.md - - name: Firewall rules - items: - - name: Create firewall rules with Microsoft Intune - href: create-windows-firewall-rules-in-intune.md - - name: Create an inbound ICMP rule - href: create-an-inbound-icmp-rule.md - - name: Create an inbound port rule - href: create-an-inbound-port-rule.md - - name: Create an inbound program or service rule - href: create-an-inbound-program-or-service-rule.md - - name: Create an outbound port rule - href: create-an-outbound-port-rule.md - - name: Create an outbound program or service rule - href: create-an-outbound-program-or-service-rule.md - - name: Create inbound rules to support RPC - href: create-inbound-rules-to-support-rpc.md - name: Troubleshoot - items: + items: + - name: Configure Windows Firewall logging + href: configure-logging.md - name: Troubleshoot UWP app connectivity issues in Windows Firewall href: 
troubleshooting-uwp-firewall.md - name: Filter origin audit log improvements href: filter-origin-documentation.md - name: Quarantine behavior - href: quarantine.md - - name: Firewall settings lost on upgrade - href: firewall-settings-lost-on-upgrade.md \ No newline at end of file + href: quarantine.md \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/windows-firewall/tools.md b/windows/security/operating-system-security/network-security/windows-firewall/tools.md new file mode 100644 index 0000000000..f77a0e77df --- /dev/null +++ b/windows/security/operating-system-security/network-security/windows-firewall/tools.md 
@@ -0,0 +1,146 @@
+---
+title: Windows Firewall tools
+description: Learn about the available tools to configure Windows Firewall and firewall rules.
+ms.date: 11/20/2023
+ms.topic: best-practice
+---
+
+# Windows Firewall tools
+
+Windows offers different tools to view the status and configure Windows Firewall. All tools interact with the same underlying services, but provide different levels of control over those services:
+
+- [Windows Security](#windows-security)
+- [Control Panel](#control-panel)
+- [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) (WFAS)
+- [Configuration Service Provider (CSP)](#configuration-service-provider-csp)
+- [Command line tools](#command-line-tools)
+
+> [!NOTE]
+> To change the configuration of Windows Firewall on a device, you must have administative rights.
+
+:::row:::
+ :::column span="4":::
+ #### Windows Security
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ The *Windows Security* app can be used to view the Windows Firewall status and access advanced tools to configure it. Select START, type `Windows Security`, and press ENTER. Once Windows Security is open, select the tab **Firewall & network protection**. Or use the following shortcut:
+ > [!div class="nextstepaction"]
+ > [Open Firewall & network protection][SEC-1]
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/windows-security.png" alt-text="Screenshot showing the Windows Security app." lightbox="images/windows-security.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Control Panel
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ The *Windows Defender Firewall* Control Panel applet provides basic functionalities to configure Windows Firewall. Select START, type `firewall.cpl`, and press ENTER.
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/control-panel.png" alt-text="Screenshot showing the Windows Defender Firewall control panel applet." lightbox="images/control-panel.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Windows Defender Firewall with Advanced Security
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ The *Windows Defender Firewall with Advanced Security* (WFAS) is a Microsoft Management Console (MMC) snap-in that provides advanced configuration functionalities. It can be used locally and in group policy (GPO) implementations.
+
+ - If you are configuring a single device, select START, type `wf.msc`, and press ENTER
+ - If you're configuring devices joined to an Active Directory domain, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**
+
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/wfas.png" alt-text="Screenshot of the Windows Defender Firewall with Advanced Security MMC snap-in." lightbox="images/wfas.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Configuration Service Provider (CSP)
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ The [Firewall CSP][CSP] provides an interface to configure and query the status of Windows Firewall, which can be used with a mobile device management (MDM) solution like Microsoft Intune.
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Command line tools
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ The `NetSecurity` PowerShell module and `Network Command Shell (netsh.exe)` are command line utilities that can be used to query the status and configure Windows Firewall.
+ :::column-end:::
+:::row-end:::
+
+## Group policy processing considerations
+
+The Windows Firewall policy settings are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset between 0 and 30 minutes.
+
+Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions:
+
+1. Reads all firewall rules and settings
+1. Applies any new filters
+1. Removes the old filters
+
+> [!NOTE]
+> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected.
+
+Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure registry policy processing**. The **Process even if the Group Policy objects haven't changed** option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default.
+
+If you enable the option **Process even if the Group Policy objects haven't changed**, the WFP filters get reapplied at **every** background refresh.
In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like:
+
+- Windows Firewall blocks inbound or outbound traffic allowed by group policies
+- Local Firewall settings are applied instead of group policy settings
+- IPsec connections can't establish
+
+The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
+
+To avoid the issue, leave the policy **Configure registry policy processing** to the default value of **Not Configured** or, if already configured, configure it **Disabled**.
+
+> [!IMPORTANT]
+> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change.
+>
+> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
+
+## *Shields up* mode for active attacks
+
+An important Windows Firewall feature you can use to mitigate damage during an active attack is the *shields up* mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
+
+Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or Control Panel.
+
+:::image type="content" alt-text="Screenshot of the Windows Security app showing incoming connections." source="images/fw06-block.png":::
+
+:::image type="content" alt-text="Screenshot of the Control Panel Firewall applet."
source="images/fw07-legacy.png":::
+
+By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access can't work as long as shields up is active.
+
+Once the emergency is over, uncheck the setting to restore regular network traffic.
+
+## Next steps
+
+From the following dropdown, select one of tools to learn how to configure Windows Firewall:
+
+> [!div class="op_single_selector"]
+>
+> - [Configure with Microsoft Intune 🔗][INT-1]
+> - [Configure with group policy](configure.md)
+> - [Configure with command line tools](configure-with-command-line.md)
+
+
+
+[SEC-1]: windowsdefender://network/
+[CSP]: /windows/client-management/mdm/firewall-csp
+[INT-1]: /mem/intune/protect/endpoint-security-firewall-policy
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
deleted file mode 100644
index af1b573655..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md
+++ /dev/null
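Review bot: The sentence "By default, the Windows Firewall blocks everything unless there's an exception rule created" in the *Shields up* section overstates the default: the default inbound action is Block, but the default outbound action is Allow, and the **Block all incoming connections** setting described here only affects inbound traffic, as the later sentence about blocking all inbound connections already says; suggest `By default, Windows Firewall blocks inbound connections unless an allow rule exists; the *shields up* option overrides those inbound exceptions.` The same paragraph switches between "shield up" and "shields up"; use one term throughout. In the group policy section the option is named "Process even if the Group Policy objects haven't changed" in the body text and "…have not changed" in the IMPORTANT note; use the exact UI string in both places so readers can find it. The NOTE at the top of the page has a typo, `administative` → `administrative`.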
@@ -1,40 +0,0 @@ ---- -title: Windows Defender Firewall with Advanced Security -description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. -ms.prod: windows-client -ms.collection: - - highpri - - tier3 - - must-keep -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Windows Defender Firewall with Advanced Security - - -This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. - -## Overview of Windows Defender Firewall with Advanced Security - -Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a trusted device can't communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. - -The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. 
While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - -[!INCLUDE [windows-firewall](../../../../../includes/licensing/windows-firewall.md)] - -## Feature description - -Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy. - -## Practical applications - - -To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits: - -- **Reduces the risk of network security threats.**  Windows Defender Firewall reduces the attack surface of a device, providing an extra layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. - -- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. 
- -- **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). - diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md index 713b98447c..310a26dc87 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md 
@@ -7,7 +7,7 @@ ms.topic: article # Firewall and network protection -The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md). +The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md). This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md index 5ff128f685..a316bca4b5 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md 
@@ -70,7 +70,7 @@ For more information about each section, options for configuring the sections, a > > Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). > -> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md). +> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/index.md). > [!WARNING] > If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 38961897cb..ff13a406b5 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -1,7 +1,7 @@ --- title: Enhanced Phishing Protection in Microsoft Defender SmartScreen description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -ms.date: 09/25/2023 +ms.date: 11/02/2023 ms.topic: conceptual appliesto: - ✅ Windows 11, version 22H2 
@@ -19,7 +19,7 @@ If a user signs into Windows using a password, Enhanced Phishing Protection work - If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory. > [!NOTE] -> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to Microsoft Defender for Endpoint. +> When a user signs-in to a device using a Windows Hello for Business PIN or biometric, Enhanced Phishing Protection does not alert the user or send events to [Microsoft Defender for Endpoint (MDE)](/microsoft-365/security/defender-endpoint/). ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen 
@@ -37,43 +37,51 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP. + +| Setting | Description | +|--|--| +| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy isn't set, Enhanced Phishing Protection automatic data collection honors the end user's settings.
  • | +| Service Enabled | This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | +| Notify Malicious | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above. | +| Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. | +| Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. | + +Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**: -|Setting|Description| -|---------|---------| -|Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | -|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| -|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +- Automatic Data Collection +- Service Enabled +- Notify Malicious +- Notify Password Reuse +- Notify Unsafe App Assign the policy to a security group that contains as members the devices or users that you want to configure. #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) -Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings: +Enhanced Phishing Protection can be configured using the following group policy settings found under **Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection**: -|Setting|Description| -|---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +- Automatic Data Collection +- Service Enabled +- Notify Malicious +- Notify Password Reuse +- Notify Unsafe App #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1]. -| Setting | OMA-URI | Data type | -|-------------------------|---------------------------------------------------------------------------|-----------| -| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer | -| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer | -| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer | -| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer | -| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | +| Setting | OMA-URI | Data type | +|-----------------------------|-------------------------------------------------------------------------------|-----------| +| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer | +| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer | +| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer | +| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer | +| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | --- 
@@ -81,34 +89,53 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][ By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. +| Setting | Default Value | Recommendation | +|---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.
    **Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence | +| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | +| Notify Malicious | **Disabled** for devices onboarded to MDE.
    **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | +| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | +| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | + To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. + +| Setting | Default Value | Recommendation | +|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.
    **Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. | +| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | +| Notify Malicious | **Disabled** for devices onboarded to MDE.
    **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | +| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | +| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | + #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -|Settings catalog element|Recommendation| -|---------|---------| -|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| -|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| -|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| -|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.| +| Settings catalog element | Recommended value | +|---------------------------|-------------------| +| Automatic Data Collection | **Enabled** | +| Service Enabled | **Enabled** | +| Notify Malicious | **Enabled** | +| Notify Password Reuse | **Enabled** | +| Notify Unsafe App | **Enabled** | #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) 
-|Group Policy setting|Recommendation| -|---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| +| Group Policy setting | Recommended value | +|---------------------------|-------------------| +| Automatic Data Collection | **Enabled** | +| Service Enabled | **Enabled** | +| Notify Malicious | **Enabled** | +| Notify Password Reuse | **Enabled** | +| Notify Unsafe App | **Enabled** | #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) -|MDM setting|Recommendation| -|---------|---------| -|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| -|NotifyMalicious|**1**: Turns on Enhanced Phishing 
Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| -|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| -|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.| - +| MDM setting | Recommended value | +|-------------------------|-------------------| +| AutomaticDataCollection | **1** | +| ServiceEnabled | **1** | +| NotifyMalicious | **1** | +| NotifyPasswordReuse | **1** | +| NotifyUnsafeApp | **1** | --- @@ -121,7 +148,4 @@ To better help you protect your organization, we recommend turning on and using [WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense - [MEM-2]: /mem/intune/configuration/settings-catalog - - diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md index d342773f2c..adfc44645c 100644 --- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md +++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md @@ -4,7 +4,7 @@ description: This topic details how Microsoft supports the Common Criteria certi ms.author: sushmanemali author: s4sush ms.topic: reference -ms.date: 11/4/2022 +ms.date: 11/22/2023 ms.reviewer: paoloma ms.collection: - tier3 
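Review bot: The two "Setting / Default Value / Recommendation" tables added on the new side of this hunk contradict each other on the default for Automatic Data Collection — the first row reads `**Enabled** for domain joined devices or devices enrolled with MDM. **Disabled** for all other devices.` while the second reads the reverse — so a reader cannot tell which devices send additional page or app content to Microsoft without an explicit opt-in. Only one table should survive: the second one is the one the prose introduces ("To better help you protect your organization, we recommend…"), whereas the first is inserted before its own introduction and looks like a merge leftover. Which default is correct should be confirmed against the WebThreatDefense CSP reference this page already links as `[WIN-1]` before deleting the other; because this setting governs data collection triggered by a password entry, the documented default is the privacy-relevant value an administrator will audit. Dropping the per-setting descriptions from the Intune, GPO and CSP tables is fine only if the single defaults/recommendation table above them remains the authoritative one.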
@@ -30,7 +30,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf) - [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf) - [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf) - + ### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients 
@@ -101,7 +101,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) - [Administrative Guide](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) - [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) -- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) ### Windows 10, version 1607, Windows Server 2016 
@@ -145,9 +145,9 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) - [Administrative Guide](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) - [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) -- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) -### Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 (VPN) Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -269,7 +269,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) -- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) +- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) ### Windows Server 2003 Certificate Server diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 3648c69063..eaa7ed73d3 100644 
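Review bot: The Certification Report link in the `@@ -269,7` hunk is re-emitted over plain HTTP with an explicit port, `http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf`, while the neighbouring evidence links on the page are HTTPS; since this commit already rewrites the line (whitespace only), it is the right moment to change it to `https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf`. A Common Criteria certification report is assurance evidence a reader will rely on, and a cleartext download can be altered in transit. Confirm the host serves that path over HTTPS before changing the link.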
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -1,5 +1,5 @@ --- -title: Advanced security audit policy settings +title: Advanced security audit policy settings description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 ms.author: vinpa @@ -10,7 +10,7 @@ ms.pagetype: security author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- @@ -26,7 +26,7 @@ The security audit policy settings under **Security Settings\\Advanced Audit Pol - A group administrator has modified settings or data on servers that contain finance information. - An employee within a defined group has accessed an important file. - The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following: - - every file and folder + - every file and folder - registry key on a computer - file share. 
@@ -34,7 +34,7 @@ You can access these audit policy settings through the Local Security Policy sna These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors: - That are of little or no concern to you -- That create an excessive number of log entries. +- That create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories: @@ -63,7 +63,7 @@ The security audit policy settings in this category can be used to monitor chang Detailed Tracking security policy settings and audit events can be used for the following purposes: - To monitor the activities of individual applications and users on that computer -- To understand how a computer is being used. +- To understand how a computer is being used. This category includes the following subcategories: 
@@ -161,12 +161,12 @@ Global Object Access Auditing policy settings allow administrators to define com Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect. Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by: -- Setting the Global Object Access Auditing policy to log all the activities for a specific user +- Setting the Global Object Access Auditing policy to log all the activities for a specific user - Enabling the policy to track "Access denied" events for the file system or registry can help > [!NOTE] > If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. - + This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) - [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index b6bf8dec61..1aed416fd1 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md 
@@ -1,8 +1,8 @@ --- -title: Advanced security audit policies -description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here. +title: Advanced security audit policies +description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,21 +12,21 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/6/2021 ms.technology: itpro-security --- # Advanced security audit policies -Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. -When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. +Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. +When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. 
## In this section -| Topic | Description | +| Article | Description | | - | - | -| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies | -| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies | +| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. | [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. -| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. 
+| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate. diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index c613a28ed2..d8dcb28e30 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -1,8 +1,8 @@ --- -title: Apply a basic audit policy on a file or folder +title: Apply a basic audit policy on a file or folder description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- 
@@ -40,18 +40,18 @@ To complete this procedure, you must be signed in as a member of the built-in Ad - To audit failure events, select **Fail.** - To audit all events, select **All.** - + 6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include: - + - **This folder only** - **This folder, subfolders and files** - **This folder and subfolders** - **This folder and files** - **Subfolders and files only** - - **Subfolders only** + - **Subfolders only** - **Files only** - + 7. By default, the selected **Basic Permissions** to audit are the following: - **Read and execute** - **List folder contents** @@ -60,8 +60,8 @@ To complete this procedure, you must be signed in as a member of the built-in Ad - **Full control** - **Modify** - **Write** - -> [!IMPORTANT] + +> [!IMPORTANT] > Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## More considerations diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index fd97b2de5e..1b9208a8d5 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -1,5 +1,5 @@ --- -title: Audit Token Right Adjusted +title: Audit Token Right Adjusted description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token. manager: aaroncz author: vinaypamnani-msft 
@@ -8,13 +8,13 @@ ms.pagetype: security ms.prod: windows-client ms.technology: itpro-security ms.date: 12/31/2017 -ms.topic: article +ms.topic: reference --- # Audit Token Right Adjusted -Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. +Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation). diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 7773933079..017fb5ec82 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -1,8 +1,8 @@ --- -title: Audit account logon events +title: Audit account logon events description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- 
@@ -45,9 +45,9 @@ You can configure this security setting by opening the appropriate policy under | 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. | | 682 | A user has reconnected to a disconnected terminal server session. | | 683 | A user disconnected a terminal server session without logging off. | - + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 9a6340c3a8..e3e8fa199c 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -1,8 +1,8 @@ --- -title: Audit account management +title: Audit account management description: Determines whether to audit each event of account management on a device. ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- 
@@ -28,7 +28,7 @@ Examples of account management events include: - A user account is renamed, disabled, or enabled. - A password is set or changed. -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To +If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. **Default:** diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index 6da1a9c54e..82647ef71b 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -1,8 +1,8 @@ --- -title: Basic audit directory service access +title: Basic audit directory service access description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- 
@@ -26,7 +26,7 @@ By default, this value is set to no auditing in the Default Domain Controller Gr If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. > **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects. - + **Default:** - Success on domain controllers. @@ -41,9 +41,9 @@ There is only one directory service access event, which is identical to the Obje | Directory service access events | Description | |---------------------------------|----------------------------------------| | 566 | A generic object operation took place. | - + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 523fee4769..4b5e68258f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md 
@@ -1,8 +1,8 @@ --- -title: Audit logon events +title: Audit logon events description: Determines whether to audit each instance of a user logging on to or logging off from a device. ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- @@ -41,11 +41,11 @@ You can configure this security setting by opening the appropriate policy under | - | - | | 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. | | 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. | -| 4634 | The logoff process was completed for a user. | +| 4634 | The logoff process was completed for a user. | | 4647 | A user initiated the logoff process. | | 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | | 4779 | A user disconnected a terminal server session without logging off. | - + When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type. 
@@ -60,9 +60,9 @@ When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also li | 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.| | 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.| | 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.| - + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index c9e7094492..66a2833e20 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -1,8 +1,8 @@ --- -title: Audit object access +title: Audit object access description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified. ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index bd7e9a9b7e..4db162688d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md 
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -1,8 +1,8 @@
 ---
-title: Audit policy change 
+title: Audit policy change
 description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
 ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/06/2021
 ms.technology: itpro-security
 ---
@@ -37,30 +37,30 @@ You can configure this security setting under Computer Configuration\\Windows Se | Policy change events | Description | | - | - | -| 608 | A user right was assigned.| +| 608 | A user right was assigned.| | 609 | A user right was removed. | -| 610 | A trust relationship with another domain was created.| -| 611 | A trust relationship with another domain was removed.| -| 612 | An audit policy was changed.| -| 613 | An Internet Protocol security (IPSec) policy agent started.| +| 610 | A trust relationship with another domain was created.| +| 611 | A trust relationship with another domain was removed.| +| 612 | An audit policy was changed.| +| 613 | An Internet Protocol security (IPSec) policy agent started.| | 614 | An IPSec policy agent was disabled. | | 615 | An IPSec policy agent changed. | -| 616 | An IPSec policy agent encountered a potentially serious failure.| +| 616 | An IPSec policy agent encountered a potentially serious failure.| | 617 | A Kerberos policy changed. | -| 618 | Encrypted Data Recovery policy changed.| -| 620 | A trust relationship with another domain was modified.| +| 618 | Encrypted Data Recovery policy changed.| +| 620 | A trust relationship with another domain was modified.| | 621 | System access was granted to an account. | -| 622 | System access was removed from an account.| -| 623 | Per user auditing policy was set for a user.| +| 622 | System access was removed from an account.| +| 623 | Per user auditing policy was set for a user.| | 625 | Per user audit policy was refreshed. | | 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.
    **Note**  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.| | 769 | Trusted forest information was added.
    **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| | 770 | Trusted forest information was deleted.
    **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| | 771 | Trusted forest information was modified.
    **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| -| 805 | The event log service read the security log configuration for a session. - +| 805 | The event log service read the security log configuration for a session. + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 1382bf0fcb..11a05ab720 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -1,8 +1,8 @@ --- -title: Audit privilege use +title: Audit privilege use description: Determines whether to audit each instance of a user exercising a user right. ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- @@ -46,10 +46,10 @@ You can configure this security setting under Computer Configuration\\Windows Se | - | - | | 576 | Specified privileges were added to a user's access token.
    **Note:**  This event is generated when the user logs on.| | 577 | A user attempted to perform a privileged system service operation. | -| 578 | Privileges were used on an already open handle to a protected object. | - +| 578 | Privileges were used on an already open handle to a protected object. | + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index b7eb7ea1fd..796e7f323f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -1,8 +1,8 @@ --- -title: Audit process tracking +title: Audit process tracking description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- @@ -34,20 +34,20 @@ You can configure this security setting under Computer Configuration\\Windows Se | Process tracking events | Description | | - | - | -| 592 | A new process was created.| +| 592 | A new process was created.| | 593 | A process exited. | -| 594 | A handle to an object was duplicated.| -| 595 | Indirect access to an object was obtained.| +| 594 | A handle to an object was duplicated.| +| 595 | Indirect access to an object was obtained.| | 596 | A data protection master key was backed up.
    **Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.| -| 597 | A data protection master key was recovered from a recovery server.| +| 597 | A data protection master key was recovered from a recovery server.| | 598 | Auditable data was protected. | -| 599 | Auditable data was unprotected.| -| 600 | A process was assigned a primary token.| +| 599 | Auditable data was unprotected.| +| 600 | A process was assigned a primary token.| | 601 | A user attempted to install a service. | | 602 | A scheduler job was created. | - + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 0af90ae965..c3a231e65c 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -1,8 +1,8 @@ --- -title: Audit system events +title: Audit system events description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- 
@@ -37,14 +37,14 @@ You can configure this security setting by opening the appropriate policy under | Logon events | Description | | - | - | -| 512 | Windows is starting up. | +| 512 | Windows is starting up. | | 513 | Windows is shutting down. | -| 514 | An authentication package was loaded by the Local Security Authority.| -| 515 | A trusted logon process has registered with the Local Security Authority.| -| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.| +| 514 | An authentication package was loaded by the Local Security Authority.| +| 515 | A trusted logon process has registered with the Local Security Authority.| +| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.| | 517 | The audit log was cleared. | -| 518 | A notification package was loaded by the Security Accounts Manager.| -| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.| +| 518 | A notification package was loaded by the Security Accounts Manager.| +| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.| | 520 | The system time was changed.
    **Note:**  This audit normally appears twice.|
 ## Related topics
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 95d4e51fe0..93ea3850e5 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,8 +1,8 @@
 ---
-title: Basic security audit policies 
+title: Basic security audit policies
 description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
 ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/06/2021
 ms.technology: itpro-security
 ---
@@ -34,15 +34,15 @@ The event categories that you can choose to audit are: - Audit process tracking - Audit system events -If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user. +If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user. ## In this section -| Topic | Description | +| Article | Description | | - | - | | [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. | -| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. 
| -| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.| +| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. | +| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.| | [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.| - - + + diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 9c9d050b55..70b4c9c798 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -1,8 +1,8 @@ --- -title: Basic security audit policy settings +title: Basic security audit policy settings description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: low author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/06/2021 ms.technology: itpro-security --- 
@@ -26,18 +26,18 @@ Basic security audit policy settings are found under Computer Configuration\\Win | Topic | Description | | - | - | -| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.| -| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.| -| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.| +| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.| +| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.| +| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.| | [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. 
| -| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.| +| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.| | [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. | | [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. | -| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.| +| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.| | [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. | - + ## Related topics - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - + + diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 9a49d95bbe..90f66f7720 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md 
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -1,8 +1,8 @@
 ---
-title: Create a basic audit policy for an event category 
+title: Create a basic audit policy for an event category
 description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
 ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/07/2021
 ms.technology: itpro-security
 ---
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 726f71bbbd..5ca11d5d60 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -166,83 +166,9 @@ Typically, **Primary Group** field for new user accounts has the following value > **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object. +- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event. 
- -| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | -|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------| -| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. | -| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
    Account Enabled | -| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. | -| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
    'Home Directory Required' - Disabled | -| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. | -| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
    'Password Not Required' - Disabled | -| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. | -| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
    Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
    'Encrypted Text Password Allowed' - Enabled | -| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | -| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
    'Normal Account' - Enabled | -| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | -| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
    'Workstation Trust Account' - Enabled | -| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
    'Server Trust Account' - Disabled | -| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
    Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
    'Don't Expire Password' - Enabled | -| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
    'MNS Logon Account' - Enabled | -| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
    'Smartcard Required' - Enabled | -| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
    If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
    'Trusted For Delegation' - Disabled | -| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
    Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
    'Not Delegated' - Enabled | -| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
    'Use DES Key Only' - Enabled | -| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
    Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
    'Don't Require Preauth' - Enabled | -| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | -| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
    If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
    'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | - -For new, manually created, domain or local user accounts typical flags are: - -- Account Disabled - -- 'Password Not Required' - Enabled - -- 'Normal Account' – Enabled - - After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags: - -- 'Password Not Required' – Disabled - -- Account Enabled - - +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 61cd4e80e6..be3bf1a1e5 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md 
@@ -192,39 +192,9 @@ Typical **Primary Group** values for user accounts:
 > [!NOTE]
 > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event.
Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
 - **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index a245d7e5ce..e26b0c96b3 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md 
@@ -170,69 +170,9 @@ Typically, **Primary Group** field for new computer accounts has the following v
 > [!NOTE]
 > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|---|---|---|---|---|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
    Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
    'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
    'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
    Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
    'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
    'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
    'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
    'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
    Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
    'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
    'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
    'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
    If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
    'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
    Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
    'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
    'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
    Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
    'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
    If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
    'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-> Table 7. User’s or Computer’s account UAC flags.
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
 - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`.
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 6d58542822..4a82933448 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -197,43 +197,9 @@ Typical **Primary Group** values for computer accounts:
 > [!NOTE]
 > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. If the value of **userAccountControl** attribute of computer object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the **User Account Control** field in 4742 event.
-
-
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
 - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field.
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index a248fd4f79..9e83c5b9cc 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -1,8 +1,8 @@
 ---
-title: File System (Global Object Access Auditing)
+title: File System (Global Object Access Auditing)
 description: The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) for an entire computer.
 ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index c9acfc2f7a..ba9bfd059d 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,5 +1,5 @@
 ---
-title: How to get a list of XML data name elements in
+title: How to get a list of XML data name elements in
 description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -8,11 +8,11 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.date: 09/09/2021
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
-ms.topic: how-to
+ms.topic: reference
 ---
 # How to get a list of XML data name elements in EventData
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 471ed8c690..2f42573827 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor central access policy and rule definitions
+title: Monitor central access policy and rule definitions
 description: Learn how to use advanced security auditing options to monitor changes to central access policy and central access rule definitions.
 ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
@@ -28,7 +28,7 @@ Follow the procedures in this article to configure settings to monitor changes t
 > [!NOTE]
 > Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
 **Configure settings to monitor central access policy and rule definition changes**
 1. Sign in to your domain controller by using domain administrator credentials.
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index 541639f07d..60d4da3a45 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor claim types
+title: Monitor claim types
 description: Learn how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
 ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
@@ -28,7 +28,7 @@ Use the following procedures to configure settings to monitor changes to claim t
 Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
 >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
 **To configure settings to monitor changes to claim types**
 1. Sign in to your domain controller by using domain administrator credential.
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
index d9e2b2025d..69a7d74967 100644
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor resource attribute definitions
+title: Monitor resource attribute definitions
 description: Learn how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
 ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
@@ -28,7 +28,7 @@ For information about monitoring changes to the resource attributes that apply t
 Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
 >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
 **To configure settings to monitor changes to resource attributes**
 1. Sign in to your domain controller by using domain administrator credentials.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index 806cdbef89..19e11f0da4 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor central access policies for files or folders
+title: Monitor central access policies for files or folders
 description: Monitor changes to central access policies associated with files and folders, when using advanced security auditing options for dynamic access control objects.
 ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
@@ -30,7 +30,7 @@ Use the following procedures to configure settings to monitor central access pol
 > [!NOTE]
 > Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
 **To configure settings to monitor central access policies associated with files or folders**
 1. Sign in to your domain controller by using domain administrator credentials.
@@ -66,7 +66,7 @@ After you configure settings to monitor changes to the central access policies t
 4. Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
 > [!NOTE]
 > You must select a setting that is different than your original setting to generate the audit event.
-
+
 5. In Server Manager, select **Tools**, and then select **Event Viewer**.
 6. Expand **Windows Logs**, and then select **Security**.
 7. Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index c3c6bd7919..84de3a7b3a 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor central access policies on a file server
+title: Monitor central access policies on a file server
 description: Learn how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options.
 ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
@@ -31,7 +31,7 @@ Use the following procedures to configure and verify security auditing settings
 3. In the console tree, select the flexible access Group Policy Object, and then select **Edit**.
 4. Select **Computer Configuration** > **Security Settings** > **Advanced Audit Policy Configuration** > **Policy Change** > **Other Policy Change Events**.
- > [!NOTE]
+ > [!NOTE]
 > This policy setting monitors policy changes that might not be captured otherwise, such as CAP changes or trusted platform module configuration changes.  
 5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
index 4008b0c158..21f8121312 100644
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor the resource attributes on files and folders
+title: Monitor the resource attributes on files and folders
 description: Learn how to use advanced security auditing options to monitor attempts to change settings on the resource attributes of files.
 ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
@@ -31,7 +31,7 @@ If your organization has a carefully thought out authorization configuration for
 Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) .
 >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
 **To monitor changes to resource attributes on files**
 1. Sign in to your domain controller by using domain administrator credentials.
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 5142eff8ca..26a826e404 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor the use of removable storage devices
+title: Monitor the use of removable storage devices
 description: Learn how advanced security auditing options can be used to monitor attempts to use removable storage devices to access network resources.
 ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 09/09/2021
 ms.technology: itpro-security
 ---
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index d97b9e646f..7fc2ba75cf 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -1,8 +1,8 @@
 ---
-title: Monitor user and device claims during sign-in
+title: Monitor user and device claims during sign-in
 description: Learn how to monitor user and device claims that are associated with a user’s security token. This advice assumes you have deployed Dynamic Access Control.
 ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- @@ -27,7 +27,7 @@ Device claims are associated with the system that is used to access resources th Use the following procedures to monitor changes to user claims and device claims in the user’s sign-in token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. - + **To monitor user and device claims in user logon token** 1. Sign in to your domain controller by using domain administrator credentials. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 02b8e42af0..35b3eb2d9c 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md 
@@ -1,8 +1,8 @@ --- -title: Plan and deploy advanced security audit policies +title: Plan and deploy advanced security audit policies description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- @@ -120,7 +120,7 @@ The following table provides an example of a resource analysis for an organizati | Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1
    Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| | Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2
    Lab Assistants: Write only on MedRec-2
    Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| | Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1
    Public: Read only on Web-Ext-1| Low| Public education and corporate image| - + ### Users Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate. @@ -140,7 +140,7 @@ The following table illustrates an analysis of users on a network. Our example c | Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | | Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | | External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.| - + ### Computers Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: 
@@ -151,14 +151,14 @@ Security and auditing requirements and audit event volume can vary considerably > [!NOTE] > For more information about auditing: > - In Exchange Server, see [Exchange 2010 Security Guide](/previous-versions/office/exchange-server-2010/bb691338(v=exchg.141)). - > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)). + > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)). > - In SQL Server 2012, see [SQL Server Audit (Database Engine)](/sql/relational-databases/security/auditing/sql-server-audit-database-engine). - + - The operating system versions > [!NOTE] > The operating system version determines which auditing options are available and the volume of audit event data. - + - The business value of the data For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network. 
@@ -171,7 +171,7 @@ The following table illustrates an analysis of computers in an organization. | File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| | Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location| | Web servers | Windows Server 2008 R2 | WebSrv OU| - + ### Regulatory requirements Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries/regions have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance. @@ -199,7 +199,7 @@ By using Group Policy, you can apply your security audit policy to defined group > Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored. - + The following examples show how you can apply audit policies to an organization's OU structure: 
@@ -210,8 +210,8 @@ The following examples show how you can apply audit policies to an organization' ## Map your security auditing goals to a security audit policy configuration After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of: -- Computers that need to be monitored -- Activities that you want to audit +- Computers that need to be monitored +- Activities that you want to audit - Audit events that your audit configuration will generate - Administrators available to analyze and act upon audit data @@ -230,7 +230,7 @@ You can view and configure security audit policy settings in the supported versi - *Security Settings\\Local Policies\\Audit Policy* - *Security Settings\\Local Policies\\Security Options* - *Security Settings\\Advanced Audit Policy Configuration* - + For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). ### Choose audit settings to use 
@@ -255,16 +255,16 @@ Compromise to an organization's data resources can cause tremendous financial lo > [!NOTE] > To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). - + - **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL. Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes. - + - **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented. 
> [!IMPORTANT] > The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. - + ### User activity The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers. @@ -279,7 +279,7 @@ In most cases, these attempts are legitimate, and the network needs to make data > [!NOTE] > There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated. - + - **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons. - **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done. - **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section. 
@@ -288,7 +288,7 @@ In most cases, these attempts are legitimate, and the network needs to make data > [!IMPORTANT] > On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer. - + - **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. - **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. 
@@ -301,7 +301,7 @@ The following network activity policy settings enable you to monitor security-re >[!NOTE] >**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed. - + - **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. - **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers. - **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly. 
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index ac19f5355d..b82b7aa8de 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -1,8 +1,8 @@ --- -title: Registry (Global Object Access Auditing) +title: Registry (Global Object Access Auditing) description: The Advanced Security Audit policy setting, Registry (Global Object Access Auditing), enables you to configure a global system access control list (SACL). ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index da20ec1bb0..a4e0800569 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -1,8 +1,8 @@ --- -title: Security auditing +title: Security auditing description: Learn about security auditing features in Windows, and how your organization can benefit from using them to make your network more secure and easily managed. ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- 
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 0d0c6e1fb7..076763b3d8 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -1,8 +1,8 @@ --- -title: Using advanced security auditing options to monitor dynamic access control objects +title: Using advanced security auditing options to monitor dynamic access control objects description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- 
@@ -40,9 +40,9 @@ Domain administrators can create and deploy expression-based security audit poli | [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. | | [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. | | [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.| - + >**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. - + ## Related topics - [Security auditing](security-auditing-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index 25265ee877..88b1438852 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md 
@@ -1,8 +1,8 @@ --- -title: View the security event log +title: View the security event log description: The security log records each event as defined by the audit policies you set on each object. ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index ef99d2c066..2ede0f5748 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -1,8 +1,8 @@ --- -title: Which editions of Windows support advanced audit policy configuration +title: Which editions of Windows support advanced audit policy configuration description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies. ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/09/2021 ms.technology: itpro-security --- 
@@ -20,7 +20,7 @@ ms.technology: itpro-security # Which editions of Windows support advanced audit policy configuration -Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. -There's no difference in security auditing support between 32-bit and 64-bit versions. -Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features. +Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. +There's no difference in security auditing support between 32-bit and 64-bit versions. +Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features. diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index ffc754aaf6..aafae23e17 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -26,7 +26,7 @@ See the following articles to learn more about the different areas of Windows th - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection) - [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview) -- [Windows Firewall](../operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md) +- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md) - [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) ## Next-generation protection 
diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index dc6bf37ae5..81f50b4fda 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -1,8 +1,8 @@ --- -title: Access Credential Manager as a trusted caller +title: Access Credential Manager as a trusted caller description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -56,7 +56,7 @@ The following table shows the default value for the server type or Group Policy | Domain controller effective default settings | Not defined | | Member server effective default settings | Not defined | | Client computer effective default settings | Not defined | - + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -93,4 +93,4 @@ None. Not defined is the default configuration. ## Related topics [User Rights Assignment](user-rights-assignment.md) - + diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index b5ace4fc62..f8a0e483fd 100644 
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -1,8 +1,8 @@ --- -title: Access this computer from the network - security policy setting +title: Access this computer from the network - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 06/11/2021 ms.technology: itpro-security --- @@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values for the | Domain controller effective default settings | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access | | Member server effective default settings | Everyone, Administrators, Users, Backup Operators | | Client computer effective default settings |Everyone, Administrators, Users, Backup Operators | - + ## Policy management When you modify this user right, the following actions might cause users and services to experience network access issues: 
@@ -103,11 +103,11 @@ Users who can connect from their device to the network can access resources on t ### Countermeasure -Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared +Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared from servers in the domain if members of the **Domain Users** group are included in the local **Users** group. > **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement. - + ### Potential impact If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network. @@ -116,5 +116,5 @@ If running Windows Server or Azure Stack HCI Failover Clustering, don't remove A ## Related topics [User Rights Assignment](user-rights-assignment.md) - - + + 
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 89634c3e27..ab6ba1901c 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -1,8 +1,8 @@ --- -title: Account lockout duration +title: Account lockout duration description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting. ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 08/16/2021 ms.technology: itpro-security --- @@ -40,7 +40,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually. -It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. +It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. ### Location 
@@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | Not defined | | Member server effective default settings | Not defined | | Client computer effective default settings | Not applicable | - + ## Security considerations More than a few unsuccessful password submissions during an attempt to sign in to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track sign-in attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. @@ -78,5 +78,5 @@ Configuring the **Account lockout duration** policy setting to 0 so that account ## Related topics [Account Lockout Policy](account-lockout-policy.md) - - + + diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index fe39bbcede..1872b25b41 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -1,8 +1,8 @@ --- -title: Account Lockout Policy +title: Account Lockout Policy description: Describes the Account Lockout Policy settings and links to information about each policy setting. ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 10/11/2018 ms.technology: itpro-security --- 
@@ -41,9 +41,9 @@ The following topics provide a discussion of each policy setting's implementatio
 | [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
 | [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
 | [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
-
+
 ## Related topics
 [Configure security policy settings](how-to-configure-security-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index a735631952..2bae54f4e2 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -1,8 +1,8 @@
 ---
-title: Account lockout threshold 
+title: Account lockout threshold
 description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.
 ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: 
+ms.collection:
 - highpri
 - tier3
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 11/02/2018
 ms.technology: itpro-security
 ---
@@ -52,7 +52,7 @@ The threshold that you select is a balance between operational efficiency and se
 As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article.
-
+
 ### Location
 **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values. Defaul
 | Domain controller effective default settings | 0 invalid sign-in attempts |
 | Member server effective default settings |0 invalid sign-in attempts |
 | Effective GPO default settings on client computers |0 invalid sign-in attempts |
-
+
 ### Policy management
 This section describes features and tools that are available to help you manage this policy setting.
@@ -88,7 +88,7 @@ Implementation of this policy setting depends on your operational environment. C
 - Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
-For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). 
+For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 ## Security considerations
@@ -105,7 +105,7 @@ However, a DoS attack could be performed on a domain that has an account lockout
 > [!NOTE]
 > Offline password attacks are not countered by this policy setting.
-
+
 ### Countermeasure
 Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
@@ -114,11 +114,11 @@ Because vulnerabilities can exist when this value is configured and when it's no
 - The password policy setting requires all users to have complex passwords of eight or more characters.
 - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
-
+
 - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
-
+
 Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
 ### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index a3fdbe5a3f..4504d333df 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -1,8 +1,8 @@
 ---
-title: Account Policies 
+title: Account Policies
 description: An overview of account policies in Windows and provides links to policy descriptions.
 ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -28,7 +28,7 @@ An overview of account policies in Windows and provides links to policy descript
 All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
 > [!NOTE]
 > Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
-
+
 The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply.
 ## In this section
@@ -38,7 +38,7 @@ The only exception is when another account policy is defined for an organization
 | [Password Policy](password-policy.md) | An overview of password policies for Windows and links to information for each policy setting. |
 | [Account Lockout Policy](account-lockout-policy.md) | Describes the Account Lockout Policy settings and links to information about each policy setting. |
 | [Kerberos Policy](kerberos-policy.md) | Describes the Kerberos Policy settings and provides links to policy setting descriptions. |
-
+
 ## Related topics
 [Configure security policy settings](how-to-configure-security-policy-settings.md)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 23e43f6d45..179f5ba556 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -1,8 +1,8 @@
 ---
-title: Accounts Administrator account status 
+title: Accounts Administrator account status
 description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting.
 ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 08/01/2017
 ms.technology: itpro-security
 ---
@@ -87,7 +87,7 @@ When you start a device in safe mode, the disabled administrator account is enab
 ### How to access a disabled Administrator account
 You can use the following methods to access a disabled Administrator account:
-- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer. 
+- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
 - For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account.
 ## Security considerations
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index ab6175a99f..1ac6245b9b 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -1,8 +1,8 @@
 ---
-title: Accounts Block Microsoft accounts 
+title: Accounts Block Microsoft accounts
 description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting.
 ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 08/10/2017
 ms.technology: itpro-security
 ---
@@ -67,7 +67,7 @@ The following table lists the actual and effective default values for this polic
 | DC Effective Default Settings | Disabled |
 | Member Server Effective Default Settings | Disabled |
 | Client Computer Effective Default Settings | Disabled |
-
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
@@ -95,4 +95,4 @@ Establishing greater control over accounts in your organization can give you mor
 ## Related topics
 [Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index ca1a50819a..6c768ad6d6 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -1,8 +1,8 @@
 ---
-title: Accounts Guest account status - security policy setting 
+title: Accounts Guest account status - security policy setting
 description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
 ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic
 | DC Effective Default Settings | Disabled |
 | Member Server Effective Default Settings | Disabled |
 | Client Computer Effective Default Settings | Disabled |
-
+
 ## Security considerations
 This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
@@ -76,5 +76,5 @@ All network users must be authenticated before they can access shared resources.
 ## Related topics
 [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 05b4e8f3ea..947a4c0f6f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -1,8 +1,8 @@
 ---
-title: Accounts Limit local account use of blank passwords 
+title: Accounts Limit local account use of blank passwords
 description: Learn best practices, security considerations, and more for the policy setting, Accounts Limit local account use of blank passwords to console logon only.
 ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic
 | DC Effective Default Settings | Enabled |
 | Member Server Effective Default Settings | Enabled |
 | Client Computer Effective Default Settings | Enabled |
-
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index 0e9b3c3257..44905ab096 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -1,8 +1,8 @@
 ---
-title: Accounts Rename administrator account 
+title: Accounts Rename administrator account
 description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
 ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
 | DC Effective Default Settings | Administrator |
 | Member Server Effective Default Settings | Administrator |
 | Client Computer Effective Default Settings | Administrator |
-
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
@@ -93,5 +93,5 @@ You must provide users who are authorized to use this account with the new accou
 ## Related topics
 [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index da35071790..d034cdf835 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -1,8 +1,8 @@
 ---
-title: Accounts Rename guest account - security policy setting 
+title: Accounts Rename guest account - security policy setting
 description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
 ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
 | DC Effective Default Settings | Guest |
 | Member Server Effective Default Settings | Guest |
 | Client Computer Effective Default Settings | *User-defined text* |
-
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
 ### Vulnerability
-The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges 
+The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
 or install software that could be used for a later attack on your system.
 ### Countermeasure
@@ -92,5 +92,5 @@ There should be little impact because the Guest account is disabled by default i
 ## Related topics
 [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index d8915c4e18..1bdbf787f1 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -1,8 +1,8 @@
 ---
-title: Act as part of the operating system 
+title: Act as part of the operating system
 description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting.
 ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -21,7 +21,7 @@ ms.technology: itpro-security
 **Applies to**
 - Windows 11
-- Windows 10 
+- Windows 10
 Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting.
@@ -51,11 +51,11 @@ The following table lists the actual and effective default policy values for the
 | - | - |
 | Default domain policy | Not defined |
 | Default domain controller policy| Not defined |
-| Stand-alone server default settings | Not defined | 
+| Stand-alone server default settings | Not defined |
 | Domain controller effective default settings | Not defined |
 | Member server effective default settings | Not defined |
 | Client computer effective default settings | Not defined |
-
+
 ## Policy management
 A restart of the device isn't required for this policy setting to be effective.
@@ -90,4 +90,4 @@ There should be little or no impact because the **Act as part of the operating s
 ## Related topics
 [User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index 139d15f4ec..fb594e8748 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -1,13 +1,13 @@
 ---
 title: Add workstations to domain
 description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -81,7 +81,7 @@ This policy has the following security considerations:
 ### Vulnerability
-The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative 
+The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
 privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group.
 ### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 5ec3171725..5c9b499b8b 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -1,8 +1,8 @@
 ---
-title: Adjust memory quotas for a process 
+title: Adjust memory quotas for a process
 description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting.
 ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -53,7 +53,7 @@ By default, members of the Administrators, Local Service, and Network Service gr
 The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value | 
+| Server type or GPO | Default value |
 | - | - |
 | Default Domain Policy | Administrators
    Local Service
    Network Service | | Default Domain Controller Policy | Administrators
    Local Service
Network Service |
@@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul
 | Domain Controller Effective Default Settings | Administrators
    Local Service
    Network Service | | Member Server Effective Default Settings | Administrators
    Local Service
    Network Service | | Client Computer Effective Default Settings | Administrators
    Local Service
Network Service |
-
+
 ## Policy management
 A restart of the device is not required for this policy setting to be effective.
@@ -97,5 +97,5 @@ Organizations that have not restricted users to roles with limited privileges ma
 ## Related topics
 - [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index bca371957d..3a11417c5b 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -1,8 +1,8 @@
 ---
-title: Administer security policy settings 
+title: Administer security policy settings
 description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
 ms.assetid: 7617d885-9d28-437a-9371-171197407599
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -250,7 +250,7 @@ For example, a workstation that is joined to a domain will have its local securi
 both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
 > [!NOTE]
-> Use gpresult.exe to find out what policies are applied to a device and in what order. 
+> Use gpresult.exe to find out what policies are applied to a device and in what order.
 For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
 **Persistence in security settings**
@@ -300,10 +300,10 @@ To avoid continued flagging of settings that you've investigated and determined
 You can resolve discrepancies between analysis database and system settings by:
 - Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
-- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels. 
-- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. 
-Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. 
-You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. 
+- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
+- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
+Changes to the analysis database are made to the stored template in the database, not to the security template file. 
The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
+You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
 In general, don't use **Configure Computer Now** when you're analyzing security for domain-based clients, since you'll have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
 ### Automating security configuration tasks
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 5c246fea41..ec8dd1980d 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index aa212b8064..b76363e1b5 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@ --- -title: Allow log on through Remote Desktop Services +title: Allow log on through Remote Desktop Services description: Best practices, location, values, policy management, and security considerations for the security policy setting. Allow a sign-in through Remote Desktop Services. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -55,11 +55,11 @@ The following table lists the actual and effective default policy values. Defaul | Default Domain Policy | Not Defined | | Default Domain Controller Policy | Not Defined | | Domain Controller Local Security Policy | Administrators | -| Stand-Alone Server Default Settings | Administrators
    Remote Desktop Users | -| Domain Controller Effective Default Settings | Administrators | +| Stand-Alone Server Default Settings | Administrators
    Remote Desktop Users | +| Domain Controller Effective Default Settings | Administrators | | Member Server Effective Default Settings | Administrators
    Remote Desktop Users | | Client Computer Effective Default Settings | Administrators
    Remote Desktop Users | - + ## Policy management This section describes different features and tools available to help you manage this policy. @@ -96,7 +96,7 @@ Any account with the **Allow log on through Remote Desktop Services** user right For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. > **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. - + Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right. ### Potential impact @@ -106,5 +106,5 @@ Removal of the **Allow log on through Remote Desktop Services** user right from ## Related topics - [User Rights Assignment](user-rights-assignment.md) - - + + diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 5957adf4ab..25ef7bc3d6 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md 
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -1,8 +1,8 @@ --- -title: Audit the access of global system objects +title: Audit the access of global system objects description: Describes the best practices, location, values, and security considerations for the audit of the access to global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Disabled | -| DC Effective Default Settings | Disabled | -| Member Server Effective Default Settings | Disabled | -| Client Computer Effective Default Settings | Disabled | - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled | + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -86,22 +86,22 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | Event ID | Event message | | - | - | -| 4659 | A handle to an object was requested with intent to delete. | -| 4660 | An object was deleted. | -| 4661 | A handle to an object was requested. | -| 4663 | An attempt was made to access an object. | - +| 4659 | A handle to an object was requested with intent to delete. | +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested. | +| 4663 | An attempt was made to access an object. | + If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated: | Event ID | Event message | | - | - | -| 560 | Access was granted to an already existing object. | -| 562 | A handle to an object was closed. | +| 560 | Access was granted to an already existing object. | +| 562 | A handle to an object was closed. | | 563 | An attempt was made to open an object with the intent to delete it.
    **Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | | 564 | A protected object was deleted. | -| 565 | Access was granted to an already existing object type. | +| 565 | Access was granted to an already existing object type. | | 567 | A permission associated with a handle was used.
    **Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | -| 569 | The resource manager in Authorization Manager attempted to create a client context. | +| 569 | The resource manager in Authorization Manager attempted to create a client context. | | 570 | A client attempted to access an object.
    **Note:** An event will be generated for every attempted operation on the object. | ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 7d38765755..011e035679 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -2,7 +2,7 @@ title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)" description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting." ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/01/2019 ms.technology: itpro-security --- 
@@ -51,11 +51,11 @@ The following table lists the actual and effective default values for this polic | - | - | | Default Domain Policy | Not defined | | Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Disabled | -| DC Effective Default Settings | Disabled | -| Member Server Effective Default Settings | Disabled | -| Client Computer Effective Default Settings | Disabled | - +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled | + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -92,4 +92,4 @@ If you enable this policy setting, a large number of security events could be ge ## Related topics - [Security Options](security-options.md) - + diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 5caf39e495..663cfb1d30 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md 
@@ -1,8 +1,8 @@ --- -title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings +title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings description: Learn more about the security policy setting, Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -51,12 +51,12 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined | +| Default Domain Controller Policy | Not defined | | Stand-Alone Server Default Settings | Enabled | | DC Effective Default Settings | Enabled | -| Member Server Effective Default Settings | Enabled | -| Client Computer Effective Default Settings | Enabled | - +| Member Server Effective Default Settings | Enabled | +| Client Computer Effective Default Settings | Enabled | + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -93,12 +93,12 @@ Enable audit policy subcategories as needed to track specific events. ### Potential impacts -If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the +If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the **SCENoApplyLegacyAuditPolicy** key. > **Important:**  Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance. - + ## Related topics - [Security Options](security-options.md) - - + + diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md index a542276f2e..bf27ff18aa 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-policy.md +++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md @@ -1,8 +1,8 @@ --- -title: Audit Policy +title: Audit Policy description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 61bd4aecfc..da06353caf 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -1,8 +1,8 @@ --- -title: Audit Shut down system immediately if unable to log security audits +title: Audit Shut down system immediately if unable to log security audits description: Best practices, security considerations, and more for the security policy setting, Audit Shut down system immediately if unable to log security audits. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined -| Default Domain Controller Policy | Not defined -| Stand-Alone Server Default Settings | Disabled -| DC Effective Default Settings | Disabled -| Member Server Effective Default Settings | Disabled -| Client Computer Effective Default Settings | Disabled - +| Default Domain Policy | Not defined +| Default Domain Controller Policy | Not defined +| Stand-Alone Server Default Settings | Disabled +| DC Effective Default Settings | Disabled +| Member Server Effective Default Settings | Disabled +| Client Computer Effective Default Settings | Disabled + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -96,5 +96,5 @@ If you enable this policy setting, the administrative burden can be significant, ## Related topics - [Security Options](security-options.md) - - + + diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index 40d4bdfda2..3bd99b5590 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -1,8 +1,8 @@ --- -title: Back up files and directories - security policy setting +title: Back up files and directories - security policy setting description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -78,7 +78,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Server Operators| | Member Server Effective Default Settings | Administrators
    Backup Operators| | Client Computer Effective Default Settings | Administrators
    Backup Operators| - + ## Policy management A restart of the device isn't required for this policy setting to be effective. @@ -115,5 +115,5 @@ Changes in the membership of the groups that have the user right to back up file ## Related topics - [User Rights Assignment](user-rights-assignment.md) - - + + diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index 6f06c8e9a2..f4a8745518 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -1,8 +1,8 @@ --- -title: Bypass traverse checking +title: Bypass traverse checking description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting. ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not Defined | -| Default Domain Controller Policy | Administrators
    Authenticated Users
    Everyone
    Local Service
    Network Service
    Pre-Windows 2000 Compatible Access| -| Stand-Alone Server Default Settings | Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service| -| Domain Controller Effective Default Settings | Administrators
    Authenticated Users
    Everyone
    Local Service
    Network Service
    Pre-Windows 2000 Compatible Access| -| Member Server Effective Default Settings | Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service| -| Client Computer Effective Default Settings | Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service| - +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Administrators
    Authenticated Users
    Everyone
    Local Service
    Network Service
    Pre-Windows 2000 Compatible Access| +| Stand-Alone Server Default Settings | Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service| +| Domain Controller Effective Default Settings | Administrators
    Authenticated Users
    Everyone
    Local Service
    Network Service
    Pre-Windows 2000 Compatible Access| +| Member Server Effective Default Settings | Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service| +| Client Computer Effective Default Settings | Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service| + ## Policy management Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder doesn't provide any Read or Write permissions to the user. @@ -98,4 +98,4 @@ The Windows operating systems and many applications were designed with the expec ## Related topics - [User Rights Assignment](user-rights-assignment.md) - + diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index e09a09a6bb..d985a6eaf9 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -1,8 +1,8 @@ --- -title: Change the system time - security policy setting +title: Change the system time - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not Defined | +| Default Domain Policy| Not Defined | | Default Domain Controller Policy | Administrators
    Server Operators
    Local Service| | Stand-Alone Server Default Settings | Administrators
    Local Service| -| DC Effective Default Settings | Administrators
    Server Operators
    Local Service| +| DC Effective Default Settings | Administrators
    Server Operators
    Local Service| | Member Server Effective Default Settings | Administrators
    Local Service| -| Client Computer Effective Default Settings | Administrators
    Local Service| - +| Client Computer Effective Default Settings | Administrators
    Local Service| + ## Policy management This section describes features, tools and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index dffd58d25b..3ac7b50a9c 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -1,8 +1,8 @@ --- -title: Change the time zone - security policy setting +title: Change the time zone - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not Defined| -| Default Domain Controller Policy | Administrators
    Users| -| Stand-Alone Server Default Settings | Administrators
    Users| -| Domain Controller Effective Default Settings | Administrators
    Users| -| Member Server Effective Default Settings | Administrators
    Users| -| Client Computer Effective Default Settings | Administrators
    Users| - +| Default Domain Policy| Not Defined| +| Default Domain Controller Policy | Administrators
    Users| +| Stand-Alone Server Default Settings | Administrators
    Users| +| Domain Controller Effective Default Settings | Administrators
    Users| +| Member Server Effective Default Settings | Administrators
    Users| +| Client Computer Effective Default Settings | Administrators
    Users| + ## Policy management A restart of the device is not required for this policy setting to be effective. diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 0a179de698..a28a19a33f 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -1,8 +1,8 @@ --- -title: Create a pagefile - security policy setting +title: Create a pagefile - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Administrators | -| Default Domain Controller Policy | Administrators | -| Stand-Alone Server Default Settings | Administrators | -| Domain Controller Effective Default Settings | Administrators | -| Member Server Effective Default Settings | Administrators | -| Client Computer Effective Default Settings | Administrators | - +| Default Domain Policy | Administrators | +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators | + ## Policy management A restart of the device isn't required for this policy setting to be effective. diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index 90c8d547a4..6c50cc0ce0 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -1,8 +1,8 @@ --- -title: Create a token object +title: Create a token object description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting. ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not Defined | -| Default Domain Controller Policy | Not Defined | -| Stand-Alone Server Default Settings | Not Defined | -| Domain Controller Effective Default Settings | Local System | -| Member Server Effective Default Settings | Local System | -| Client Computer Effective Default Settings | Local System | - +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined | +| Domain Controller Effective Default Settings | Local System | +| Member Server Effective Default Settings | Local System | +| Client Computer Effective Default Settings | Local System | + ## Policy management A restart of the device isn't required for this policy setting to be effective. @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability >**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. - + Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users sign in to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they're currently logged on. They could escalate their privileges or create a DoS condition. ### Countermeasure 
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index 748588c0e1..18fb5d25ad 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -1,8 +1,8 @@ --- -title: Create global objects +title: Create global objects description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting. ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not Defined | -| Default Domain Controller Policy | Administrators
    Local Service
    Network Service
    Service| -| Stand-Alone Server Default Settings | Administrators
    Local Service
    Network Service
    Service| -| Domain Controller Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| -| Member Server Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| -| Client Computer Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| - +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators
    Local Service
    Network Service
    Service| +| Stand-Alone Server Default Settings | Administrators
    Local Service
    Network Service
    Service| +| Domain Controller Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| +| Member Server Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| +| Client Computer Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| + ## Policy management A restart of the device isn't required for this policy setting to take effect. @@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk. -By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right. +By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index 29994f1b96..e5d58fc80d 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -1,8 +1,8 @@ --- -title: Create permanent shared objects +title: Create permanent shared objects description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting. ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not Defined| -| Default Domain Controller Policy | Not Defined | -| Stand-Alone Server Default Settings | Not Defined| -| Domain Controller Effective Default Settings | **LocalSystem**| -| Member Server Effective Default Settings | **LocalSystem**| -| Client Computer Effective Default Settings | **LocalSystem**| - +| Default Domain Policy | Not Defined| +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined| +| Domain Controller Effective Default Settings | **LocalSystem**| +| Member Server Effective Default Settings | **LocalSystem**| +| Client Computer Effective Default Settings | **LocalSystem**| + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index e728e58567..970e2ddfd7 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -1,8 +1,8 @@ --- -title: Create symbolic links +title: Create symbolic links description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting. ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not Defined| -| Default Domain Controller Policy | Not Defined| -| Stand-Alone Server Default Settings | Not Defined| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy | Not Defined| +| Default Domain Controller Policy | Not Defined| +| Stand-Alone Server Default Settings | Not Defined| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 03d85f19cb..6426a749bf 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
@@ -1,8 +1,8 @@ --- -title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax +title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax description: Learn about best practices and more for the syntax policy setting, DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL). ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -55,12 +55,12 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | - | - | | Default Domain Policy | Blank | -| Default Domain Controller Policy | Blank | -| Stand-Alone Server Default Settings | Blank | -| DC Effective Default Settings | Not defined | -| Member Server Effective Default Settings | Not defined | -| Client Computer Effective Default Settings | Not defined | - +| Default Domain Controller Policy | Blank | +| Stand-Alone Server Default Settings | Blank | +| DC Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined | + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -72,7 +72,7 @@ None. Changes to this policy become effective without a computer restart when th The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This precedence means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users aren't changed. Use care in configuring the list of users and groups. -If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. 
This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This information defines the setting and sets the appropriate SDDL value. ## Security considerations @@ -96,5 +96,5 @@ Windows implements default COM ACLs when they're installed. Modifying these ACLs ## Related topics - [Security Options](security-options.md) - - + + diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index d4c07f3415..5accd3bbbc 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -1,8 +1,8 @@ --- -title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax +title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax description: Best practices and more for the security policy setting, DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax. ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define more computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an extra access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. -The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. 
You can type the security descriptor in SDDL, or you can grant or deny Local +The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running. ### Possible values @@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Blank | -| Default Domain Controller Policy | Blank| -| Stand-Alone Server Default Settings |Blank | -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined | -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy | Blank | +| Default Domain Controller Policy | Blank| +| Stand-Alone Server Default Settings |Blank | +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index d5058a6e3f..c65db98a6f 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md 
@@ -1,8 +1,8 @@ --- -title: Debug programs +title: Debug programs description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting. ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Administrators | -| Stand-Alone Server Default Settings | Administrators | -| Domain Controller Effective Default Settings | Administrators | -| Member Server Effective Default Settings | Administrators | -| Client Computer Effective Default Settings | Administrators | - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators | +| Client Computer Effective Default Settings | Administrators | + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. +The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability. ### Countermeasure @@ -93,7 +93,7 @@ Remove the accounts of all users and groups that do not require the **Debug prog ### Potential impact -If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) +If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index b069fd1da1..09c0633dea 100644 
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -1,8 +1,8 @@ --- -title: Deny access to this computer from the network +title: Deny access to this computer from the network description: Best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting. ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 05/19/2021 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 42bdc8d2a2..c4bc52c008 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -1,8 +1,8 @@ --- -title: Deny log on as a batch job +title: Deny log on as a batch job description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting. ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Not defined | -| Domain Controller Effective Default Settings | Not defined | -| Member Server Effective Default Settings | Not defined | -| Client Computer Effective Default Settings | Not defined | - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined | + ## Policy management This section describes features and tools available to help you manage this policy. @@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job** On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. -For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting. +For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting. User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. 
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 8e61df03d2..7bdd2075ca 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -1,8 +1,8 @@ --- -title: Deny log on as a service +title: Deny log on as a service description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting. ms.assetid: f1114964-df86-4278-9b11-e35c66949794 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined | -| Domain Controller Effective Default Settings | Not defined | -| Member Server Effective Default Settings | Not defined | -| Client Computer Effective Default Settings | Not defined | - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined | +| Domain Controller Effective Default Settings | Not defined | +| Member Server Effective Default Settings | Not defined | +| Client Computer Effective Default Settings | Not defined | + ## Policy management This section describes features and tools available to help you manage this policy. 
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure +Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure services, and an attacker who already has that level of access could configure the service to run by using the System account. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index 8cc1881127..263496c85d 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -1,8 +1,8 @@ --- -title: Deny log on locally +title: Deny log on locally description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting. ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| Domain Controller Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index 6a3f748155..24e896eb79 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -1,8 +1,8 @@ --- -title: Deny log on through Remote Desktop Services +title: Deny log on through Remote Desktop Services description: Best practices, location, values, policy management, and security considerations for the security policy setting, Deny log on through Remote Desktop Services. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -51,12 +51,12 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| Domain Controller Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index c0ec06ad12..abbf2b5679 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md 
@@ -1,8 +1,8 @@ --- -title: Devices Allow undock without having to log on +title: Devices Allow undock without having to log on description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. >**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. - + Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices ### Possible values 
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings | Enabled| -| Client Computer Effective Default Settings| Enabled| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index c27928a04e..c2b35adf67 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -1,8 +1,8 @@ --- -title: Devices Allowed to format and eject removable media +title: Devices Allowed to format and eject removable media description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting. ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Administrators| -| DC Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -73,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button +Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button is pressed diminishes the advantage of this policy setting. ### Countermeasure 
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 40487ac65b..9a909d447c 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -1,8 +1,8 @@ --- -title: Devices Prevent users from installing printer drivers +title: Devices Prevent users from installing printer drivers description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting. ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 01/05/2022 ms.technology: itpro-security --- 
@@ -44,7 +44,7 @@ Although it might be appropriate in some organizations to allow users to install - It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer. > [!NOTE] -> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. +> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. ### Location 
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings | Enabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less +It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. ### Countermeasure 
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 2f3acd5122..30a9097f46 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -1,8 +1,8 @@ --- -title: Restrict CD-ROM access to locally logged-on user +title: Restrict CD-ROM access to locally logged-on user description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting. ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Disabled | -| DC Effective Default Settings | Disabled | -| Member Server Effective Default Settings | Disabled | -| Client Computer Effective Default Settings | Disabled | - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled | + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 511ccc907f..0a4d6c2250 100644 
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -1,8 +1,8 @@ --- -title: Devices Restrict floppy access to locally logged-on user only +title: Devices Restrict floppy access to locally logged-on user only description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. ms.assetid: 92997910-da95-4c03-ae6f-832915423898 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index 28361156ef..8d5b95d46a 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -1,13 +1,13 @@ --- title: Domain controller Allow server operators to schedule tasks description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -24,7 +24,7 @@ Describes the best practices, location, values, and security considerations for This policy setting determines whether server operators can use the **at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that account is the Local System account. >**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. - + Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. 
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md index 24614ad5c4..af6812e273 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.date: 04/26/2023 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 39803ce695..0745e54ec3 100644 
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -1,13 +1,13 @@ --- title: Domain controller LDAP server signing requirements description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -30,7 +30,7 @@ This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/6 If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). >**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. - + ### Possible values - None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it. 
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | None| -| Member Server Effective Default Settings | None| -| Client Computer Effective Default Settings | None| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | None| +| Member Server Effective Default Settings | None| +| Client Computer Effective Default Settings | None| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 63d863c555..dcc3e3be66 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -1,13 +1,13 @@ --- title: Refuse machine account password changes policy description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.technology: itpro-security ms.date: 12/31/2017 --- 
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | |---|---| -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Not defined | -| DC Effective Default Settings | Disabled | -| Member Server Effective Default Settings | Disabled | -| Client Computer Effective Default Settings | Not applicable | - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Not applicable | + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index d918369b03..820c7facca 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -1,8 +1,8 @@ --- -title: Domain member Digitally encrypt or sign secure channel data (always) +title: Domain member Digitally encrypt or sign secure channel data (always) description: Best practices, location, values, and security considerations for the policy setting, Domain member Digitally encrypt or sign secure channel data (always). ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -49,7 +49,7 @@ When a device joins a domain, a machine account is created. After being connecte - Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. - Disabled @@ -67,7 +67,7 @@ When a device joins a domain, a machine account is created. After being connecte - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. >**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. - + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options 
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Enabled | -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings | Enabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -103,7 +103,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index c277be4b30..0086d01e2c 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md 
@@ -1,8 +1,8 @@ --- -title: Domain member Digitally encrypt secure channel data (when possible) +title: Domain member Digitally encrypt secure channel data (when possible) description: Best practices, security considerations, and more for the security policy setting, Domain member Digitally encrypt secure channel data (when possible). ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: 
@@ -54,7 +54,7 @@ When a device joins a domain, a machine account is created. After the device is The domain member won't attempt to negotiate secure channel encryption. >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. - + - Not defined ### Best practices @@ -74,12 +74,12 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined| -| Default Domain Controller Policy | Enabled| -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Enabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Controller Policy | Enabled| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index 302edcac50..cadfa2282e 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md 
@@ -1,8 +1,8 @@ --- -title: Domain member Digitally sign secure channel data (when possible) +title: Domain member Digitally sign secure channel data (when possible) description: Best practices, location, values, and security considerations for the security policy setting, Domain member Digitally sign secure channel data (when possible). ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: 
@@ -60,7 +60,7 @@ When a device joins a domain, a machine account is created. After the device is - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. >**Note:** You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. - + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options @@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Enabled | -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Enabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Enabled | +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index 72e15d7783..324f36b008 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -1,8 +1,8 @@
 ---
-title: Domain member Disable machine account password changes
+title: Domain member Disable machine account password changes
 description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting.
 ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 06/27/2019
 ms.technology: itpro-security
 ---
@@ -44,8 +44,8 @@ Verify that the **Domain member: Disable machine account password changes** opti 3. You may want to consider using this policy setting in specific environments, such as the following ones: - Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image. - - Embedded devices that don't have write access to the OS volume. - + - Embedded devices that don't have write access to the OS volume. + In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command: ``` @@ -62,15 +62,15 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO | Default value | +| Server type or GPO | Default value | | - | - | -| Default Domain Policy | Disabled | -| Default Domain Controller Policy | Disabled| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy | Disabled | +| Default Domain Controller Policy | Disabled| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices +By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index aacfa76378..278f2854fa 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -1,8 +1,8 @@ --- -title: Domain member Maximum machine account password age +title: Domain member Maximum machine account password age description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 05/29/2020 ms.technology: itpro-security --- @@ -31,8 +31,8 @@ The **Domain member: Maximum machine account password age** policy setting deter In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md). -> [!IMPORTANT] -> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts. +> [!IMPORTANT] +> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts. For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026). 
@@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni ### Best practices -We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. +We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. ### Location @@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | 30 days| -| DC Effective Default Settings | 30 days| -| Member Server Effective Default Settings|30 days| -| Client Computer Effective Default Settings | 30 days| - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 30 days| +| DC Effective Default Settings | 30 days| +| Member Server Effective Default Settings|30 days| +| Client Computer Effective Default Settings | 30 days| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index d5c4b65fcc..5f03addc62 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -1,8 +1,8 @@ --- -title: Domain member Require strong (Windows 2000 or later) session key +title: Domain member Require strong (Windows 2000 or later) session key description: Best practices, location, values, and security considerations for the security policy setting, Domain member Require strong (Windows 2000 or later) session key. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -55,7 +55,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO +| Server type or GPO | Default value | |--------------------------------------------| diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index 8f52bd244e..2580f51ed8 100644 
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -1,8 +1,8 @@ --- -title: Trust computer and user accounts for delegation +title: Trust computer and user accounts for delegation description: Learn about best practices, security considerations and more for the security policy setting, Enable computer and user accounts to be trusted for delegation. ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -55,13 +55,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools and guidance to help you manage this policy. 
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened +Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident. ### Countermeasure @@ -102,7 +102,7 @@ after a security incident. The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. >**Note:**  There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. - + ### Potential impact None. Not defined is the default configuration. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index 69915eba98..b2b87b7314 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md 
@@ -1,8 +1,8 @@ --- -title: Enforce password history +title: Enforce password history description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default domain policy | 24 passwords remembered| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | 0 passwords remembered| -| Domain controller effective default settings | 24 passwords remembered| -| Member server effective default settings | 24 passwords remembered| -| Effective GPO default settings on client computers | 24 passwords remembered| - +| Default domain policy | 24 passwords remembered| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 passwords remembered| +| Domain controller effective default settings | 24 passwords remembered| +| Member server effective default settings | 24 passwords remembered| +| Effective GPO default settings on client computers | 24 passwords remembered| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -79,7 +79,7 @@ The longer a user uses the same password, the greater the chance that an attacke If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. >**Note:**  After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. - + ### Countermeasure Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index a119f6c131..faf39c7570 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -1,8 +1,8 @@ --- -title: Enforce user logon restrictions +title: Enforce user logon restrictions description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting. ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul | Server Type or GPO | Default Value | | - | - | -| Default Domain Policy | Enabled| +| Default Domain Policy | Enabled| | Default Domain Controller Policy | Not defined | | Stand-Alone Server Default Settings| Not applicable | -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Not applicable| -| Client Computer Effective Default Settings | Not applicable| - +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Not applicable| +| Client Computer Effective Default Settings | Not applicable| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index bb10d2ce82..fbf329985c 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -1,8 +1,8 @@ --- -title: Force shutdown from a remote system +title: Force shutdown from a remote system description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting. ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators
    Server Operators| -| Stand-Alone Server Default Settings | Administrators| -| Domain Controller Effective Default Settings | Administrators
    Server Operators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
    Server Operators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators
    Server Operators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index 5b8810a11e..9b9ab36731 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -1,8 +1,8 @@ --- -title: Generate security audits +title: Generate security audits description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting. ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Local Service
    Network Service| -| Stand-Alone Server Default Settings | Local Service
    Network Service| -| Domain Controller Effective Default Settings | Local Service
    Network Service| -| Member Server Effective Default Settings | Local Service
    Network Service| -| Client Computer Effective Default Settings | Local Service
    Network Service| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Local Service
    Network Service| +| Stand-Alone Server Default Settings | Local Service
    Network Service| +| Domain Controller Effective Default Settings | Local Service
    Network Service| +| Member Server Effective Default Settings | Local Service
    Network Service| +| Client Computer Effective Default Settings | Local Service
    Network Service| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 6dcfe5687d..37573dfb33 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -8,7 +8,7 @@ manager: aaroncz ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 06/07/2023 appliesto: - ✅ Windows 11 diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 698d38e82a..918c634443 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -1,8 +1,8 @@ --- -title: Impersonate a client after authentication +title: Impersonate a client after authentication description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting. ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -65,12 +65,12 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | | Default Domain Policy| Not defined | -| Default Domain Controller Policy| Administrators
    Local Service
    Network Service
    Service| -| Stand-Alone Server Default Settings | Administrators
    Local Service
    Network Service
    Service| -| Domain Controller Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| -| Member Server Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| -| Client Computer Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| - +| Default Domain Controller Policy| Administrators
    Local Service
    Network Service
    Service| +| Stand-Alone Server Default Settings | Administrators
    Local Service
    Network Service
    Service| +| Domain Controller Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| +| Member Server Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| +| Client Computer Effective Default Settings | Administrators
    Local Service
    Network Service
    Service| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index 0d6a6d694f..b383d4e733 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -1,8 +1,8 @@ --- -title: Increase a process working set +title: Increase a process working set description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting. ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -54,11 +54,11 @@ The following table lists the actual and effective default policy values. Defaul | - | - | | Default Domain Policy| Not Defined| | Default Domain Controller Policy | Users| -| Stand-Alone Server Default Settings| Users| -| Domain Controller Effective Default Settings| Users| -| Member Server Effective Default Settings | Users| -| Client Computer Effective Default Settings | Users| - +| Stand-Alone Server Default Settings| Users| +| Domain Controller Effective Default Settings| Users| +| Member Server Effective Default Settings | Users| +| Client Computer Effective Default Settings | Users| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 1bcfcdb42e..e0afba5ecc 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -1,8 +1,8 @@ --- -title: Increase scheduling priority +title: Increase scheduling priority description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting. ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 2/6/2020 ms.technology: itpro-security --- @@ -46,7 +46,7 @@ Constant: SeIncreaseBasePriorityPrivilege ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment - + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -82,9 +82,9 @@ Verify that only Administrators and Window Manager\Window Manager Group have the None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration. -> [!Warning] -> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. -> +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> > On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index a1ee602ed9..6b6a223a3c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md 
@@ -1,8 +1,8 @@ --- -title: Interactive logon Display user information when the session is locked +title: Interactive logon Display user information when the session is locked description: Best practices, security considerations, and more for the security policy setting, Interactive logon Display user information when the session is locked. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -66,7 +66,7 @@ This setting has these possible values: For a domain sign in only, the domain\username is displayed. The **Privacy** setting is automatically on and grayed out. - + - **Blank** Default setting. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 1917c4b70b..6d7880e8fe 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.reviewer: ms.author: vinpa diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index e4c4d49b0a..a13d25cd15 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md 
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Do not require CTRL+ALT+DEL +title: Interactive logon Do not require CTRL+ALT+DEL description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting. ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index eadc6514fe..85cca7c7f1 100644 
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index bc3ee80c44..a9c3a468db 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Machine account lockout threshold +title: Interactive logon Machine account lockout threshold description: Best practices, location, values, management, and security considerations for the security policy setting, Interactive logon Machine account lockout threshold. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings| Disabled| -| DC Effective Default Settings | Disabled| +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings| Disabled| +| DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled | -| Client Computer Effective Default Settings | Disabled| - +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 40c0bcb254..499c8ea921 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Machine inactivity limit +title: Interactive logon Machine inactivity limit description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting. ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 09/18/2018 ms.technology: itpro-security --- 
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 7f6a3535a6..9ea2643a8c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -1,8 +1,8 @@ --- -title: Interactive Logon Message text +title: Interactive Logon Message text description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index fc861f5e80..f97c4515e8 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Message title for users attempting to log on +title: Interactive logon Message title for users attempting to log on description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 079531c038..60159d1dd5 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md 
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Number of previous logons to cache (in case domain controller is not available) +title: Interactive logon Number of previous logons to cache (in case domain controller is not available) description: Best practices and more for the security policy setting, Interactive logon Number of previous logons to cache (in case domain controller is not available). ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 08/27/2018 ms.technology: itpro-security --- 
@@ -39,7 +39,7 @@ The system can't log you on now because the domain *DOMAIN NAME* isn't available The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session. -Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by +Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. > [!NOTE] @@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re ### Best practices -The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting. +The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting. ### Location 
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | 10 logons| -| DC Effective Default Settings | No effect| -| Member Server Effective Default Settings | 10 logons| -| Client Computer Effective Default Settings| 10 logons| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | 10 logons| +| DC Effective Default Settings | No effect| +| Member Server Effective Default Settings | 10 logons| +| Client Computer Effective Default Settings| 10 logons| + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -105,7 +105,7 @@ Configure the **Interactive logon: Number of previous logons to cache (in case d ### Potential impact -Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a +Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network. ## Related topics 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index b63d35d0b2..1c2bd90367 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -1,8 +1,8 @@ --- -title: Interactive log-on prompt user to change password before expiration +title: Interactive log-on prompt user to change password before expiration description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -50,13 +50,13 @@ The following table lists the default values for this policy. Default values are | Server type or Group Policy Object | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| | Stand-Alone Server Default Settings | Five days| -| DC Effective Default Settings | Five days | +| DC Effective Default Settings | Five days | | Member Server Effective Default Settings| Five days | -| Client Computer Effective Default Settings | Five days| - +| Client Computer Effective Default Settings | Five days| + ## Policy management This section describes features and tools that you can use to manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index c418e7adeb..12c079fced 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Require Domain Controller authentication to unlock workstation +title: Interactive logon Require Domain Controller authentication to unlock workstation description: Best practices security considerations, and more for the policy setting, Interactive logon Require Domain Controller authentication to unlock workstation. ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 8d49c17278..7175af2912 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -4,11 +4,11 @@ description: "Describes the best practices, location, values, policy management, author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.reviewer: +ms.reviewer: ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.topic: conceptual +ms.topic: reference ms.date: 01/13/2023 --- 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 55213f035f..4ae503eb5d 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -1,8 +1,8 @@ --- -title: Interactive logon Smart card removal behavior +title: Interactive logon Smart card removal behavior description: Best practices, location, values, policy management, and security considerations for the security policy setting, Interactive logon Smart card removal behavior. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -67,13 +67,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | No Action| -| DC Effective Default Settings | No Action| -| Member Server Effective Default Settings | No Action| -| Client Computer Effective Default Settings | No Action| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | No Action| +| DC Effective Default Settings | No Action| +| Member Server Effective Default Settings | No Action| +| Client Computer Effective Default Settings | No Action| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index b63e17c8c2..c8b07ad5e2 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -1,8 +1,8 @@ --- -title: Kerberos Policy +title: Kerberos Policy description: Describes the Kerberos Policy settings and provides links to policy setting descriptions. ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -28,7 +28,7 @@ The Kerberos version 5 authentication protocol provides the default mechanism f These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. -The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), +The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting), countermeasures you can take, and the potential impact for each setting. ## In this section @@ -40,7 +40,7 @@ countermeasures you can take, and the potential impact for each setting. | [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. | | [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. | | [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security | - + ## Related topics - [Configure security policy settings](how-to-configure-security-policy-settings.md) 
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index 1e9c0d4b8b..7a97507fb3 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -1,8 +1,8 @@ --- -title: Load and unload device drivers +title: Load and unload device drivers description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting. ms.assetid: 66262532-c610-470c-9792-35ff4389430f -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators
    Print Operators| -| Stand-Alone Server Default Settings | Administrators| +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
    Print Operators| +| Stand-Alone Server Default Settings | Administrators| | Domain Controller Effective Default Settings | Administrators
    Print Operators | -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -91,7 +91,7 @@ This section describes how an attacker might exploit a feature or its configurat Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures. >**Note:**  You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing. - + ### Countermeasure Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins. diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index c591706f9c..6be9e7a10f 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md 
@@ -1,8 +1,8 @@ --- -title: Lock pages in memory +title: Lock pages in memory description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting. ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -35,7 +35,7 @@ Enabling this policy setting for a specific account (a user account or a process > [!NOTE] > By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. - + Constant: SeLockMemoryPrivilege ### Possible values @@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| Domain Controller Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index cecd34e77c..cd62546d27 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -1,8 +1,8 @@ --- -title: Log on as a batch job +title: Log on as a batch job description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting. ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators
    Backup Operators
    Performance Log Users| -| Stand-Alone Server Default Settings | Administrators
    Backup Operators
    Performance Log Users| -| Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Performance Log Users| -| Member Server Effective Default Settings | Administrators
    Backup Operators
    Performance Log Users| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators
    Backup Operators
    Performance Log Users| +| Stand-Alone Server Default Settings | Administrators
    Backup Operators
    Performance Log Users| +| Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Performance Log Users| +| Member Server Effective Default Settings | Administrators
    Backup Operators
    Performance Log Users| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index d1f486957c..f96d6aad98 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -1,8 +1,8 @@ --- -title: Log on as a service +title: Log on as a service description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting. ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. The po | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| Domain Controller Effective Default Settings | Network Service| -| Member Server Effective Default Settings| Network Service| -| Client Computer Effective Default Settings | Network Service| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Network Service| +| Member Server Effective Default Settings| Network Service| +| Client Computer Effective Default Settings | Network Service| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An +The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An attacker who has already reached that level of access could configure the service to run with the Local System account. ### Countermeasure 
@@ -93,7 +93,7 @@ By definition, the Network Service account has the **Log on as a service** user ### Potential impact -On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to +On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to assign the user right to the additional accounts that those components require. IIS requires this user right to be explicitly granted to the ASPNET user account. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index a2be818c7d..180e73d52d 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -1,8 +1,8 @@ --- -title: Manage auditing and security log +title: Manage auditing and security log description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting. ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators| -| Stand-Alone Server Default Settings | Administrators| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings| Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -100,7 +100,7 @@ Ensure that only the local Administrators group has the **Manage auditing and se Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration. >**Warning:**  If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right. - + ## Related topics - [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index bdc180ccf0..a750dcb65c 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md 
@@ -1,8 +1,8 @@ --- -title: Maximum lifetime for service ticket +title: Maximum lifetime for service ticket description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting. ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul | Server Type or GPO | Default Value | | - | - | -| Default Domain Policy| 600 minutes| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not applicable| -| DC Effective Default Settings | 600 minutes| -| Member Server Effective Default Settings | Not applicable| -| Client Computer Effective Default Settings | Not applicable| - +| Default Domain Policy| 600 minutes| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| DC Effective Default Settings | 600 minutes| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index 43935998f5..6dc4d1607b 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md 
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -1,8 +1,8 @@ --- -title: Maximum lifetime for user ticket renewal +title: Maximum lifetime for user ticket renewal description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting. ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| 7 days| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Not applicable| -| Domain Controller Effective Default Settings | 7 days| -| Member Server Effective Default Settings | Not applicable| -| Client Computer Effective Default Settings | Not applicable| - +| Default Domain Policy| 7 days| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings | 7 days| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable| + ### Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -91,7 +91,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days. ### Potential impact -Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate. +Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 1d6f14a767..238e860228 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -1,8 +1,8 @@ --- -title: Maximum lifetime for user ticket +title: Maximum lifetime for user ticket description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting. ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul | Server Type or GPO | Default Value | | - | - | -| Default Domain Policy| 10 hours| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Not applicable| -| Domain Controller Effective Default Settings | 10 hours| -| Member Server Effective Default Settings | Not applicable| -| Client Computer Effective Default Settings | Not applicable| - +| Default Domain Policy| 10 hours| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings | 10 hours| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 1e3180694c..a416e4543c 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -1,8 +1,8 @@ --- -title: Maximum password age +title: Maximum password age description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. >**Note:**  Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. - + ### Possible values - User-specified number of days between 0 and 999 @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| 42 days| -| Default domain controller policy| Not defined| -| Stand-alone server default settings | 42 days| -| Domain controller effective default settings | 42 days| -| Member server effective default settings | 42 days| -| Effective GPO default settings on client computers| 42 days| - +| Default domain policy| 42 days| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | 42 days| +| Domain controller effective default settings | 42 days| +| Member server effective default settings | 42 days| +| Effective GPO default settings on client computers| 42 days| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access. +The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access. ### Considerations diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index 5b2ae28406..fd26c1fd58 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -1,8 +1,8 @@ --- -title: Maximum tolerance for computer clock synchronization +title: Maximum tolerance for computer clock synchronization description: Best practices, location, values, policy management, and security considerations for the policy setting, Maximum tolerance for computer clock synchronization. ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. -To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. +To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any timestamp that's used in a session between the two devices is considered to be authentic. The possible values for this Group Policy setting are: 
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| 5 minutes| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not applicable| -| Domain Controller Effective Default Settings| 5 minutes| -| Member Server Effective Default Settings | Not applicable| -| Client Computer Effective Default Settings | Not applicable| - +| Default Domain Policy| 5 minutes| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not applicable| +| Domain Controller Effective Default Settings| 5 minutes| +| Member Server Effective Default Settings | Not applicable| +| Client Computer Effective Default Settings | Not applicable| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index e4f7c05351..687a39281d 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -1,7 +1,7 @@ --- title: Microsoft network client Digitally sign communications (always) description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.prod: windows-client 
@@ -9,7 +9,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 01/13/2023 ms.technology: itpro-security -ms.topic: conceptual +ms.topic: reference --- # Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 343e8a2eb7..a3d215db1a 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -1,8 +1,8 @@ --- -title: Microsoft network client Send unencrypted password +title: Microsoft network client Send unencrypted password description: Learn about best practices and more for the security policy setting, Microsoft network client Send unencrypted password to third-party SMB servers. ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings| Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings| Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 72d11c51b4..e79a912300 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md 
@@ -1,8 +1,8 @@ --- -title: Microsoft network server Amount of idle time required before suspending session +title: Microsoft network server Amount of idle time required before suspending session description: Best practices, security considerations, and more for the policy setting, Microsoft network server Amount of idle time required before suspending session. ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index f8096dec04..8fcc7102c7 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -1,8 +1,8 @@ --- -title: Microsoft network server Attempt S4U2Self +title: Microsoft network server Attempt S4U2Self description: Learn about the security policy setting, Microsoft network server Attempt S4U2Self to obtain claim information. ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers +This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. 
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings| Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings| Disabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
 ### Vulnerability
-None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
+None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
 and Windows 8.
 ### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 4685a285de..030123cf61 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -3,12 +3,12 @@ title: Microsoft network server Digitally sign communications (always)
 description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 01/13/2023
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index c560912610..b7f738611b 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
 ---
-title: Microsoft network server Disconnect clients when sign-in hours expire
+title: Microsoft network server Disconnect clients when sign-in hours expire
 description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when sign-in hours expire.
 ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
 | DC Effective Default Settings| Enabled |
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index b0119771b5..c10cf64969 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -1,8 +1,8 @@
 ---
-title: Microsoft network server Server SPN target name validation level
+title: Microsoft network server Server SPN target name validation level
 description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Server SPN target name validation level.
 ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -54,7 +54,7 @@ The default setting is Off.
 This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities.
 >**Note:**  All Windows operating systems support a client-side SMB component and a server-side SMB component.
-
+
 ### Location
 Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -65,13 +65,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or Group Policy object (GPO) | Default value |
 | - | - |
-| Default domain policy | Off |
-| Default domain controller policy| Off|
-| Stand-alone server default settings | Off|
-| Domain controller effective default settings| Validation level check not implemented|
-| Member server effective default settings | Validation level check not implemented|
-| Effective GPO default settings on client computers | Validation level check not implemented|
-
+| Default domain policy | Off |
+| Default domain controller policy| Off|
+| Stand-alone server default settings | Off|
+| Domain controller effective default settings| Validation level check not implemented|
+| Member server effective default settings | Validation level check not implemented|
+| Effective GPO default settings on client computers | Validation level check not implemented|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index e42c7f62fc..67cf3aac2e 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -1,8 +1,8 @@
 ---
-title: Minimum password age
+title: Minimum password age
 description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.
 ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.prod: windows-client
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.date: 11/13/2018
 ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
 ---
 # Minimum password age
@@ -35,15 +35,15 @@ The **Minimum password age** policy setting determines the period of time (in da
 ### Best practices
-[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
-Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
-Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
-For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
-If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
 The minimum password age of 1 day prevents that.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
 Otherwise, the user won't be able to change the password until the number of days specified by **Minimum password age**.
 ### Location
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
-| Default domain policy| 1 day|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 0 days|
-| Domain controller effective default settings | 1 day|
-| Member server effective default settings | 1 day|
-| Effective GPO default settings on client computers| 1 day|
-
+| Default domain policy| 1 day|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 0 days|
+| Domain controller effective default settings | 1 day|
+| Member server effective default settings | 1 day|
+| Effective GPO default settings on client computers| 1 day|
+
 ## Policy management
 This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 4ef50144bc..d264ff4033 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -1,8 +1,8 @@
 ---
-title: Minimum password length
+title: Minimum password length
 description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.
 ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection:
+ms.collection:
 - highpri
 - tier3
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 03/30/2022
 ms.technology: itpro-security
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index 0fe460d50d..e3f1d6decd 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -1,8 +1,8 @@
 ---
-title: Modify an object label
+title: Modify an object label
 description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting.
 ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
 This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
-The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
+The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
 similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system.
 The following list describes the integrity levels from lowest to highest:
 - **Untrusted**   Default assignment for processes that are logged on anonymously.
@@ -62,13 +62,13 @@ The following table lists the actual and effective default policy values for the
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
 ## Policy management
 This section describes features, tools, and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
 ### Vulnerability
-Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
+Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
 Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts don't have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you're attempting to relabel.
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index faff714347..5a2d90eb2c 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -1,8 +1,8 @@
 ---
-title: Modify firmware environment values
+title: Modify firmware environment values
 description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting.
 ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -61,13 +61,13 @@ The following table lists the actual and effective default policy values. Defaul
 | Server type or GPO |Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Adminstrators|
-| Stand-Alone Server Default Settings | Adminstrators|
-| Domain Controller Effective Default Settings | Adminstrators|
-| Member Server Effective Default Settings | Adminstrators|
-| Client Computer Effective Default Settings | Adminstrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Adminstrators|
+| Stand-Alone Server Default Settings | Adminstrators|
+| Domain Controller Effective Default Settings | Adminstrators|
+| Member Server Effective Default Settings | Adminstrators|
+| Client Computer Effective Default Settings | Adminstrators|
+
 ## Policy management
 This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index 164da34ecf..16e357e6c1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -1,8 +1,8 @@
 ---
-title: Network access Allow anonymous SID/Name translation
+title: Network access Allow anonymous SID/Name translation
 description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Allow anonymous SID/Name translation.
 ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
 ### Operating system version differences
 The default value of this setting has changed between operating systems as follows:
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index caccbb931a..9f3219cb41 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -1,8 +1,8 @@
 ---
-title: Network access Do not allow anonymous enumeration
+title: Network access Do not allow anonymous enumeration
 description: Learn about best practices and more for the security policy setting, Network access Do not allow anonymous enumeration of SAM accounts and shares.
 ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
index 83888d29df..e737e440d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
@@ -1,8 +1,8 @@
 ---
-title: Network access Do not allow anonymous enumeration of SAM accounts
+title: Network access Do not allow anonymous enumeration of SAM accounts
 description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting.
 ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
 | Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index 770a44407d..07e8b5d1cb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -1,8 +1,8 @@
 ---
-title: Network access Do not allow storage of passwords and credentials for network authentication
+title: Network access Do not allow storage of passwords and credentials for network authentication
 description: Learn about best practices and more for the security policy setting, Network access Do not allow storage of passwords and credentials for network authentication
 ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 07/01/2021
 ms.technology: itpro-security
 ---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings| Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers |Disabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings| Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers |Disabled|
+
 ### Policy management
 This section describes features and tools that are available to help you manage this policy.
@@ -83,7 +83,7 @@ This section describes how an attacker might exploit a feature or its configurat
 Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user.
 >**Note:**  The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.
-
+
 Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. With the help of one of these utilities, an attacker can authenticate by using the overwritten value. Overwriting the administrator's password doesn't help the attacker access data that is encrypted by using that password. Also, overwriting the password doesn't help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password doesn't help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) won't decrypt.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 618f7ffbc0..65f3d3d7c6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -1,8 +1,8 @@
 ---
-title: Let Everyone permissions apply to anonymous users
+title: Let Everyone permissions apply to anonymous users
 description: Learn about best practices, security considerations and more for the security policy setting, Network access Let Everyone permissions apply to anonymous users.
 ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index 7a1acb165d..311f70c3ef 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
 ---
-title: Network access Named Pipes that can be accessed anonymously
+title: Network access Named Pipes that can be accessed anonymously
 description: Describes best practices, security considerations and more for the security policy setting, Network access Named Pipes that can be accessed anonymously.
 ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Netlogon, samr, lsarpc| -| Stand-Alone Server Default Settings | Null| -| DC Effective Default Settings | Netlogon, samr, lsarpc| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Netlogon, samr, lsarpc| +| Stand-Alone Server Default Settings | Null| +| DC Effective Default Settings | Netlogon, samr, lsarpc| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes different features and tools available to help you manage this policy. 
@@ -79,15 +79,15 @@ You can restrict access over named pipes such as COMNAP and LOCATOR to help prev | Named pipe | Purpose | | - | - | -| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.| -| COMNODE| SNA Server named pipe.| -| SQL\QUERY | Default named pipe for SQL Server.| -| SPOOLSS | Named pipe for the Print Spooler service.| -| EPMAPPER | End Point Mapper named pipe.| -| LOCATOR | Remote Procedure Call Locator service named pipe.| -| TrlWks | Distributed Link Tracking Client named pipe.| -| TrkSvr | Distributed Link Tracking Server named pipe.| - +| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.| +| COMNODE| SNA Server named pipe.| +| SQL\QUERY | Default named pipe for SQL Server.| +| SPOOLSS | Named pipe for the Print Spooler service.| +| EPMAPPER | End Point Mapper named pipe.| +| LOCATOR | Remote Procedure Call Locator service named pipe.| +| TrlWks | Distributed Link Tracking Client named pipe.| +| TrkSvr | Distributed Link Tracking Server named pipe.| + ### Countermeasure Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but don't specify named pipes in the text box).
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index 9c968a3f5c..12988a2e90 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md 
@@ -1,8 +1,8 @@ --- -title: Network access Remotely accessible registry paths and subpaths +title: Network access Remotely accessible registry paths and subpaths description: Describes best practices, location, values, and security considerations for the policy setting, Network access Remotely accessible registry paths and subpaths. ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security ---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions. -The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, +The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive, and they help protect it from access by unauthorized users. To allow remote access, you must also enable the Remote Registry service. 
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | See the following registry key combination| -| DC Effective Default Settings | See the following registry key combination| -| Member Server Effective Default Settings | See the following registry key combination| -| Client Computer Effective Default Settings | See the following registry key combination| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination| + The combination of all the following registry keys apply to the previous settings: 1. System\\CurrentControlSet\\Control\\Print\\Printers
@@ -99,7 +99,7 @@ Configure the **Network access: Remotely accessible registry paths and sub-paths Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. >**Note:**  If you want to allow remote access, you must also enable the Remote Registry service. - + ## Related topics - [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index dd86f8a026..3a1924da9a 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -1,8 +1,8 @@ --- -title: Network access Remotely accessible registry paths +title: Network access Remotely accessible registry paths description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Remotely accessible registry paths. ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | See the following registry key combination| -| DC Effective Default Settings | See the following registry key combination| -| Member Server Effective Default Settings | See the following registry key combination| -| Client Computer Effective Default Settings | See the following registry key combination| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | See the following registry key combination| +| DC Effective Default Settings | See the following registry key combination| +| Member Server Effective Default Settings | See the following registry key combination| +| Client Computer Effective Default Settings | See the following registry key combination| + The combination of all the following registry keys apply to the previous settings: 1. System\\CurrentControlSet\\Control\\ProductOptions
@@ -90,7 +90,7 @@ Configure the **Network access: Remotely accessible registry paths** setting to Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. >**Note:**  If you want to allow remote access, you must also enable the Remote Registry service. - + ## Related topics - [Security Options](security-options.md) 
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 30cbc5b78f..e45ad66787 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -1,8 +1,8 @@ --- -title: Network access Restrict anonymous access to Named Pipes and Shares +title: Network access Restrict anonymous access to Named Pipes and Shares description: Best practices, security considerations, and more for the security policy setting, Network access Restrict anonymous access to Named Pipes and Shares. ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -32,7 +32,7 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key +This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources. Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment. 
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings | Enabled| -| Client Computer Effective Default Settings| Enabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Enabled| +| Client Computer Effective Default Settings| Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6b65885d98..587ae7e3a5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -7,12 +7,12 @@ ms.localizationpriority: medium ms.date: 09/17/2018 author: vinaypamnani-msft ms.author: vinpa -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference --- # Network access: Restrict clients allowed to make remote calls to SAM 
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index dc0a2dda77..57882060a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@ --- -title: Network access Shares that can be accessed anonymously +title: Network access Shares that can be accessed anonymously description: Learn about best practices, security considerations, and more for the security policy setting, Network access Shares that can be accessed anonymously. ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index c11be07eab..9665aaaaf7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -1,8 +1,8 @@ --- -title: Network access Sharing and security model for local accounts +title: Network access Sharing and security model for local accounts description: Best practices, security considerations, and more for the security policy setting, Network access Sharing and security model for local accounts. ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security ---
@@ -31,7 +31,7 @@ This policy setting determines how network logons that use local accounts are au >**Note:**  This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used. - + When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This privilege means that they'll probably be unable to write to shared folders. Although this restriction does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. ### Possible values 
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)| -| DC Effective Default Settings | Classic (local users authenticate as themselves)| -| Member Server Effective Default Settings | Classic (local users authenticate as themselves)| -| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)| +| DC Effective Default Settings | Classic (local users authenticate as themselves)| +| Member Server Effective Default Settings | Classic (local users authenticate as themselves)| +| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)| + ## Policy management This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index a946a20ae9..04167671df 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md 
@@ -1,8 +1,8 @@ --- -title: Network List Manager policies +title: Network List Manager policies description: Network List Manager policies are security settings that configure different aspects of how networks are listed and displayed on one device or on many devices. ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security ---
@@ -36,7 +36,7 @@ The following policy settings are provided for Network List Manager Policies. Th ### Unidentified Networks -This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the +This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting: - **Location type**. For this item, the following options are available:
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index bdd1418a71..509602f606 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -2,7 +2,7 @@ title: "Network security: Allow Local System to use computer identity for NTLM (Windows 10)" description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM. ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 10/04/2021 ms.technology: itpro-security --- 
@@ -34,11 +34,11 @@ When a service connects with the device identity, signing and encryption are sup ### Possible values | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | -| - | - | - | +| - | - | - | | Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This behavior is the default behavior. | | Disabled| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. This behavior is the default behavior.| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously.| -|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.| - +|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.| + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options 
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic | Server type or Group Policy object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not applicable| -| Member server effective default settings | Not applicable| -| Effective GPO default settings on client computers | Not defined| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| +| Member server effective default settings | Not applicable| +| Effective GPO default settings on client computers | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
index fd87daba06..02d157f8db 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
@@ -1,8 +1,8 @@ --- -title: Network security Allow LocalSystem NULL session fallback +title: Network security Allow LocalSystem NULL session fallback description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting. ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local +This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session doesn't establish a unique session key for each authentication; and thus, it can't provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. ### Possible values 
@@ -38,7 +38,7 @@ System will fall back to using NULL session authentication when they transmit da - **Disabled** - When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a + When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. - Not defined. When this policy isn't defined, the default takes effect. This policy is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it's Disabled otherwise. 
@@ -57,13 +57,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not applicable| +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not applicable| | Member server effective default settings | Not applicable | -| Effective GPO default settings on client computers | Not applicable| - +| Effective GPO default settings on client computers | Not applicable| + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index abc5d527cd..202d37d4e5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -1,8 +1,8 @@ --- -title: Network security Allow PKU2U authentication requests to this computer to use online identities +title: Network security Allow PKU2U authentication requests to this computer to use online identities description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting. ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 01/03/2022 ms.technology: itpro-security ---
@@ -33,7 +33,7 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. - + This policy isn't configured by default on domain-joined devices. This disablement would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. ### Possible values 
@@ -61,21 +61,21 @@ The following table lists the effective default values for this policy. Default | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Disabled| -| Member server effective default settings | Disabled| -| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled| -| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled| +| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure. ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. 
However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 465adda6a7..5e1c37d2b4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md 
@@ -1,16 +1,16 @@ --- title: Network security Configure encryption types allowed for Kerberos description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only. -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -32,7 +32,7 @@ For more information, see [KDC event ID 16 or 27 is logged if DES for Kerberos i The following table lists and explains the allowed encryption types. - + | Encryption type | Description and version support | | - | - | | DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, and later operating systems don't support DES by default. | @@ -91,7 +91,7 @@ Don't configure this policy. This disablement will force the computers running W ### Potential impact If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. - + If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication but you'll improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 7402fd0df1..c708a656d1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md 
@@ -1,8 +1,8 @@ --- -title: Network security Do not store LAN Manager hash value on next password change +title: Network security Do not store LAN Manager hash value on next password change description: Best practices, security considerations, and more for the security policy setting, Network security Do not store LAN Manager hash value on next password change. ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings|Enabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings|Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 99826613ed..665eee915f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md 
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -1,8 +1,8 @@ --- -title: Network security Force logoff when logon hours expire +title: Network security Force logoff when logon hours expire description: Best practices, location, values, policy management, and security considerations for the policy setting, Network security Force logoff when logon hours expire. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Disabled| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Disabled| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index c6847770d4..57246a6f27 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -1,8 +1,8 @@ --- -title: Network security LAN Manager authentication level +title: Network security LAN Manager authentication level description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LAN Manager authentication level. ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -50,18 +50,18 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it's - Send NTLMv2 responses only. Refuse LM & NTLM - Not Defined -The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the +The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting. | Setting | Description | Registry security level | | - | - | - | -| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0| -| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| -| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| -| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| -| Send NTLMv2 response only. 
Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4| -| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5| - +| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0| +| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| +| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| +| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| +| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4| +| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5| + ### Best practices - Best practices are dependent on your specific security and authentication requirements. 
@@ -80,13 +80,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Send NTLMv2 response only| -| DC Effective Default Settings | Send NTLMv2 response only| -| Member Server Effective Default Settings | Send NTLMv2 response only| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Send NTLMv2 response only| +| DC Effective Default Settings | Send NTLMv2 response only| +| Member Server Effective Default Settings | Send NTLMv2 response only| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 3232a699e0..2199e96b47 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -1,8 +1,8 @@ --- -title: Network security LDAP client signing requirements +title: Network security LDAP client signing requirements description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LDAP client signing requirements. ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Negotiate signing| -| DC Effective Default Settings | Negotiate signing| -| Member Server Effective Default Settings | Negotiate signing| -| Client Computer Effective Default Settings | Negotiate signing| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Negotiate signing| +| DC Effective Default Settings | Negotiate signing| +| Member Server Effective Default Settings | Negotiate signing| +| Client Computer Effective Default Settings | Negotiate signing| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index cd6838a4f8..5bda79521f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
@@ -1,8 +1,8 @@ --- -title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients +title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients description: Best practices and more for the security policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) clients. ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 07/27/2017 ms.technology: itpro-security --- @@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Require 128-bit encryption| -| DC Effective Default Settings | Require 128-bit encryption| -| Member Server Effective Default Settings | Require 128-bit encryption| -| Client Computer Effective Default Settings | Require 128-bit encryption| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 701259d037..ebae59999d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -1,8 +1,8 @@ --- -title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers +title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers description: Best practices and security considerations for the policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) servers. ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Require 128-bit encryption| -| DC Effective Default Settings | Require 128-bit encryption| -| Member Server Effective Default Settings | Require 128-bit encryption| -| Client Computer Effective Default Settings | Require 128-bit encryption| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Require 128-bit encryption| +| DC Effective Default Settings | Require 128-bit encryption| +| Member Server Effective Default Settings | Require 128-bit encryption| +| Client Computer Effective Default Settings | Require 128-bit encryption| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 754a7cbc0e..b0e28dc0b1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md 
@@ -1,8 +1,8 @@ --- -title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication +title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication description: Best practices, security considerations, and more for the policy setting, Network security Restrict NTLM Add remote server exceptions for NTLM authentication. ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -59,13 +59,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings| Not defined| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings| Not defined| + ## Policy management This section describes the features and tools that are available to help you manage this policy. 
@@ -90,14 +90,14 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: +When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. ### Countermeasure -When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote +When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers in your environment. 
When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index c0ebdc1ba5..b6aa571487 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -1,8 +1,8 @@ --- -title: Network security Restrict NTLM Add server exceptions in this domain +title: Network security Restrict NTLM Add server exceptions in this domain description: Best practices, security considerations, and more for the security policy setting, Network security Restrict NTLM Add server exceptions in this domain. ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -59,12 +59,12 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | | Default domain policy| Not defined | -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings | Not defined| - +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined| + ## Policy management This section describes different features and tools available to help you manage this policy. 
@@ -89,10 +89,10 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: +When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. -If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security +If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index d5104ea5b7..c81152a791 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -1,8 +1,8 @@ --- -title: Network security Restrict NTLM Audit incoming NTLM traffic +title: Network security Restrict NTLM Audit incoming NTLM traffic description: Best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM Audit incoming NTLM traffic. ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -33,7 +33,7 @@ When this audit policy is enabled within Group Policy, it's enforced on any serv When you enable this policy on a server, only authentication traffic to that server will be logged. -When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic in your environment, and when you're ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. ### Possible values 
@@ -66,13 +66,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings | Not defined| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined| + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index dbc99216c2..f79dd47f62 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md 
@@ -1,13 +1,13 @@ --- title: Network security Restrict NTLM Audit NTLM authentication in this domain description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain. -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -46,7 +46,7 @@ When you enable this audit policy, it functions in the same way as the **Network The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**. - **Enable all** - + The domain controller on which this policy is set will log all events for incoming NTLM traffic. ### Best practices @@ -61,13 +61,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings | Not defined| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined| + ## Policy management This section describes different features and tools available to help you manage this policy. 
@@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 3a547350da..5f964c33cc 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -1,8 +1,8 @@ --- -title: Network security Restrict NTLM Incoming NTLM traffic +title: Network security Restrict NTLM Incoming NTLM traffic description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Incoming NTLM traffic. ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -60,13 +60,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default domain policy| Not defined| +| Default domain policy| Not defined| | Default domain controller policy | Not defined | -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings | Not defined| - +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined| + ## Policy management This section describes different features and tools available to help you manage this policy. 
@@ -101,7 +101,7 @@ When it has been determined that the NTLM authentication protocol shouldn't be u ### Potential impact -If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that +If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md). ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 61092a99fc..8b9e4f8973 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md 
@@ -1,13 +1,13 @@ --- title: Network security Restrict NTLM in this domain description: Learn about best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM NTLM authentication in this domain. -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.technology: itpro-security ms.date: 12/31/2017 --- @@ -63,13 +63,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default domain policy| Not configured| -| Default domain controller policy | Not configured| +| Default domain policy| Not configured| +| Default domain controller policy | Not configured| | Stand-alone server default settings | Not configured| -| Domain controller effective default settings | Not configured| -| Member server effective default settings | Not configured | -| Client computer effective default settings | Not configured| - +| Domain controller effective default settings | Not configured| +| Member server effective default settings | Not configured | +| Client computer effective default settings | Not configured| + ## Policy management This section describes different features and tools available to help you manage this policy. 
@@ -100,7 +100,7 @@ Malicious attacks on NTLM authentication traffic resulting in a compromised serv ### Countermeasure -When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 5aedc2eb5b..4869db61ec 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -1,8 +1,8 @@ --- -title: Network security Restrict NTLM Outgoing traffic +title: Network security Restrict NTLM Outgoing traffic description: Learn about best practices, security considerations and more for the policy setting, Network Security Restrict NTLM Outgoing NTLM traffic to remote servers. ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 06/15/2022 ms.technology: itpro-security --- 
@@ -34,7 +34,7 @@ Describes the best practices, location, values, management aspects, and security The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. >**Warning:**  Modifying this policy setting may affect compatibility with client computers, services, and applications. - + ### Possible values - **Allow all** @@ -65,13 +65,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings | Not defined| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not defined| + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 34f17b6527..a00661af55 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md 
@@ -8,7 +8,7 @@ manager: aaroncz ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 06/07/2023 --- diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index 70396092e7..1d6e578b5c 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -1,8 +1,8 @@ --- -title: Password Policy +title: Password Policy description: An overview of password policies for Windows and links to information for each policy setting. ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -50,14 +50,14 @@ The following topics provide a discussion of password policy implementation and | Topic | Description | | - | - | -| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.| -| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.| -| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.| -| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.| +| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.| +| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.| +| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.| +| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.| | [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security 
considerations for the **Password must meet complexity requirements** security policy setting.| -| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.| - +| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.| + ## Related topics - [Configure security policy settings](how-to-configure-security-policy-settings.md) - + diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index e74ff5c974..15ffdec99c 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -1,8 +1,8 @@ --- -title: Perform volume maintenance tasks +title: Perform volume maintenance tasks description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting. ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators| -| Stand-Alone Server Default Settings | Administrators| -| DC Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| DC Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index f77e48438c..2bdc87455f 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -1,8 +1,8 @@ --- -title: Profile single process +title: Profile single process description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting. ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators| -| Stand-Alone Server Default Settings | Administrators| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings| Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings| Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index 9c7b9de8c4..6be8f9269b 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -1,8 +1,8 @@ --- -title: Profile system performance +title: Profile system performance description: Best practices, location, values, policy management, and security considerations for the security policy setting, Profile system performance. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators| -| Stand-Alone Server Default Settings | Administrators| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index 34e5e2b851..590b49f09b 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -1,8 +1,8 @@ --- -title: Recovery console Allow automatic administrative logon +title: Recovery console Allow automatic administrative logon description: Best practices, location, values, policy management, and security considerations for the policy setting, Recovery console Allow automatic administrative logon. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy| Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index fdb56ca78e..08ca6beb3f 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
@@ -1,8 +1,8 @@ --- -title: Recovery console Allow floppy copy and access to all drives and folders +title: Recovery console Allow floppy copy and access to all drives and folders description: Best practices, security considerations, and more for the policy setting, Recovery console Allow floppy copy and access to all drives and folders. ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index c0f395231c..253213f2c1 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md 
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -1,8 +1,8 @@ --- -title: Remove computer from docking station - security policy setting +title: Remove computer from docking station - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators| -| Stand-Alone Server Default Settings | Administrators| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index 5079dab92d..d180d2acea 100644 
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -1,8 +1,8 @@ --- -title: Replace a process level token +title: Replace a process level token description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting. ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| +| Default Domain Policy| Not defined| | Default Domain Controller Policy | Network Service
    Local Service | -| Stand-Alone Server Default Settings | Network Service
    Local Service| -| Domain Controller Effective Default Settings | Network Service
    Local Service| -| Member Server Effective Default Settings | Network Service
    Local Service| -| Client Computer Effective Default Settings | Network Service
    Local Service| - +| Stand-Alone Server Default Settings | Network Service
    Local Service| +| Domain Controller Effective Default Settings | Network Service
    Local Service| +| Member Server Effective Default Settings | Network Service
    Local Service| +| Client Computer Effective Default Settings | Network Service
    Local Service| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index ec962f77e0..44c6716d50 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -1,8 +1,8 @@ --- -title: Reset account lockout counter after +title: Reset account lockout counter after description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting. ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 11/02/2018 ms.technology: itpro-security --- 
@@ -38,7 +38,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco ### Best practices -Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. +Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). 
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not applicable| -| Domain controller effective default settings | Not defined| -| Member server effective default settings | Not defined| -| Client computer effective default settings | Not applicable| - +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not applicable| +| Domain controller effective default settings | Not defined| +| Member server effective default settings | Not defined| +| Client computer effective default settings | Not applicable| + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index ca2b72c717..f970ac8154 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -1,8 +1,8 @@ --- -title: Restore files and directories - security policy setting +title: Restore files and directories - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -|Default Domain Policy | | -| Default Domain Controller Policy| Administrators
    Backup Operators
    Server Operators| -| Stand-Alone Server Default Settings | Administrators
    Backup Operators| -| Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Server Operators| -| Member Server Effective Default Settings | Administrators
    Backup Operators| -| Client Computer Effective Default Settings | Administrators
    Backup Operators| - +|Default Domain Policy | | +| Default Domain Controller Policy| Administrators
    Backup Operators
    Server Operators| +| Stand-Alone Server Default Settings | Administrators
    Backup Operators| +| Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Server Operators| +| Member Server Effective Default Settings | Administrators
    Backup Operators| +| Client Computer Effective Default Settings | Administrators
    Backup Operators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -93,7 +93,7 @@ This section describes how an attacker might exploit a feature or its configurat An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device >**Note:**  Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data. - + ### Countermeasure Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel. diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md index 7efca79530..78ea3fcb09 100644 --- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md 
@@ -1,8 +1,8 @@ --- -title: Advanced security audit policy settings in brief +title: Advanced security audit policy settings in brief description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 39d6b0489e..de522cb6d3 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -1,7 +1,7 @@ --- title: Security options description: Introduction to the Security Options settings of the local security policies plus links to more information. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.prod: windows-client @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 01/13/2023 ms.technology: itpro-security -ms.topic: conceptual +ms.topic: reference --- # Security Options diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index 259ebfec01..9db7d59a20 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md 
@@ -1,8 +1,8 @@ --- -title: Security policy settings reference +title: Security policy settings reference description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -33,10 +33,10 @@ Each policy setting described contains referential content such as a detailed ex | Topic | Description | | - | - | -| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.| -| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.| -| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.| -| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.| +| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.| +| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.| +| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.| +| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.| | [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.  | - - + + 
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 397c3a1138..062aa06d3d 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -1,8 +1,8 @@ --- -title: Security policy settings +title: Security policy settings description: This reference topic describes the common scenarios, architecture, and processes for security settings. ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,10 +12,10 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index f6a3fe8228..def26ab7ef 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -1,8 +1,8 @@ --- -title: Shut down the system - security policy setting +title: Shut down the system - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values for the | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Administrators
    Backup Operators
    Server Operators
    Print Operators| -| Stand-Alone Server Default Settings | Administrators
    Backup Operators| -| Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Server Operators
    Print Operators| -| Member Server Effective Default Settings | Administrators
    Backup Operators| -| Client Computer Effective Default Settings | Administrators
    Backup Operators
    Users| - +| Default Domain Policy | Not defined| +| Default Domain Controller Policy | Administrators
    Backup Operators
    Server Operators
    Print Operators| +| Stand-Alone Server Default Settings | Administrators
    Backup Operators| +| Domain Controller Effective Default Settings | Administrators
    Backup Operators
    Server Operators
    Print Operators| +| Member Server Effective Default Settings | Administrators
    Backup Operators| +| Client Computer Effective Default Settings | Administrators
    Backup Operators
    Users| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index a21dde7fda..672e91297b 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -1,8 +1,8 @@ --- -title: Shutdown Allow system to be shut down without having to log on +title: Shutdown Allow system to be shut down without having to log on description: Best practices, security considerations, and more for the security policy setting Shutdown Allow system to be shut down without having to log on. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the **Shut Down** option is available on the sign-in screen in Windows. If you disable this setting, the **Shut Down** option is removed from the screen. To use the option, the user must sign in on the device successfully and have the **Shut down the system** user right. -Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service +Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service condition from a local console by restarting or shutting down the server. ### Possible values 
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 7c6df9fb82..b40140dc0f 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -1,8 +1,8 @@ --- -title: Shutdown Clear virtual memory pagefile +title: Shutdown Clear virtual memory pagefile description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,12 +12,12 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 08/01/2017 ms.technology: itpro-security --- -# Shutdown: Clear virtual memory pagefile +# Shutdown: Clear virtual memory pagefile **Applies to** - Windows 11 @@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. >**Caution:**  An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source. - + ### Countermeasure Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down. diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index adb43f0fea..6b4584688f 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md 
@@ -1,8 +1,8 @@ --- -title: Store passwords using reversible encryption +title: Store passwords using reversible encryption description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. -If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet +If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. ### Possible values 
@@ -42,7 +42,7 @@ Information Services (IIS) also requires that you enable this policy setting. Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. >**Note:**  Do not enable this policy setting unless business requirements outweigh the need to protect password information. - + ### Location **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** @@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| Disabled| -| Default domain controller policy| Disabled| -| Stand-alone server default settings | Disabled| -| Domain controller effective default settings | Disabled| -| Member server effective default settings | Disabled| -| Effective GPO default settings on client computers | Disabled| - +| Default domain policy| Disabled| +| Default domain controller policy| Disabled| +| Stand-alone server default settings | Disabled| +| Domain controller effective default settings | Disabled| +| Member server effective default settings | Disabled| +| Effective GPO default settings on client computers | Disabled| + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 3949729b08..6744567fe3 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -1,8 +1,8 @@ --- -title: Synchronize directory service data +title: Synchronize directory service data description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting. ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| Domain Controller Effective Default Settings | Enabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| Domain Controller Effective Default Settings | Enabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index ce8f451033..597b9027a0 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -1,8 +1,8 @@ --- -title: System cryptography Force strong key protection for user keys stored on the computer +title: System cryptography Force strong key protection for user keys stored on the computer description: Best practices, security considerations, and more for the policy setting, System cryptography Force strong key protection for user keys stored on the computer. ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings| Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings| Not defined| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 2d223e79b3..d660ac1952 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md 
@@ -1,8 +1,8 @@ --- -title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing +title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing description: Best practices, security considerations, and more for the policy setting System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 11/16/2018 ms.technology: itpro-security --- 
@@ -27,12 +27,12 @@ This security policy reference topic for the IT professional describes the best ## Reference -The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the +The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government. **TLS/SSL** -This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the +This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements. **Encrypting File System (EFS)** 
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ### Operating system version differences When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. 
@@ -86,11 +86,11 @@ When this setting is enabled, BitLocker generates recovery password or recovery | Operating systems | Applicability | | - | - | -| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.| -| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| -| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| -| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| - +| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.| +| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| +| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -117,7 +117,7 @@ Enable the **System cryptography: Use FIPS compliant algorithms for encryption, ### Potential impact -Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool +Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index ae93fe4482..3694fe2434 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md 
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -1,8 +1,8 @@ --- -title: System objects Require case insensitivity for non-Windows subsystems +title: System objects Require case insensitivity for non-Windows subsystems description: Best practices, security considerations and more for the security policy setting, System objects Require case insensitivity for non-Windows subsystems. ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Enabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 74bf9dee10..8358279b2d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -1,8 +1,8 @@ --- -title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links) +title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links) description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (for example, Symbolic Links). ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| | Stand-Alone Server Default Settings | Enabled | -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Enabled| -| Client Computer Effective Default Settings | Enabled| - +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index af54bf48ab..ef7ca4315a 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -1,8 +1,8 @@ --- -title: System settings Optional subsystems +title: System settings Optional subsystems description: Describes the best practices, location, values, policy management, and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | POSIX| -| DC Effective Default Settings | POSIX| -| Member Server Effective Default Settings| POSIX| -| Client Computer Effective Default Settings | POSIX| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | POSIX| +| DC Effective Default Settings | POSIX| +| Member Server Effective Default Settings| POSIX| +| Client Computer Effective Default Settings | POSIX| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 81fce5ee99..fee999b57a 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md 
@@ -1,8 +1,8 @@ --- -title: System settings Use certificate rules on Windows executables for Software Restriction Policies +title: System settings Use certificate rules on Windows executables for Software Restriction Policies description: Best practices and more for the security policy setting, System settings Use certificate rules on Windows executables for Software Restriction Policies. ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -37,7 +37,7 @@ This policy setting determines whether digital certificates are processed when s ### Best practices -- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. +- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance. You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes. ### Location 
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| | Stand-Alone Server Default Settings | Disabled | -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index 179d04747b..39152767a9 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -1,8 +1,8 @@ --- -title: Take ownership of files or other objects +title: Take ownership of files or other objects description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting. ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Administrators| -| Stand-Alone Server Default Settings | Administrators| -| Domain Controller Effective Default Settings | Administrators| -| Member Server Effective Default Settings | Administrators| -| Client Computer Effective Default Settings | Administrators| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Administrators| +| Stand-Alone Server Default Settings | Administrators| +| Domain Controller Effective Default Settings | Administrators| +| Member Server Effective Default Settings | Administrators| +| Client Computer Effective Default Settings | Administrators| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -100,7 +100,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a +Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a denial-of-service condition. ### Countermeasure 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index d4b0a95f6a..58989112e3 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -1,8 +1,8 @@ --- -title: User Account Control Admin Approval Mode for the Built-in Administrator account +title: User Account Control Admin Approval Mode for the Built-in Administrator account description: Best practices, security considerations, and more for the policy setting, User Account Control Admin Approval Mode for the Built-in Administrator account. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/08/2017 ms.technology: itpro-security --- @@ -31,7 +31,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio > [!NOTE] > If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. - + ### Possible values - Enabled 
@@ -49,7 +49,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. > [!NOTE] -> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. +> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. ### Location @@ -62,12 +62,12 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | | Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 4d0f0eac5b..eb9a42ffeb 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -1,8 +1,8 @@ --- -title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop +title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop description: Best practices and more for the policy setting, User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop. ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. >**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators. - + **Background** User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. 
@@ -39,7 +39,7 @@ Microsoft UI Automation is the current model to support accessibility requiremen However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. -If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy +If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. 1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer. 
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic Server type or GPO| Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index b5175062ac..8acd28314d 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md 
@@ -1,8 +1,8 @@ --- -title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode +title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode description: Best practices and more for the security policy setting, User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode. ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 09/08/2017 ms.technology: itpro-security --- @@ -36,7 +36,7 @@ This policy setting determines the behavior of the elevation prompt for accounts Assumes that the administrator will permit an operation that requires elevation, and more consent or credentials aren't required. **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. - + - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
@@ -60,7 +60,7 @@ This policy setting determines the behavior of the elevation prompt for accounts \*If you've enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. > [!NOTE] -> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. +> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. ### Best practices 
@@ -77,13 +77,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or GPO | Default value | | - | - | -| Default Domain Policy | Not defined| +| Default Domain Policy | Not defined| | Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries| -| DC Effective Default Settings | Prompt for consent for non-Windows binaries| -| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries| -| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries| - +| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries| +| DC Effective Default Settings | Prompt for consent for non-Windows binaries| +| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries| +| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 1d3ea2ed65..6a471c51bb 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -5,7 +5,7 @@ ms.author: vinpa ms.prod: windows-client author: vinaypamnani-msft manager: aaroncz -ms.topic: conceptual +ms.topic: reference ms.date: 01/18/2023 ms.technology: itpro-security --- 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index b18e302adf..ea22f7f177 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -1,8 +1,8 @@ --- -title: User Account Control Detect application installations and prompt for elevation +title: User Account Control Detect application installations and prompt for elevation description: Learn about best practices and more for the security policy setting, User Account Control Detect application installations and prompt for elevation. ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- 
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Enabled| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings| Enabled| -| Client Computer Effective Default Settings | Enabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Enabled| +| DC Effective Default Settings | Enabled| +| Member Server Effective Default Settings| Enabled| +| Client Computer Effective Default Settings | Enabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index e7e8643f8e..92d124a4f7 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -1,8 +1,8 @@ --- -title: User Account Control Only elevate executables that are signed and validated +title: User Account Control Only elevate executables that are signed and validated description: Best practices, security considerations, and more for the security policy setting, User Account Control Only elevate executables that are signed and validated. ms.assetid: 64950a95-6985-4db6-9905-1db18557352d -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft manager: aaroncz audience: ITPro -ms.topic: conceptual +ms.topic: reference ms.date: 04/19/2017 ms.technology: itpro-security --- @@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Disabled| +| DC Effective Default Settings | Disabled| +| Member Server Effective Default Settings | Disabled| +| Client Computer Effective Default Settings | Disabled| + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 564d86f514..4aad366985 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md 
@@ -1,8 +1,8 @@
 ---
-title: Only elevate UIAccess app installed in secure location
+title: Only elevate UIAccess app installed in secure location
 description: Learn about best practices and more for the policy setting, User Account Control Only elevate UIAccess applications that are installed in secure locations.
 ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -34,7 +34,7 @@ This policy setting enforces the requirement that apps that request running with
 - \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows
 >**Note:**  Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.
-
+
 **Background**
 User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
@@ -75,13 +75,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 8502ded0f0..97d8752204 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 90d853997d..9059607fe2 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -1,8 +1,8 @@
 ---
-title: User Account Control Switch to the secure desktop when prompting for elevation
+title: User Account Control Switch to the secure desktop when prompting for elevation
 description: Best practices, security considerations, and more for the policy setting, User Account Control Switch to the secure desktop when prompting for elevation.
 ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -45,7 +45,7 @@ The secure desktop’s primary difference from the user desktop is that only tru
 ### Best practices
-- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
+- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes.
 ### Location
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index e7bf8758a8..adb9f83c7e 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -1,8 +1,8 @@
 ---
-title: User Account Control Virtualize file and registry write failures to per-user locations
+title: User Account Control Virtualize file and registry write failures to per-user locations
 description: Best practices, security considerations and more for the policy setting, User Account Control Virtualize file and registry write failures to per-user locations.
 ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 04/19/2017
 ms.technology: itpro-security
 ---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
 | Server type or GPO | Default value|
 | - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 17f39e5b1f..3ca31c4fe8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -1,8 +1,8 @@
 ---
-title: User Rights Assignment
+title: User Rights Assignment
 description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
 ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5
-ms.reviewer:
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection:
+ms.collection:
 - highpri
 - tier3
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 12/16/2021
 ms.technology: itpro-security
 ---
@@ -29,7 +29,7 @@ ms.technology: itpro-security
 Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.
-Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
+Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
 **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc). For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md).
@@ -38,53 +38,53 @@ The following table links to each security policy setting and provides the const
 | Group Policy Setting | Constant Name |
 | - | - |
-| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
-| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
-| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
-| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
-| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
-| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
+| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
+| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
+| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
+| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
+| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
+| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
 | [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight|
-| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
-| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
-| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
-| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
-| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
-| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
-| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
-| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
-| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
-| [Debug programs](debug-programs.md) | SeDebugPrivilege|
+| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
+| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
+| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
+| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
+| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
+| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
+| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
+| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
+| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
+| [Debug programs](debug-programs.md) | SeDebugPrivilege|
 | [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight |
-| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
+| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
 | [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight |
-| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
-| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
-| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
-| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
-| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
-| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
-| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
-| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
-| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
-| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
-| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
-| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
-| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
-| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
-| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
+| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
+| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
+| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
+| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
+| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
+| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
+| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
+| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
+| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
+| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
+| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
+| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
+| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
+| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
+| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
 | [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege|
-| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
-| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
-| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
-| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
-| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
+| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
+| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
+| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
+| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
+| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
 | [Restore files and directories](restore-files-and-directories.md) | SeRestorePrivilege |
-| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
-| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
-| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
+| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
+| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+
-
 ## Related topics
 - [Security policy settings reference](security-policy-settings-reference.md)
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index c9468c7091..c40a04c723 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -20,6 +20,8 @@
 - name: Windows 10
 expanded: true
 items:
+ - name: Extended Security Updates (ESU) program for Windows 10
+ href: extended-security-updates.md
 - name: What's new in Windows 10, version 22H2
 href: whats-new-windows-10-version-22H2.md
 - name: What's new in Windows 10, version 21H2
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 22a8e247df..51b1467402 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -37,6 +37,9 @@ The features in this article are no longer being actively developed, and might b
 |Feature | Details and mitigation | Deprecation announced |
 | --- | --- | --- |
 | Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in a future release of Windows. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, and [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality) and Steam VR Beta. | December 2023 |
+| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. | December 2023 |
+| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install) is being deprecated and is no longer being updated. This deprecation also includes the [Windows.Security.Isolation APIs](/uwp/api/windows.security.isolation) that are used for Microsoft Defender Application Guard for Office. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
+| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 |
 | Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 |
 | Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
 | Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index ec64e498bc..c2a7a7209f 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -38,6 +38,7 @@
 "ms.collection": [
 "tier2"
 ],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.topic": "article",
diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md
new file mode 100644
index 0000000000..01fdfd6394
--- /dev/null
+++ b/windows/whats-new/extended-security-updates.md
@@ -0,0 +1,74 @@
+---
+title: Extended Security Updates (ESU) program for Windows 10
+description: Learn about the Extended Security Updates (ESU) program for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10.
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.date: 11/01/2023
+ms.collection:
+ - highpri
+ - tier2
+appliesto:
+ - ✅ Windows 10
+---
+
+# Extended Security Updates (ESU) program for Windows 10
+
+
+The Windows 10 Extended Security Updates (ESU) program gives customers the option to receive security updates for PCs enrolled in the program. ESU is a paid program that provides individuals and organizations of all sizes with the option to extend the use of Windows 10 devices past the end of support date in a more secure manner. For more information about the Windows 10 lifecycle, see the [Windows Lifecycle FAQ](/lifecycle/faq/windows).
+
+Individuals or organizations who elect to continue using Windows 10 after support ends on October 14, 2025, will have the option of enrolling their PCs into a paid ESU subscription. The ESU program enables PCs to continue to receive critical and important security updates through an annual subscription service after support ends. The [Microsoft Security Response Center](https://msrc.microsoft.com/) defines the [severity rating for security updates](https://www.microsoft.com/msrc/security-update-severity-rating-system).
+
+
+## Device prerequisites
+
+To be eligible to install updates from the ESU program, devices must be running Windows 10, version 22H2.
+
+## Limitations
+
+ESUs doesn't include the following items:
+
+- New features
+- Customer-requested nonsecurity updates
+- Design change requests
+- General support won't be provided for Windows versions past the end of support date. Support will be available only to those organizations that purchase ESU for specific situations concerning the security updates. To get technical support, organizations must have an active [support plan](https://www.microsoft.com/enterprise/services/unified-support-solutions) in place.
+
+## Frequently asked questions
+
+The following are frequently asked questions about the ESU program for Windows 10:
+
+### How much does ESU cost?
+
+Final pricing and enrollment conditions will be made available closer to the October 2025 date for end of support, approximately one year before the end of support for Windows 10. ESU will be free for all Windows 365 customers. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview).
+
+### Is there a minimum license purchase requirement for Windows 10 ESU?
+
+There are no minimum license purchase requirements for Windows 10 ESU.
+
+### Can ESUs be purchased for a specific duration?
+
+Customers can't buy partial periods, for instance, only six months. Extended Security Updates are transacted per year (12-month period), starting with the end of support date.
+
+### When will the ESU offer be available for licensing?
+
+Windows 10 ESU will be available in volume licensing starting about 12 months before the end of support date of Windows 10, or late 2024.
+
+### How long can I get security updates for?
+
+Enrolled PCs belonging to a commercial or educational organization can receive security updates for a maximum of three years after end of support for Windows 10.
+
+### Is technical support included in ESU?
+
+No, technical support isn't included in the ESU program. Microsoft will provide support for customers that encounter challenges related to the ESU.
+
+### Will Windows 10 PCs stop working without the ESU offering?
+
+Windows 10 PCs will continue to work, but we recommend customers upgrade eligible PCs to Windows 11 using Windows Autopatch, Microsoft Intune, or transition to a new Windows 11 PC for the best, most secure computing experience. Customers also have the option to migrate to the cloud and subscribe to Windows 365 to make Windows 11 available to users on any device with a Cloud PC. Beginning October 14, 2025, Microsoft will no longer provide the following for versions of Windows 10 that reach end of support on that date:
+
+- Technical support
+- Feature updates or new features
+- Quality updates (including security and reliability fixes)
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 88f1b323b1..c34ac91e0d 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -48,12 +48,13 @@ landingContent:
 linkLists:
 - linkListType: whats-new
 links:
+ - text: Extended Security Updates (ESU) program for Windows 10
+ url: extended-security-updates.md
 - text: What's new in Windows 10, version 22H2
 url: whats-new-windows-10-version-22h2.md
 - text: What's new in Windows 10, version 21H2
 url: whats-new-windows-10-version-21h2.md
- - text: What's new in Windows 10, version 21H1
- url: whats-new-windows-10-version-21h1.md
+ - title: Learn more
 linkLists:
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index 122c8a1f8f..ba0ca795c1 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -73,5 +73,5 @@ The following features introduced through the monthly cumulative updates allow p | The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start)

    **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**| | **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems)

    **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View**

    **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. | | Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)| -| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

    **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| +| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

    **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| |Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**:
    - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive)
    - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy)

    **Group Policies**:
    - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive**
    - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**| diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index f4005118e9..c593f3baae 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -9,18 +9,19 @@ ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
 ms.technology: itpro-fundamentals
-ms.date: 12/31/2017
+ms.date: 11/17/2023
 ---
 # What's new in Windows 10, version 1903 for IT Pros
 **Applies to**
-- Windows 10, version 1903
+- Windows 10, version 1903.
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1903, also known as the Windows 10 May 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1809.
 >[!NOTE]
->New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don’t meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
+>
+>New disk space requirement for Windows 10, version 1903 applies only to OEMs for the manufacture of new PCs. This new requirement does not apply to existing devices. PCs that don't meet new device disk space requirements will continue to receive updates and the 1903 update will require about the same amount of free disk space as previous updates. For more information, see [Reserved storage](#reserved-storage).
 ## Deployment
@@ -28,36 +29,36 @@ This article lists new and updated features and content that are of interest to
 [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
-- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in this version of Windows. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
 - [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
 ### SetupDiag
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the `rules.xml` file, which is extracted when SetupDiag is run. The `rules.xml` file are updated as new versions of SetupDiag are made available.
 ### Reserved storage
-[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.
+[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327) sets aside disk space to be used by updates, apps, temporary files, and system caches.
It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage is enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It isn't enabled when updating from a previous version of Windows 10.
 ## Servicing
 - [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and lock their device in order to complete the update. This automatic sign-in ensures that when the user returns and unlocks the device, the update is completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
 - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users will now be able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to be updated before pausing again.
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in your taskbar.
+- **Intelligent active hours**: To further enhance active hours, users are now able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
 ## Security
 ### Windows Information Protection
-With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
+With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
 ### Security configuration framework
@@ -73,72 +74,75 @@ The draft release of the [security configuration baseline settings](/archive/blo
 ### Microsoft Defender for Endpoint
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
-- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
+- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls are extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+ - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
+ - Tamper-proofing capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality are extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
-### Microsoft Defender for Endpoint next-gen protection technologies:
+### Microsoft Defender for Endpoint next-gen protection technologies
 - **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected.
-- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
+- **Emergency outbreak protection**: Provides emergency outbreak protection that automatically updates devices with new intelligence when a new outbreak is detected.
+- **Certified ISO 27001 compliance**: Ensures that the cloud service is analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
 - **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
### Threat Protection
 - [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
-- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
+- [Microphone privacy settings](https://support.microsoft.com/windows/windows-camera-microphone-and-privacy-a83257bc-e990-d54a-d212-b5e41beba857): A microphone icon appears in the notification area letting you see which apps are using your microphone.
-- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
+- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
 - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
 - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
- To try this extension:
+ To try this extension:
 1. 
Configure WDAG policies on your device.
 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
 3. Follow any of the other configuration steps on the extension setup page.
 4. Reboot the device.
 5. Navigate to an untrusted site in Chrome and Firefox.
- - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+ - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users are automatically redirected to their host default browser when they enter or select on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 - [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
    - This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios:
+ 1. Enforce and audit side-by-side.
+ 1. Simpler targeting for policies with different scope/intent.
+ 1. expanding a policy using a new supplemental policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files are checked for write permissions for unknown admins.
If a file is found to be user writeable, the system blocks the executable from running unless it receives authorization from a source other than a path rule, such as a signer or hash rule.
+ - This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time. This capability isn't available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
 #### System Guard
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they'll be coming out in the next few months.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner. Specifically, OS memory and secrets are protected from SMM.
-This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
+This new feature is displayed under the Device Security page with the string `Your device exceeds the requirements for enhanced hardware security` if configured properly:
 ![System Guard.](images/system-guard.png "SMM Firmware Measurement")
 ### Identity Protection
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Microsoft Entra ID.
 - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
-- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience.
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Microsoft Entra ID and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
 ### Security management
-- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
-- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
+- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
+- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
 - [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
 ## Microsoft Edge
-Several new features are coming in the next version of Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
+Several new features are coming in the next version of Microsoft Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
 ## See Also
-[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
    -[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
    -[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
    -[What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
    -[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
+- [What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
+- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
+- [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
+- [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what's new in Windows 10 hardware.
+- [What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index d40de13c9d..5ab89168fd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
 ### Transport Layer Security (TLS)
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog.
 >[!NOTE]
 >The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
index a6c474e939..7a178b1852 100644
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -36,7 +36,7 @@ To learn more about the status of the update rollout, known issues, and new info
 [Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
-When a manged Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control:
+When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer be under temporary enterprise feature control:
 | Feature | KB article where the feature was introduced |
 |---|---|