Merge remote-tracking branch 'refs/remotes/origin/master' into vs-intunechanges

2025-06-18 03:43:39 +00:00 · 2017-04-13 07:18:37 -07:00
parent 7966c0335b d24a0667d6
commit 91e6f202c6
7 changed files with 36 additions and 11 deletions
--- a/windows/keep-secure/bitlocker-group-policy-settings.md
+++ b/windows/keep-secure/bitlocker-group-policy-settings.md
@ -37,6 +37,7 @@ The following policy settings can be used to determine how a BitLocker-protected
 -   [Require additional authentication at startup](#bkmk-unlockpol1)
 -   [Allow enhanced PINs for startup](#bkmk-unlockpol2)
 -   [Configure minimum PIN length for startup](#bkmk-unlockpol3)
+-   [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
 -   [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
 -   [Configure use of passwords for operating system drives](#bkmk-ospw)
 -   [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
@ -355,6 +356,24 @@ This policy setting is used to set a minimum PIN length when you use an unlock m

 This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

+### Disable new DMA devices when this computer is locked
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
+
+|                    |                      |
+|--------------------|----------------------|
+| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
+| Introduced         | Windows 10, version 1703 |
+| Drive type         | Operating system drives  |
+| Policy path        | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+| Conflicts          | None                     |
+| When enabled       | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
+| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
+
+**Reference**
+
+This policy setting is only enforced when BitLocker or device encyption is enabled.
+
 ### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password

 This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso

 The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.

-The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`.
+The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`.

 The registry value `TelemetryProxyServer` takes the following string format:

--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@ -117,4 +117,4 @@ If you're running Windows Defender as the primary antimalware product on your en

 If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).

->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@ -27,6 +27,8 @@ localizationpriority: high

 Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.

+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+
 Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:

 -   **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors