Returns status on Application Guard installation and pre-requisites. Value type is integer. Supported operation is Get.
+Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get. + +Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode +Bit 1 - Set to 1 when the client machine is Hyper-V capable +Bit 2 - Set to 1 when the client machine has a valid OS license and SKU +Bit 3 - Set to 1 when WDAG installed on the client machine +Bit 4 - Set to 1 when required Network Isolation Policies are configured +Bit 5 - Set to 1 when the client machine meets minimum hardware requirements + +
**InstallWindowsDefenderApplicationGuard**Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index ea9f6e17a8..5a024ad844 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -22,7 +22,7 @@ The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -The following Group Policy settings were introduced in Window 10: +The following Group Policy settings were introduced in Window 10. ## Configure the list of blocked TPM commands @@ -66,9 +66,6 @@ If you disable or do not configure this policy setting, Windows will block the T This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. -> [!IMPORTANT] -> This policy setting is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files. - There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. - **Full** This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 4769bd04ec..e84172c1e3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -97,7 +97,7 @@ You can disable this setting to ensure that only globally defined lists (such as 6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**. -[!NOTE] +> [!NOTE] > If you disable local list merging, it will override Controlled folder access settings in Windows Defender Exploit Guard. It also overrides any protected folders or allowed apps set by the local administrator. For more information about Controlled folder access settings, see [Enable Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index b2cf4e4659..9cf38c9042 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -54,6 +54,7 @@ For further details on how audit mode works, and when you might want to use it, >If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**. >See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works. +>>Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include: >- Windows Defender Antivirus **Configure local administrator merge behavior for lists** >- System Center Endpoint Protection **Allow users to add exclusions and overrides**