Merge branch 'master' into siosulli-privacy-dpsw

2025-06-19 12:23:37 +00:00 · 2021-06-24 14:45:28 +01:00
parent dcb6afdeb3 bae4a23968
commit 99574e5678
7 changed files with 183 additions and 8 deletions
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@ -10,7 +10,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 06/02/2021
+ms.date: 06/23/2021
 ---

 # Defender CSP
@ -59,6 +59,9 @@ Defender
 --------TamperProtection (Added in Windows 10, version 1903)
 --------EnableFileHashComputation (Added in Windows 10, version 1903)
 --------SupportLogLocation (Added in the next major release of Windows 10)
+--------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
+--------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
+--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
 ----Scan
 ----UpdateSignature
 ----OfflineScan (Added in Windows 10 version 1803)
@ -518,9 +521,75 @@ When enabled or disabled exists on the client and admin moves the setting to not

 More details:  

- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)  
+- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)  
 - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)  

+<a href="" id="configuration-supportloglocation"></a>**Configuration/PlatformUpdatesChannel**
+
+Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
+
+Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
+
+Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
+
+Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+
+Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+
+If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 0: Not configured (Default)
+- 1: Beta Channel - Prerelease
+- 2: Current Channel (Preview)
+- 3: Current Channel (Staged)
+- 4: Current Channel (Broad)
+
+<a href="" id="configuration-supportloglocation"></a>**Configuration/EngineUpdatesChannel**
+
+Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
+
+Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
+
+Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
+
+Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+
+Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+
+If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 0 - Not configured (Default)
+- 1 - Beta Channel - Prerelease
+- 2 - Current Channel (Preview)
+- 3 - Current Channel (Staged)
+- 4 - Current Channel (Broad)
+
+<a href="" id="configuration-supportloglocation"></a>**Configuration/SignaturesUpdatesChannel** 
+
+Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.
+
+Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+
+If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
+
+The data type is integer.
+Supported operations are Add, Delete, Get, Replace.
+
+Valid Values are:
+- 0: Not configured (Default)
+- 3: Current Channel (Staged)
+- 4: Current Channel (Broad)
+
 <a href="" id="scan"></a>**Scan**  
 Node that can be used to start a Windows Defender scan on a device.

--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@ -14,9 +14,6 @@ manager: dansimp

 # Policy CSP - LocalUsersAndGroups

-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
-
 <hr/>

 <!--Policies-->
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@ -0,0 +1,103 @@
+---
+title: Azure Active Directory join cloud only deployment
+description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. 
+keywords: identity, Hello, Active Directory, cloud, 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+audience: ITPro
+author: mapalko
+ms.author: mapalko
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+localizationpriority: medium
+ms.date: 06/23/2021
+ms.reviewer: 
+---
+# Azure AD Joined Cloud Only Deployment
+
+## Introduction
+
+When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
+
+You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
+
+> [!NOTE]
+> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts.
+
+## Prerequisites
+
+Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
+
+The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment).
+
+Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge.
+
+Check and view this setting with the following MSOnline PowerShell command:
+
+`Get-MsolDomainFederationSettings –DomainName <your federated domain name>`
+
+To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain.
+
+`Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
+
+Example:
+
+`Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMfa $false`
+
+If you use this Supports MFA switch with value **True**, you must verify that your federated IDP is correctly configured and working with the MFA adapter and provider used by your IDP.
+
+## Use Intune to disable Windows Hello for Business enrollment
+
+We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
+
+However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business.
+
+## Disable Windows Hello for Business using Intune Enrollment policy
+
+1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
+2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
+3. Select from the following options for **Configure Windows Hello for Business**:
+
+   1. **Disabled**: If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
+
+> [!NOTE]
+> This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
+
+## Disable Windows Hello for Business enrollment without Intune
+
+The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s).
+
+Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used.
+
+Here are the registry settings an Intune policy would set.
+
+Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
+
+To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
+
+These registry settings are pushed from Intune for user policies for your reference.
+
+- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies`**
+- DWORD: **UsePassportForWork**
+- Value = **0** for Disable, or Value = **1** for Enable
+
+For your reference, these registry settings can be applied from Local or Group Policies.
+
+- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
+- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**
+- DWORD: **Enabled**
+- Value = **0** for Disable or Value = **1** for Enable
+
+If there's a conflicting Device policy and User policy, the User policy would take precedence. We don't recommend creating Local/GPO registry settings that could conflict with an Intune policy. This conflict could lead to unexpected results.
+
+## Related reference documents for Azure AD join scenarios
+
+- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)
+- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
+- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
+- [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin)
+- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
+- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -101,6 +101,8 @@
        href: hello-cert-trust-validate-deploy-mfa.md
      - name: Configure Windows Hello for Business policy settings
        href: hello-cert-trust-policy-settings.md
+    - name: Azure AD join cloud only deployment
+      href: hello-aad-join-cloud-only-deploy.md
    - name: Managing Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
    - name: Deploying Certificates to Key Trust Users to Enable RDP
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@ -21,8 +21,7 @@ ms.technology: mde
 - Windows 10
 - Windows Server 2016

-
-This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
+This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).

 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                              |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
@ -35,4 +34,3 @@ This auditing subcategory should not have any events in it, but for some reason
 -   [4985](event-4985.md)(S): The state of a transaction has changed.


-
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@ -35,6 +35,8 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10
 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
 - [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints.

+Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+
 For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager)

 ## Deploy custom WDAC policies using Packages/Programs or Task Sequences
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@ -120,6 +120,10 @@ To create the WDAC policy, they build a reference server on their standard hardw

 As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.

+## File rule precedence order
+
+WDAC has a built-in file rule conflict logic that translates to precedence order. It will first processes all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exists, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
+
 ## More information about filepath rules

 Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.