From 5fd6e5c58e492303bb084fa104b9b26cb4d7f0e0 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Fri, 3 Sep 2021 14:27:13 +0530 Subject: [PATCH 01/81] Updated-Files1to20 --- .../auditing/advanced-security-audit-policy-settings.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index b1b0dbf35b..85e0d38f53 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -21,7 +21,8 @@ ms.technology: mde # Advanced security audit policy settings **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. From 7df5a3510dc5b607e4538f56db7fe1737c4e269f Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 6 Sep 2021 13:39:34 +0530 Subject: [PATCH 02/81] Updated for 5358843-files-1to25 --- .../auditing/advanced-security-audit-policy-settings.md | 6 +----- .../auditing/advanced-security-auditing-faq.yml | 5 ++--- .../auditing/advanced-security-auditing.md | 5 +---- ...ity-monitoring-recommendations-for-many-audit-events.md | 6 +----- .../apply-a-basic-audit-policy-on-a-file-or-folder.md | 5 +---- .../threat-protection/auditing/audit-account-lockout.md | 7 +------ .../auditing/audit-application-generated.md | 6 +----- .../auditing/audit-application-group-management.md | 6 +----- .../auditing/audit-audit-policy-change.md | 6 +----- .../auditing/audit-authentication-policy-change.md | 7 +------ .../auditing/audit-authorization-policy-change.md | 7 +------ .../auditing/audit-central-access-policy-staging.md | 7 +------ .../auditing/audit-certification-services.md | 6 +----- .../auditing/audit-computer-account-management.md | 6 +----- .../auditing/audit-credential-validation.md | 6 +----- .../audit-detailed-directory-service-replication.md | 6 +----- .../auditing/audit-detailed-file-share.md | 6 +----- .../auditing/audit-directory-service-access.md | 6 +----- .../auditing/audit-directory-service-changes.md | 6 +----- .../auditing/audit-directory-service-replication.md | 6 +----- .../auditing/audit-distribution-group-management.md | 5 +---- .../threat-protection/auditing/audit-dpapi-activity.md | 6 +----- .../threat-protection/auditing/audit-file-share.md | 6 +----- .../threat-protection/auditing/audit-file-system.md | 5 +---- .../auditing/audit-filtering-platform-connection.md | 6 +----- .../auditing/audit-filtering-platform-packet-drop.md | 6 +----- 26 files changed, 27 insertions(+), 128 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 85e0d38f53..f45d596295 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -14,16 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Advanced security audit policy settings -**Applies to** -- Windows 10 -- Windows 11 - This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 61dfe3d07c..3e90a4fd67 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -15,13 +15,12 @@ metadata: audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual - ms.date: 04/19/2017 + ms.date: 09/06/2021 ms.technology: mde title: Advanced security auditing FAQ summary: | - **Applies to** - - Windows 10 + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 691956d81c..2e9d3a84f1 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/6/2021 ms.technology: mde --- # Advanced security audit policies -**Applies to** -- Windows 10 - Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index c892db7b11..d092d91f72 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # Appendix A: Security monitoring recommendations for many audit events -**Applies to** -- Windows 10 -- Windows Server 2016 - This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix. diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 2d63b25eb8..331e40c490 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -14,15 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/25/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Apply a basic audit policy on a file or folder -**Applies to** -- Windows 10 - You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights. diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 77f8126a98..4837398076 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 07/16/2018 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Account Lockout -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index 7e8adee87d..c2f603a680 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Application Generated -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)). Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012. diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 647f8e28b6..7fefa5c73c 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Application Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions. [Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)). diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index 1ac2a40f94..3828ec83b4 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Audit Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 8bf74ed78f..07e3af496b 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Authentication Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include: diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index c00445582a..20750fbbe9 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Authorization Policy Change -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index d63d07634a..ed8737a5d1 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -11,17 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Central Access Policy Staging -**Applies to** -- Windows 10 -- Windows Server 2016 - - Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows: diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index 82fe1eac16..655f1fbbbc 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Certification Services -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. Examples of AD CS operations include: diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 677244f857..1a3c91c1a9 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Computer Account Management -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted. diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 4fdf9060db..4bde8f1ddb 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Credential Validation -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index a6f472d018..593eb8718d 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Detailed Directory Service Replication -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 4428aad464..92b53125a2 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Detailed File Share -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 608ddbfc4f..bceb0bc1d1 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Directory Service Access -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 2141bbae5e..a2290c487c 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Directory Service Changes -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index df8ddc7f12..8bbcc73020 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Directory Service Replication -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends. diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 352eea4cfe..18f52d6dea 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Distribution Group Management -**Applies to** -- Windows 10 -- Windows Server 2016 Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks. diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index 9661ffe602..ce489d62ac 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit DPAPI Activity -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))). diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index 88b51b6a3f..97c2332179 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit File Share -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 98f61fc786..17787cf470 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -11,15 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit File System -**Applies to** -- Windows 10 -- Windows Server 2016 > [!NOTE] > For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index e4829f1e56..7e0478f79f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Filtering Platform Connection -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index d6131681ec..dae76cc66f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -11,16 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/06/2021 ms.technology: mde --- # Audit Filtering Platform Packet Drop -**Applies to** -- Windows 10 -- Windows Server 2016 - Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). From 7ab0e861984d7218efb9ad27f7d6d47bd82e95ef Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 6 Sep 2021 13:56:05 +0530 Subject: [PATCH 03/81] Corrected blocking issue --- .../auditing/advanced-security-auditing-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 3e90a4fd67..c3c1ecbe92 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -22,7 +22,7 @@ title: Advanced security auditing FAQ summary: | - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From 2e8cd0e8200063e241528629c88d7d843fddbe48 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 6 Sep 2021 14:10:38 +0530 Subject: [PATCH 04/81] Updated --- .../auditing/advanced-security-auditing-faq.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 3e90a4fd67..7341b721a6 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -19,10 +19,8 @@ metadata: ms.technology: mde title: Advanced security auditing FAQ -summary: | - - - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + +This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From aa0b279205831619b050cba6339e4ed923fc6f8a Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 6 Sep 2021 14:16:59 +0530 Subject: [PATCH 05/81] Updated --- .../auditing/advanced-security-auditing-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 3f9281aea4..92cfb0b820 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -22,7 +22,7 @@ title: Advanced security auditing FAQ -This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From 1bef30317bfa50a4de0d2c41b7befed8610e9ac3 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Mon, 6 Sep 2021 17:50:53 +0530 Subject: [PATCH 06/81] Updated for W11 --- ...ackup-tpm-recovery-information-to-ad-ds.md | 11 ++++--- .../tpm/change-the-tpm-owner-password.md | 18 +++++------ .../tpm/how-windows-uses-the-tpm.md | 30 +++++++++--------- ...lize-and-configure-ownership-of-the-tpm.md | 31 ++++++++++--------- .../tpm/manage-tpm-commands.md | 7 +++-- .../tpm/manage-tpm-lockout.md | 13 ++++---- .../switch-pcr-banks-on-tpm-2-0-devices.md | 13 ++++---- .../tpm/tpm-fundamentals.md | 11 ++++--- .../tpm/tpm-recommendations.md | 21 +++++++------ .../tpm/trusted-platform-module-overview.md | 12 +++---- ...m-module-services-group-policy-settings.md | 11 ++++--- .../tpm/trusted-platform-module-top-node.md | 11 ++++--- 12 files changed, 99 insertions(+), 90 deletions(-) diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 496b94e463..9e8fb338ce 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -1,5 +1,5 @@ --- -title: Back up the TPM recovery information to AD DS (Windows 10) +title: Back up the TPM recovery information to AD DS (Windows) description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 ms.reviewer: @@ -13,20 +13,21 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/03/2021 --- # Back up the TPM recovery information to AD DS **Applies to** -- Windows 10, version 1511 -- Windows 10, version 1507 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above **Does not apply to** - Windows 10, version 1607 or later -With Windows 10, versions 1511 and 1507, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). +With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). ## Related topics diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 2a57c4f6c9..c139f7a4df 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -1,5 +1,5 @@ --- -title: Change the TPM owner password (Windows 10) +title: Change the TPM owner password (Windows) description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ms.assetid: e43dcff3-acb4-4a92-8816-d6b64b7f2f45 ms.reviewer: @@ -13,24 +13,24 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/03/2021 --- # Change the TPM owner password **Applies to** -- Windows 10, version 1511 -- Windows 10, version 1507 -- TPM 1.2 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. ## About the TPM owner password -Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. +Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded. > [!IMPORTANT] -> Although the TPM owner password is not retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. +> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. The default value for this key is 2, and unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved. Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. @@ -42,11 +42,11 @@ Instead of changing your owner password, you can also use the following options - **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). -- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). +- **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). ## Change the TPM owner password -With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. +With Windows 10, version 1507 or 1511, or Windows 11, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index dd9e12558e..532dc2607c 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -14,12 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/27/2017 +ms.date: 09/03/2021 --- -# How Windows 10 uses the Trusted Platform Module +# How Windows uses the Trusted Platform Module -The Windows 10 operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM. +The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows as well as the cumulative security impact of running Windows on a PC that contains a TPM. **See also:** @@ -36,7 +36,7 @@ The TPM is a cryptographic module that enhances computer security and privacy. P Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). @@ -46,9 +46,9 @@ The TCG designed the TPM as a low-cost, mass-market security solution that addre Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. -## TPM in Windows 10 +## TPM in Windows -The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security. +The security features of Windows combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows and go on to describe how key technologies use the TPM to enable or increase security. ## Platform Crypto Provider @@ -62,7 +62,7 @@ The Platform Crypto Provider, introduced in the Windows 8 operating system, expo • **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows 10 device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. ## Virtual Smart Card @@ -102,11 +102,11 @@ In the most common configuration, BitLocker encrypts the operating system volume Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. -Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. +Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. ## Device Encryption -Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. +Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. @@ -122,7 +122,7 @@ TPM measurements are designed to avoid recording any privacy-sensitive informati The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: -• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. +• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. @@ -133,21 +133,21 @@ When new security features are added to Windows, Measured Boot adds security-rel ## Health Attestation -Some Windows 10 improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health. +Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health. Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365. ## Credential Guard -Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization. +Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization. Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. -The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10. +The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows. ## Conclusion -The TPM adds hardware-based security benefits to Windows 10. When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. +The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. |Feature | Benefits when used on a system with a TPM| @@ -163,4 +163,4 @@ The TPM adds hardware-based security benefits to Windows 10. When installed on h
-Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. +Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index e2bdcc7c8a..e4b8bade20 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot the TPM (Windows 10) +title: Troubleshoot the TPM (Windows) description: This topic for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 ms.reviewer: @@ -13,14 +13,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/11/2018 +ms.date: 09/06/2021 --- # Troubleshoot the TPM **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM): @@ -28,7 +29,7 @@ This topic provides information for the IT professional to troubleshoot the Trus - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) -With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the following actions: +With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions: - [Turn on or turn off the TPM](#turn-on-or-turn-off) @@ -36,7 +37,7 @@ For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/ ## About TPM initialization and ownership -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. +Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. ## Troubleshoot TPM initialization @@ -46,13 +47,13 @@ If you find that Windows is not able to initialize the TPM automatically, review - If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system. -- If you have TPM 1.2 with Windows 10, version 1507 or 1511, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it. +- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it. - If you are attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM. -### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511 +### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11 -If you have Windows 10, version 1507 or 1511, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist: +If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist: - An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. @@ -62,7 +63,7 @@ If these issues occur, an error message appears, and you cannot complete the ini ### Troubleshoot systems with multiple TPMs -Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows 10 does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. +Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. @@ -70,7 +71,7 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly. -Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows 10 operating system will automatically re-initialize it and take ownership again. +Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again. > [!WARNING] > Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.” @@ -83,7 +84,7 @@ Clearing the TPM can result in data loss. To protect against such loss, review t - Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. -- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this topic. +- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this topic. - Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI. @@ -105,9 +106,9 @@ Membership in the local Administrators group, or equivalent, is the minimum requ 6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. -7. After the PC restarts, your TPM will be automatically prepared for use by Windows 10. +7. After the PC restarts, your TPM will be automatically prepared for use by Windows. -## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511) +## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11) Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. @@ -115,7 +116,7 @@ Normally, the TPM is turned on as part of the TPM initialization process. You do If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** +**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11 only)** 1. Open the TPM MMC (tpm.msc). @@ -129,7 +130,7 @@ If you want to use the TPM after you have turned it off, you can use the followi If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** +**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11 only)** 1. Open the TPM MMC (tpm.msc). diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md index af241069fd..8e9896104d 100644 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md @@ -1,5 +1,5 @@ --- -title: Manage TPM commands (Windows 10) +title: Manage TPM commands (Windows) description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765 ms.reviewer: @@ -13,14 +13,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/30/2017 +ms.date: 09/06/2021 --- # Manage TPM commands **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index 8991e9b48b..49e541aba5 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -1,5 +1,5 @@ --- -title: Manage TPM lockout (Windows 10) +title: Manage TPM lockout (Windows) description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b ms.reviewer: @@ -13,13 +13,14 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/02/2017 +ms.date: 09/06/2021 --- # Manage TPM lockout **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. @@ -37,14 +38,14 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m **TPM 2.0** -TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1. +TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1. -If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607. +If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 or Windows 11. ## Reset the TPM lockout by using the TPM MMC > [!NOTE] -> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607. +> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 or Windows 11. The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index fed9817bba..f2c79979ef 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -1,5 +1,5 @@ --- -title: Understanding PCR banks on TPM 2.0 devices (Windows 10) +title: Understanding PCR banks on TPM 2.0 devices (Windows) description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices. ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE ms.reviewer: @@ -13,14 +13,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/06/2021 --- # Understanding PCR banks on TPM 2.0 devices **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices. @@ -35,9 +36,9 @@ The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputi Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. -## How does Windows 10 use PCRs? +## How does Windows use PCRs? -To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows 10 uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. +To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match. @@ -45,7 +46,7 @@ It is important to note that this binding to PCR values also includes the hashin When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. -As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows 10 will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. ## What can I do to switch PCRs when BitLocker is already active? diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index cffb2255cf..d33693d90e 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -1,5 +1,5 @@ --- -title: TPM fundamentals (Windows 10) +title: TPM fundamentals (Windows) description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 ms.reviewer: @@ -13,14 +13,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/16/2017 +ms.date: 09/06/2021 --- # TPM fundamentals **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. @@ -82,7 +83,7 @@ For TPM 1.2, the TCG specifications for TPMs require physical presence (typicall ## TPM 1.2 states and initialization -For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state. +For TPM 1.2, there are multiple possible states. Windows automatically initializes the TPM, which brings it to an enabled, activated, and owned state. ## Endorsement keys @@ -134,7 +135,7 @@ Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. -To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. +To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703, or Windows 11, with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### TPM-based smart cards diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 658a7d98d5..a0a68a10b5 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -1,6 +1,6 @@ --- -title: TPM recommendations (Windows 10) -description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. +title: TPM recommendations (Windows) +description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561 ms.reviewer: ms.prod: w10 @@ -14,17 +14,18 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/29/2018 +ms.date: 09/06/2021 --- # TPM recommendations **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. +This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md). @@ -32,7 +33,7 @@ For a basic feature description of TPM, see the [Trusted Platform Module Technol Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). @@ -89,11 +90,11 @@ Windows uses any compatible TPM in the same way. Microsoft does not take a posit ## Is there any importance for TPM for consumers? -For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. +For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. -## TPM 2.0 Compliance for Windows 10 +## TPM 2.0 Compliance for Windows -### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) +### Windows for desktop editions (Home, Pro, Enterprise, and Education) - Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 5bbb8174ec..97ceecd48d 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -1,5 +1,5 @@ --- -title: Trusted Platform Module Technology Overview (Windows 10) +title: Trusted Platform Module Technology Overview (Windows) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.assetid: face8932-b034-4319-86ac-db1163d46538 ms.reviewer: @@ -42,9 +42,9 @@ TPM-based keys can be configured in a variety of ways. One option is to make a T Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/). -### Automatic initialization of the TPM with Windows 10 +### Automatic initialization of the TPM with Windows -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. +Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. @@ -54,13 +54,13 @@ Certificates can be installed or created on computers that are using the TPM. Af Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. -Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and later editions or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. +Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and Windows 11, or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). ## New and changed functionality -For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module) +For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module) ## Device health attestation @@ -95,5 +95,5 @@ Some things that you can check on the device are: - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) - [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/) - [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) -- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [Windows 10 and Windows 11: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) - [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 0961556a4b..980a789233 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,5 +1,5 @@ --- -title: TPM Group Policy settings (Windows 10) +title: TPM Group Policy settings (Windows) description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd ms.reviewer: @@ -13,14 +13,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/02/2018 +ms.date: 09/06/2021 --- # TPM Group Policy settings **Applies to** - Windows 10 -- Windows Server 2016 and later +- Windows 11 +- Windows Server 2016 and above This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. @@ -28,7 +29,7 @@ The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -The following Group Policy settings were introduced in Windows 10. +The following Group Policy settings were introduced in Windows. ## Configure the level of TPM owner authorization information available to the operating system @@ -119,7 +120,7 @@ If you do not configure this policy setting, a default value of 9 is used. A val ## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 -Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. +Introduced in Windows 10, version 1703, or Windows 11, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. > [!IMPORTANT] > Setting this policy will take effect only if: diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index 124caf74f2..1e071cfbdc 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -1,5 +1,5 @@ --- -title: Trusted Platform Module (Windows 10) +title: Trusted Platform Module (Windows) description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.prod: w10 ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/11/2018 +ms.date: 09/06/2021 ms.reviewer: --- @@ -20,7 +20,8 @@ ms.reviewer: **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details. @@ -32,6 +33,6 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based, | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. | | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. | | [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. | -| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off. | +| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. | | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. | -| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows 10 features for which a TPM is required or recommended. | +| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. | From 7f01a2e943de4ccb499b3f18916eb3d2fb8fad9a Mon Sep 17 00:00:00 2001 From: Meghana Athavale <89906726+v-mathavale@users.noreply.github.com> Date: Mon, 6 Sep 2021 17:58:05 +0530 Subject: [PATCH 07/81] Updated suggestions --- .../tpm/initialize-and-configure-ownership-of-the-tpm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index e4b8bade20..d8af529bde 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -33,7 +33,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also t - [Turn on or turn off the TPM](#turn-on-or-turn-off) -For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps). +For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true). ## About TPM initialization and ownership @@ -146,8 +146,8 @@ If you want to stop using the services that are provided by the TPM, you can use ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true). ## Related topics -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file +- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From 57472c73a80c199c973a5ea7298aa375bdd996d5 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Mon, 6 Sep 2021 18:02:44 +0530 Subject: [PATCH 08/81] Updated suggestions --- .../security/information-protection/tpm/manage-tpm-commands.md | 2 +- .../trusted-platform-module-services-group-policy-settings.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md index 8e9896104d..ddc7cd93d0 100644 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md @@ -79,7 +79,7 @@ The following procedures describe how to manage the TPM command lists. You must ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps). +You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true). ## Related topics diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 980a789233..3ad73295ac 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -147,5 +147,5 @@ If you don't want users to see the recommendation to update TPM firmware, you ca ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) -- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps) +- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true) - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) \ No newline at end of file From 297c11359e7a91e36a29bb17c4d6f1a6cf4f65a9 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 09:54:03 +0530 Subject: [PATCH 09/81] 5358700- Batch 01- Windows 11 Update WINDOWS: Hello for Business update for W11 --- .../feature-multifactor-unlock.md | 17 +++++++++-------- .../hello-aad-join-cloud-only-deploy.md | 4 ++-- .../hello-adequate-domain-controllers.md | 4 ++-- .../hello-and-password-changes.md | 6 ++++-- .../hello-biometrics-in-enterprise.md | 6 ++++-- .../hello-cert-trust-adfs.md | 1 + .../hello-cert-trust-policy-settings.md | 15 ++++++++------- .../hello-cert-trust-validate-ad-prereq.md | 8 ++++---- .../hello-cert-trust-validate-deploy-mfa.md | 7 ++++--- .../hello-cert-trust-validate-pki.md | 9 +++++---- .../hello-deployment-cert-trust.md | 1 + .../hello-deployment-guide.md | 3 ++- .../hello-deployment-issues.md | 7 ++++--- .../hello-deployment-key-trust.md | 1 + .../hello-deployment-rdp-certs.md | 1 + .../hello-errors-during-pin-creation.md | 6 ++++-- .../hello-for-business/hello-event-300.md | 10 ++++++---- .../hello-feature-dual-enrollment.md | 10 +++++----- .../hello-feature-dynamic-lock.md | 8 ++++---- .../hello-feature-pin-reset.md | 6 ++++-- .../hello-feature-remote-desktop.md | 7 ++++--- .../hello-how-it-works-authentication.md | 4 +++- .../hello-how-it-works-provisioning.md | 7 ++++--- .../hello-how-it-works-technology.md | 19 ++++++++++--------- .../retired/hello-how-it-works.md | 16 +++++++++------- 25 files changed, 105 insertions(+), 78 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index f80ffec25c..2fe1b87295 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -1,6 +1,6 @@ --- title: Multi-factor Unlock -description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. +description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: w10 ms.mktglfcycl: deploy @@ -19,17 +19,19 @@ ms.reviewer: # Multi-factor Unlock **Applies to:** -- Windows 10 + +- Windows 10 +- Windows 11 **Requirements:** * Windows Hello for Business deployment (Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) -* Windows 10, version 1709 or newer +* Windows 10, version 1709 or newer, or Windows 11 * Bluetooth, Bluetooth capable phone - optional Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. +Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices. Which organizations can take advantage of Multi-factor unlock? Those who: * Have expressed that PINs alone do not meet their security needs. @@ -92,7 +94,7 @@ You represent signal rules in XML. Each signal rule has an starting and ending ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. +Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. |Attribute|Value| @@ -133,7 +135,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. @@ -343,11 +345,10 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) ### How to configure Multifactor Unlock policy settings -You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. +You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. - ### Create the Multifactor Unlock Group Policy object The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 850b4b5214..aa4d0faa2f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,6 +1,6 @@ --- title: Azure Active Directory join cloud only deployment -description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. +description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. keywords: identity, Hello, Active Directory, cloud, ms.prod: w10 ms.mktglfcycl: deploy @@ -20,7 +20,7 @@ ms.reviewer: ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. +When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 25d27e28d3..b317356b81 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -20,7 +20,7 @@ ms.reviewer: **Applies to** -- Windows 10, version 1703 or later +- Windows 10, version 1703 or later, or Windows 11 - Windows Server, versions 2016 or later - Hybrid or On-Premises deployment - Key trust @@ -32,7 +32,7 @@ ms.reviewer: How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. -Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller. +Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller. Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 2eb9365b7b..1933fad122 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,5 +1,5 @@ --- -title: Windows Hello and password changes (Windows 10) +title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 ms.reviewer: @@ -19,7 +19,9 @@ ms.date: 07/27/2017 # Windows Hello and password changes **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index d0857ccd72..7dc20cb316 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,5 +1,5 @@ --- -title: Windows Hello biometrics in the enterprise (Windows 10) +title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc ms.reviewer: @@ -21,7 +21,9 @@ ms.date: 01/12/2021 # Windows Hello biometrics in the enterprise **Applies to:** -- Windows 10 + +- Windows 10 +- Windows 11 Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index f354ae19d4..4f4f37b876 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 7f7f59156a..3ce38ae8f6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -19,12 +19,13 @@ ms.reviewer: # Configure Windows Hello for Business Policy settings **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- Windows 11 +- On-premises deployment +- Certificate trust -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. +You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business @@ -116,9 +117,9 @@ The default Windows Hello for Business enables users to enroll and use biometric ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: * Require digits * Require lowercase letters * Maximum PIN length diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 57f12a0692..d62bda3427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -19,10 +19,10 @@ ms.reviewer: # Validate Active Directory prerequisites **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust - +- Windows 10, version 1703 or later +- Windows 11 +- On-premises deployment +- Certificate trust The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 373a03c97c..6a840d43c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -16,19 +16,20 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Deploy Multi-factor Authentication (MFA) +# Validate and Deploy Multifactor Authentication (MFA) **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Certificate trust -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. +Windows Hello for Business requires all users perform multifactor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) -Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). +Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). ## Follow the Windows Hello for Business on premises certificate trust deployment guide 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index e4950a9581..d84ad9c32f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -19,9 +19,10 @@ ms.reviewer: # Validate and Configure Public Key Infrastructure **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- Windows 11 +- On-premises deployment +- Certificate trust Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. @@ -94,7 +95,7 @@ The certificate template is configured to supersede all the certificate template ### Configure an Internal Web Server Certificate template -Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. +Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index c8f3f83f76..db310a19e8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 1a07013ef3..80a1ca91b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. @@ -41,7 +42,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme - Proper name resolution, both internal and external names - Active Directory and an adequate number of domain controllers per site to support authentication - Active Directory Certificate Services 2012 or later -- One or more workstation computers running Windows 10, version 1703 +- One or more workstation computers running Windows 10, version 1703 or later If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index a95d9212e0..30dbcc8929 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -27,16 +27,17 @@ Applies to: - Azure AD joined deployments - Windows 10, version 1803 and later +- Windows 11 PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue -The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication. +The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication. -In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. +In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. -If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in "We can't open that page right now". +If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now". ### Resolving Azure AD joined PIN Reset Allowed Domains Issue diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index e748408fb5..5a5f0334f7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 0bbce98b00..260463cdb8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -22,6 +22,7 @@ ms.reviewer: **Applies To** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 48a0d130df..f6d78686a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,5 +1,5 @@ --- -title: Windows Hello errors during PIN creation (Windows 10) +title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 ms.reviewer: @@ -21,7 +21,9 @@ ms.date: 05/05/2018 # Windows Hello errors during PIN creation **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index fd2d0dbe71..a41f3c8418 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -1,5 +1,5 @@ --- -title: Event ID 300 - Windows Hello successfully created (Windows 10) +title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 ms.reviewer: @@ -21,19 +21,21 @@ ms.date: 07/27/2017 # Event ID 300 - Windows Hello successfully created **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details -| **Product:** | Windows 10 operating system | +| **Product:** | Windows 10 or Windows 11 operating system | |--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Log:** | Event Viewer > Applications and Service Logs\Microsoft\Windows\User Device Registration\Admin | | **ID:** | 300 | | **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | +| **Version:** | 10 or 11 | | **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | ## Resolve diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index f62a626f0a..82cb73cd43 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -23,7 +23,7 @@ ms.reviewer: * Hybrid and On-premises Windows Hello for Business deployments * Enterprise joined or Hybrid Azure joined devices -* Windows 10, version 1709 +* Windows 10, version 1709 or later * Certificate trust > [!NOTE] @@ -34,12 +34,12 @@ ms.reviewer: Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. -By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. +By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. -With this setting, administrative users can sign in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads. +With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads. > [!IMPORTANT] -> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. +> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. ## Configure Windows Hello for Business Dual Enrollment @@ -69,7 +69,7 @@ where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and ### Configuring Dual Enrollment using Group Policy -You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. +You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. 2. Edit the Group Policy object from step 1. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 53985965fb..6a880c9a9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,6 +1,6 @@ --- title: Dynamic lock -description: Learn how to set Dynamic lock on Windows 10 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. +description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: w10 ms.mktglfcycl: deploy @@ -21,9 +21,9 @@ ms.reviewer: **Requirements:** -* Windows 10, version 1703 +* Windows 10, version 1703 or later -Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. @@ -54,7 +54,7 @@ For this policy setting, the **type** and **scenario** attribute values are stat |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 2fbed0b012..25b4269de7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -22,6 +22,7 @@ ms.reviewer: **Applies to:** - Windows 10, version 1709 or later +- Windows 11 Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN. @@ -81,7 +82,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. -Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. +Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. >[!IMPORTANT] > The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer. @@ -114,7 +115,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Configure Windows devices to use PIN reset using Group Policy -You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. +You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. 1. Edit the Group Policy object from Step 1. @@ -188,6 +189,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta **Applies to:** - Windows 10, version 1803 or later +- Windows 11 - Azure AD joined The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 550cddc3cc..8ed00949b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -22,6 +22,7 @@ ms.reviewer: **Requirements** - Windows 10 +- Windows 11 - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices @@ -36,9 +37,9 @@ Microsoft continues to investigate supporting using keys trust for supplied cred - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices - Biometric enrollments -- Windows 10, version 1809 +- Windows 10, version 1809 or later -Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. +Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 or later introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. ### How does it work @@ -48,7 +49,7 @@ A certificate on a smart card starts with creating an asymmetric key pair using This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). -Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. +Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN. ### Compatibility diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 1efcc90b24..d6cff27980 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -18,7 +18,9 @@ ms.reviewer: # Windows Hello for Business and Authentication **Applies to:** -- Windows 10 + +- Windows 10 +- Windows 11 Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 20008e7565..90f0880e9b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -16,9 +16,10 @@ ms.date: 08/19/2018 ms.reviewer: --- # Windows Hello for Business Provisioning - -Applies to: -- Windows 10 + +**Applies to:** +- Windows 10 +- Windows 11 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: - How the device is joined to Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index af9083a431..cae576ab66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -19,6 +19,7 @@ ms.reviewer: **Applies to:** - Windows 10 +- Windows 11 - [Attestation Identity Keys](#attestation-identity-keys) - [Azure AD Joined](#azure-ad-joined) @@ -44,15 +45,15 @@ ms.reviewer:
## Attestation Identity Keys -Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. +Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. > [!NOTE] -> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. +> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device. +Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. -Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. @@ -102,7 +103,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations [Return to Top](hello-how-it-works-technology.md) ## Cloud Experience Host -In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics [Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md) @@ -138,7 +139,7 @@ The endorsement key is often accompanied by one or two digital certificates: - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. -For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. ### Related topics [Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module) @@ -279,15 +280,15 @@ The trust type determines how a user authenticates to the Active Directory to ac A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
-Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. +Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md). +Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md). -Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. +Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 2ad3bb1f3b..2b44b1c81f 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -1,5 +1,5 @@ --- -title: How Windows Hello for Business works (Windows 10) +title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: w10 ms.mktglfcycl: deploy @@ -16,8 +16,10 @@ ms.topic: article # How Windows Hello for Business works **Applies to** -- Windows 10 -- Windows 10 Mobile + +- Windows 10 +- Windows 11 +- Windows 10 Mobile Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. @@ -30,15 +32,15 @@ A goal of device registration is to allow a user to open a brand-new device, sec The registration process works like this: -1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. 2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. 3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: - A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. -- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. +- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to. +- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to. When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. @@ -46,7 +48,7 @@ At this point, the user has a PIN gesture defined on the device and an associate ## What’s a container? -You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. +You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. From 01d023b5c878c29bef457d647332ea005dfb2644 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 10:21:15 +0530 Subject: [PATCH 10/81] Updated --- .../tpm/initialize-and-configure-ownership-of-the-tpm.md | 6 +++--- .../security/information-protection/tpm/tpm-fundamentals.md | 2 +- .../tpm/trusted-platform-module-overview.md | 4 ++-- ...rusted-platform-module-services-group-policy-settings.md | 5 ++--- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index d8af529bde..b309abe563 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -108,7 +108,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ 7. After the PC restarts, your TPM will be automatically prepared for use by Windows. -## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11) +## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511) Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. @@ -116,7 +116,7 @@ Normally, the TPM is turned on as part of the TPM initialization process. You do If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11 only)** +**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** 1. Open the TPM MMC (tpm.msc). @@ -130,7 +130,7 @@ If you want to use the TPM after you have turned it off, you can use the followi If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11 only)** +**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** 1. Open the TPM MMC (tpm.msc). diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index d33693d90e..faf6827fc3 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -135,7 +135,7 @@ Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. -To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703, or Windows 11, with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. +To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### TPM-based smart cards diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 97ceecd48d..e401d19506 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -54,7 +54,7 @@ Certificates can be installed or created on computers that are using the TPM. Af Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. -Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and Windows 11, or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. +Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). @@ -95,5 +95,5 @@ Some things that you can check on the device are: - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) - [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/) - [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) -- [Windows 10 and Windows 11: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) - [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 3ad73295ac..13b87d24b2 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -72,8 +72,7 @@ The following table shows the TPM owner authorization values in the registry. If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not -configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. +On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. ## Standard User Lockout Duration @@ -120,7 +119,7 @@ If you do not configure this policy setting, a default value of 9 is used. A val ## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 -Introduced in Windows 10, version 1703, or Windows 11, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. +Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. > [!IMPORTANT] > Setting this policy will take effect only if: From 855ef33cb46f46d005cee0d2dce72be5eb0182b6 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 10:40:47 +0530 Subject: [PATCH 11/81] 5358700- Batch 02- Windows 11 Update WINDOWS: Hello for Business update for W11- Batch02 --- .../hello-for-business/hello-how-it-works.md | 3 ++- .../hello-hybrid-aadj-sso-base.md | 9 +++++---- .../hello-hybrid-aadj-sso-cert.md | 4 +++- .../hello-for-business/hello-hybrid-aadj-sso.md | 1 + .../hello-hybrid-cert-new-install.md | 3 ++- .../hello-hybrid-cert-trust-devreg.md | 5 +++-- .../hello-hybrid-cert-trust-prereqs.md | 3 ++- .../hello-for-business/hello-hybrid-cert-trust.md | 1 + .../hello-hybrid-cert-whfb-provision.md | 1 + .../hello-hybrid-cert-whfb-settings-ad.md | 1 + .../hello-hybrid-cert-whfb-settings-adfs.md | 1 + .../hello-hybrid-cert-whfb-settings-dir-sync.md | 1 + .../hello-hybrid-cert-whfb-settings-pki.md | 3 ++- .../hello-hybrid-cert-whfb-settings-policy.md | 9 +++++---- .../hello-hybrid-cert-whfb-settings.md | 1 + .../hello-hybrid-key-new-install.md | 1 + .../hello-hybrid-key-trust-devreg.md | 1 + .../hello-hybrid-key-trust-dirsync.md | 1 + .../hello-hybrid-key-trust-prereqs.md | 5 +++-- .../hello-for-business/hello-hybrid-key-trust.md | 1 + .../hello-hybrid-key-whfb-provision.md | 1 + .../hello-hybrid-key-whfb-settings-ad.md | 1 + .../hello-hybrid-key-whfb-settings-dir-sync.md | 1 + .../hello-hybrid-key-whfb-settings-pki.md | 1 + .../hello-hybrid-key-whfb-settings-policy.md | 15 ++++++++------- 25 files changed, 50 insertions(+), 24 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 609a2a0954..bb2aa67448 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. @@ -48,7 +49,7 @@ For more information read [how provisioning works](hello-how-it-works-provisioni ### Authentication -With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. +With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 13246cec6f..f8b221e861 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 - Azure Active Directory joined - Hybrid Deployment - Key trust model @@ -50,7 +51,7 @@ You can use the **dsregcmd.exe** command to determine if your device is register ### CRL Distribution Point (CDP) -Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid. +Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid. ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) @@ -75,7 +76,7 @@ Certificate authorities write CRL distribution points in certificates as they ar #### Why does Windows need to validate the domain controller certificate? -Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. @@ -315,7 +316,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] - > The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. + > The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. 9. Select the appropriate configuration for the following settings: * **Lowercase letters in PIN** @@ -325,7 +326,7 @@ Sign-in a workstation with access equivalent to a _domain user_. * **Remember PIN history** > [!NOTE] - > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. + > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. 10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. 11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index e4ada9da90..3015f1321f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -20,7 +20,9 @@ ms.reviewer: # Using Certificates for AADJ On-premises Single-sign On **Applies to:** + - Windows 10 +- Windows 11 - Azure Active Directory joined - Hybrid Deployment - Certificate trust @@ -205,7 +207,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. +During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 4eed2e7435..cb23b1e6a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 - Azure Active Directory joined - Hybrid deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 00aa120b98..c9afa19802 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -1,6 +1,6 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) -description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust depoyments rely on. +description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 ms.mktglfcycl: deploy @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 9e100bc146..f4b0f9a22f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust @@ -147,7 +148,7 @@ The above PSH creates the following objects: ![Device Registration.](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory -If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS +If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS 1. Open Windows PowerShell and execute the following: `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` @@ -169,7 +170,7 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. -The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. +The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. ### Prepare AD for Device Write Back To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 28ff8d49c6..228747d35b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust @@ -56,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning
## Public Key Infrastructure ## -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller. Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index 4de8c1ff50..9cd1d4350b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 35bd16ed3e..f1dc22e50f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index eeb5ed60a9..2a261013b9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 880a1fa1cc..398d31c3d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index b835c4fad1..0c1a2514f6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate Trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 98cb3003ec..b9a791e77a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -22,6 +22,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid Deployment - Certificate Trust @@ -164,7 +165,7 @@ Sign-in to a certificate authority or management workstation with *Domain Admin* ### Creating Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it. +During Windows Hello for Business provisioning, a Windows client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it. Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 9ddd57ccd7..ba312d832b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -20,14 +20,15 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust ## Policy Configuration -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. +You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. @@ -161,9 +162,9 @@ The default Windows Hello for Business enables users to enroll and use biometric ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: * Require digits * Require lowercase letters * Maximum PIN length diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 73d00fcc58..a56e989ba6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index a72c7e9f5e..bb3de61241 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 741d1cd8fc..713fcd89a5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index a74ecbe0cb..5acfb06f68 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index b245d6282d..95442ae6dd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust @@ -31,7 +32,7 @@ The distributed systems on which these technologies were built involved several * [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation-with-azure) -* [MultiFactor Authentication](#multifactor-authentication) +* [Multifactor authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories @@ -61,7 +62,7 @@ Review these requirements and those from the Windows Hello for Business planning
## Public Key Infrastructure -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller. Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index d8a1b0a961..93903312e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index e60e0b15f0..8d412b86f0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index c34af8b4ca..0f8a916c18 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index b5a7d75097..28f3658a43 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 11ea807b5c..bc2ae4f46c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -22,6 +22,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid Deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 4e90347c72..3cdd96f898 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -20,20 +20,21 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust ## Policy Configuration -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. +You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate. -Hybrid Azure AD joined devices needs one Group Policy settings: +Hybrid Azure AD joined devices needs one Group Policy setting: * Enable Windows Hello for Business ### Configure Domain Controllers for Automatic Certificate Enrollment @@ -75,7 +76,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory > [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources) #### Enable Windows Hello for Business @@ -139,12 +140,12 @@ The default Windows Hello for Business enables users to enroll and use biometric ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. >[!IMPORTANT] -> Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. +> Starting from Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor. -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: * Require digits * Require lowercase letters * Maximum PIN length From 59f9c804e7f86766ef7a44d0c1777476f7af1e16 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 11:43:47 +0530 Subject: [PATCH 12/81] 5358700- Batch 03- Windows 11 Update WINDOWS: Hello for Business update for W11- Batch03 --- .../hello-for-business/WebAuthnAPIs.md | 18 +++++++++--------- .../hello-hybrid-key-whfb-settings.md | 1 + .../hello-identity-verification.md | 4 ++-- .../hello-for-business/hello-key-trust-adfs.md | 1 + .../hello-key-trust-policy-settings.md | 11 ++++++----- .../hello-key-trust-validate-ad-prereq.md | 1 + .../hello-key-trust-validate-deploy-mfa.md | 5 +++-- .../hello-key-trust-validate-pki.md | 3 ++- .../hello-manage-in-organization.md | 3 ++- .../hello-for-business/hello-overview.md | 7 ++++--- .../hello-for-business/hello-planning-guide.md | 9 +++++---- .../hello-prepare-people-to-use.md | 3 ++- .../hello-for-business/hello-videos.md | 3 ++- .../hello-why-pin-is-better-than-password.md | 3 ++- .../microsoft-compatible-security-key.md | 2 +- .../passwordless-strategy.md | 8 ++++---- .../hello-for-business/reset-security-key.md | 6 +++--- 17 files changed, 50 insertions(+), 38 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md index 9d0f10190e..46ae044e8f 100644 --- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md +++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md @@ -15,31 +15,31 @@ localizationpriority: medium ms.date: 02/15/2019 ms.reviewer: --- -# WebAuthn APIs for password-less authentication on Windows 10 +# WebAuthn APIs for password-less authentication on Windows -### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can leverage password-less authentication. +### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication. Microsoft has long been a proponent to do away with passwords. While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs! -These APIs allow Microsoft developer partners and the developer community to leverage Windows Hello and FIDO2 security keys -as a password-less authentication mechanism for their applications on Windows 10 devices. +These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys +as a password-less authentication mechanism for their applications on Windows devices. #### What does this mean? -This opens opportunities for developers or relying parties (RPs) to enable password-less authentication. -They can now leverage [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) +This opens opportunities for developers or relying parties (RPs') to enable password-less authentication. +They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) as a password-less multi-factor credential for authentication.
Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication - and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs site! + and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site!

The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later and latest versions of other browsers.

Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users. - Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC and BLE + Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE without having to deal with the interaction and management overhead. -This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging. +This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging. #### Where can developers learn more? The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 72ae9b3df4..b4a6ed10da 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index ddb05b73ac..3660d85201 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -24,10 +24,10 @@ This article lists the infrastructure requirements for the different deployment ## Cloud Only Deployment -* Windows 10, version 1511 or later +* Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account * Azure Active Directory -* Azure AD Multi-Factor Authentication +* Azure AD Multifactor Authentication * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 4e83f31ec3..2a99ae368d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 8042bad1d8..2999718adb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -20,12 +20,13 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. +You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. @@ -35,7 +36,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows. ## Create the Windows Hello for Business Group Policy object @@ -92,9 +93,9 @@ The default Windows Hello for Business enables users to enroll and use biometric ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: * Require digits * Require lowercase letters * Maximum PIN length diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index c2c52074f8..8c65b3943f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 90a492218c..349b328807 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -16,14 +16,15 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Deploy Multi-factor Authentication (MFA) +# Validate and Deploy Multifactor Authentication (MFA) > [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 08e787ef60..5b864cd36b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust @@ -114,7 +115,7 @@ The certificate template is configured to supersede all the certificate template ### Configure an Internal Web Server Certificate template -Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. +Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index ab8e875aaa..5c7129efd6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Hello in your organization (Windows 10) +title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 ms.reviewer: @@ -22,6 +22,7 @@ ms.date: 1/20/2021 **Applies to** - Windows 10 +- Windows 11 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 1a2b17c308..cd38c11105 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,7 +1,7 @@ --- -title: Windows Hello for Business Overview (Windows 10) +title: Windows Hello for Business Overview (Windows) ms.reviewer: An overview of Windows Hello for Business -description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10. +description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy @@ -20,6 +20,7 @@ localizationpriority: medium **Applies to** - Windows 10 +- Windows 11 In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. @@ -47,7 +48,7 @@ As an administrator in an enterprise or educational organization, you can create Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials. - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. +- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11. Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 9bec345719..617be85699 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. @@ -145,9 +146,9 @@ Modern management is an emerging device management paradigm that leverages the c ### Client -Windows Hello for Business is an exclusive Windows 10 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows 10 and introduced support for new scenarios. +Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios. -Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update. +Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update. ### Active Directory @@ -156,7 +157,7 @@ Hybrid and on-premises deployments include Active Directory as part of their inf ### Public Key Infrastructure -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. ### Cloud @@ -267,7 +268,7 @@ If you use modern management for both domain and non-domain joined devices, writ ### Client -Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions. +Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions. If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index e7d6a0cea8..bf0a6af0ea 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,5 +1,5 @@ --- -title: Prepare people to use Windows Hello (Windows 10) +title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B ms.reviewer: @@ -22,6 +22,7 @@ ms.date: 08/19/2018 **Applies to** - Windows 10 +- Windows 11 When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index c53586ff18..0f47042799 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Videos -description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10. +description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 ms.mktglfcycl: deploy @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 ## Overview of Windows Hello for Business and Features diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index d74bd61baa..738db8c9bd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -1,5 +1,5 @@ --- -title: Why a PIN is better than a password (Windows 10) +title: Why a PIN is better than a password (Windows) description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 ms.reviewer: @@ -23,6 +23,7 @@ ms.date: 10/23/2017 **Applies to** - Windows 10 +- Windows 11 Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index a17d30b55f..73aab32a55 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -1,6 +1,6 @@ --- title: Microsoft-compatible security key -description: Learn how a Microsoft-compatible security key for Windows 10 is different (and better) than any other FIDO2 security key. +description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. keywords: FIDO2, security key, CTAP, Hello, WHFB ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2b1c101fc0..f7bb6e7722 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,6 +1,6 @@ --- title: Passwordless Strategy -description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10. +description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 ms.mktglfcycl: deploy @@ -25,7 +25,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering -Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. +Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. @@ -38,7 +38,7 @@ Once the user-visible password surface has been eliminated, your organization ca - the users never change their password - the users do not know their password -In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. +In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. @@ -139,7 +139,7 @@ The journey to password freedom is to take each work persona through each step o After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. ### Passwordless replacement offering (Step 1) -The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. +The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index 732dff8677..92a7af375c 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md @@ -1,6 +1,6 @@ --- title: Reset-security-key -description: Windows�10 enables users to sign in to their device using a security key. How to reset a security key +description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key keywords: FIDO2, security key, CTAP, Microsoft-compatible security key ms.prod: w10 ms.mktglfcycl: deploy @@ -24,14 +24,14 @@ ms.reviewer: >This operation will wipe everything from your security key and reset it to factory defaults.
**All data and credentials will be cleared.** -A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ). +A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app (Settings > Accounts > Sign-in options > Security key).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below: |Security key manufacturer
| Reset instructions
| | --- | --- | -|Yubico | **USB:** Remove and re-insert the security key. When the LED on the security key begins flashing, touch the metal contact
**NFC:** Tap the security key on the reader
| +|Yubico | **USB:** Remove and reinsert the security key. When the LED on the security key begins flashing, touch the metal contact
**NFC:** Tap the security key on the reader
| |Feitian | Touch the blinking fingerprint sensor twice to reset the key| |HID | Tap the card on the reader twice to reset it | From 75c3b4675b176c1571d7469aebeba27b4c893b52 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 14:15:17 +0530 Subject: [PATCH 13/81] Fixing Suggestions Suggestions such as alt text, duplicated h1s and h2s, duplicated descriptions etc --- .../hello-for-business/hello-cert-trust-adfs.md | 8 ++++---- .../hello-cert-trust-policy-settings.md | 3 ++- .../hello-cert-trust-validate-ad-prereq.md | 3 ++- .../hello-for-business/hello-cert-trust-validate-pki.md | 3 ++- .../hello-for-business/hello-how-it-works-provisioning.md | 2 +- .../hello-for-business/retired/hello-how-it-works.md | 2 +- 6 files changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 4f4f37b876..d26226c8e4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,6 +1,6 @@ --- -title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business) -description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. +title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) +description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy @@ -124,7 +124,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 8. Click **Next** on the **Active Directory Federation Service** page. 9. Click **Install** to start the role installation. -## Review +## Review & validate Before you continue with the deployment, validate your deployment progress by reviewing the following items: @@ -266,7 +266,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th 3. In the details pane, click **Configure Device Registration**. 4. In the **Configure Device Registration** dialog, click **OK**. -## Review +## Review to validate Before you continue with the deployment, validate your deployment progress by reviewing the following items: * Confirm you followed the correct procedures based on the domain controllers used in your deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 3ce38ae8f6..4f529da2a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -16,9 +16,10 @@ localizationpriority: medium ms.date: 08/20/2018 ms.reviewer: --- -# Configure Windows Hello for Business Policy settings +# Configure Windows Hello for Business Policy settings - Certificate Trust **Applies to** + - Windows 10, version 1703 or later - Windows 11 - On-premises deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index d62bda3427..f468cbe23f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -16,9 +16,10 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate Active Directory prerequisites +# Validate Active Directory prerequisites for cert-trust deployment **Applies to** + - Windows 10, version 1703 or later - Windows 11 - On-premises deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index d84ad9c32f..2f2d3bcf5b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -16,9 +16,10 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Configure Public Key Infrastructure +# Validate and Configure Public Key Infrastructure - Certificate Trust Model **Applies to** + - Windows 10, version 1703 or later - Windows 11 - On-premises deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 90f0880e9b..9e1ddf66b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -49,7 +49,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment -![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png) +![Azure AD joined provisioning in Managed environment.](images/howitworks/prov-aadj-federated.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 2b44b1c81f..d90093aab8 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -13,7 +13,7 @@ ms.reviewer: manager: dansimp ms.topic: article --- -# How Windows Hello for Business works +# How Windows Hello for Business works in Windows devices **Applies to** From 93b77fca971d73b76d5df146ada3835a09ffbc77 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 14:19:32 +0530 Subject: [PATCH 14/81] Fixing suggestion --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index d26226c8e4..958d349b3e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 01/14/2021 ms.reviewer: --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust **Applies to** From df3287c25480e2724463619a06f7f8007d8d12eb Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 14:57:38 +0530 Subject: [PATCH 15/81] Updated1to20 --- ...duction-devices-to-the-membership-group-for-a-zone.md | 7 ++++--- ...dd-test-devices-to-the-membership-group-for-a-zone.md | 7 ++++--- ...gpo-template-files-for-settings-used-in-this-guide.md | 7 ++++--- .../assign-security-group-filters-to-the-gpo.md | 7 ++++--- .../windows-firewall/basic-firewall-policy-design.md | 9 +++++---- .../windows-firewall/best-practices-configuring.md | 5 +++-- .../windows-firewall/boundary-zone-gpos.md | 7 ++++--- .../threat-protection/windows-firewall/boundary-zone.md | 7 ++++--- .../certificate-based-isolation-policy-design-example.md | 7 ++++--- .../certificate-based-isolation-policy-design.md | 7 ++++--- .../change-rules-from-request-to-require-mode.md | 7 ++++--- .../checklist-configuring-basic-firewall-settings.md | 7 ++++--- ...list-configuring-rules-for-an-isolated-server-zone.md | 7 ++++--- ...s-for-servers-in-a-standalone-isolated-server-zone.md | 7 ++++--- .../checklist-configuring-rules-for-the-boundary-zone.md | 7 ++++--- ...hecklist-configuring-rules-for-the-encryption-zone.md | 7 ++++--- ...hecklist-configuring-rules-for-the-isolated-domain.md | 7 ++++--- .../checklist-creating-group-policy-objects.md | 9 +++++---- .../checklist-creating-inbound-firewall-rules.md | 7 ++++--- .../checklist-creating-outbound-firewall-rules.md | 7 ++++--- 20 files changed, 81 insertions(+), 61 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 9995f497a4..22c00f87cc 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -1,5 +1,5 @@ --- -title: Add Production Devices to the Membership Group for a Zone (Windows 10) +title: Add Production Devices to the Membership Group for a Zone (Windows) description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 30d809e60c..14eaf54184 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -1,5 +1,5 @@ --- -title: Add Test Devices to the Membership Group for a Zone (Windows 10) +title: Add Test Devices to the Membership Group for a Zone (Windows) description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 0345da06fe..7a8c114351 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -1,5 +1,5 @@ --- -title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) +title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows) description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 08a9798526..2fe271c315 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -1,5 +1,5 @@ --- -title: Assign Security Group Filters to the GPO (Windows 10) +title: Assign Security Group Filters to the GPO (Windows) description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2019 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 76378c3a0f..0eda99ff36 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design (Windows 10) +title: Basic Firewall Policy Design (Windows) description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: @@ -20,8 +20,9 @@ ms.technology: mde # Basic Firewall Policy Design **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. @@ -37,7 +38,7 @@ Many network administrators do not want to tackle the difficult task of determin For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. -- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. +- For other standard network behavior, the predefined rules that are built into Windows 11, Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 5819f886fd..fde3e3850b 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -20,9 +20,10 @@ ms.technology: mde **Applies to** -- Windows operating systems including Windows 10 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -- Windows Server Operating Systems Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 50e2f66e16..d17a0d6cac 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -1,5 +1,5 @@ --- -title: Boundary Zone GPOs (Windows 10) +title: Boundary Zone GPOs (Windows) description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 37d7edb647..95c9a26f95 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -1,5 +1,5 @@ --- -title: Boundary Zone (Windows 10) +title: Boundary Zone (Windows) description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 1b369d6c5e..be336a726b 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Certificate-based Isolation Policy Design Example (Windows 10) +title: Certificate-based Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 7c427d50e7..a59ba99025 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Certificate-based Isolation Policy Design (Windows 10) +title: Certificate-based Isolation Policy Design (Windows) description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index cbea6cabc0..eb09b78b9f 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -1,5 +1,5 @@ --- -title: Change Rules from Request to Require Mode (Windows 10) +title: Change Rules from Request to Require Mode (Windows) description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index a3164b6f45..ec2429b56d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Basic Firewall Settings (Windows 10) +title: Checklist Configuring Basic Firewall Settings (Windows) description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 2ecb358ade..5e8cd7d149 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) +title: Checklist Configuring Rules for an Isolated Server Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index c07a12c977..c464183424 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) +title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index e10ef7fc18..2a908f4267 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Boundary Zone (Windows 10) +title: Checklist Configuring Rules for the Boundary Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 180c4f2168..fc6329d478 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Encryption Zone (Windows 10) +title: Checklist Configuring Rules for the Encryption Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 2bccefd09c..2a0fe73601 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Isolated Domain (Windows 10) +title: Checklist Configuring Rules for the Isolated Domain (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index d2ba4b5a27..b5113224e7 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Group Policy Objects (Windows 10) +title: Checklist Creating Group Policy Objects (Windows) description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. @@ -30,7 +31,7 @@ The checklists for firewall, domain isolation, and server isolation include a li ## About membership groups -For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. ## About exclusion groups diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index 834016bd7b..53822035a9 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Inbound Firewall Rules (Windows 10) +title: Checklist Creating Inbound Firewall Rules (Windows) description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index b20cb735f9..445f1e1eda 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Outbound Firewall Rules (Windows 10) +title: Checklist Creating Outbound Firewall Rules (Windows) description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for creating outbound firewall rules in your GPOs. From 4806cb632265c3ce55fce426d295181690ff9bfa Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 15:31:02 +0530 Subject: [PATCH 16/81] Fixing Suggestions Suggestions such as alt text, duplicated h1s and h2s, duplicated descriptions etc --- .../hello-hybrid-aadj-sso-cert.md | 18 +++++----- .../hello-hybrid-cert-trust-devreg.md | 34 ++++++++++++------- ...ello-hybrid-cert-whfb-settings-dir-sync.md | 2 +- .../hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 5 files changed, 34 insertions(+), 24 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 3015f1321f..6cca936be0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -47,7 +47,7 @@ You need to install and configure additional infrastructure to provide Azure AD - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role -### High Availaibilty +### High Availability The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -416,11 +416,11 @@ Sign-in a workstation with access equivalent to a _domain user_. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. - ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png) + ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png) 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. - ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png) + ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png) 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. - ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png) + ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png) 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group @@ -480,12 +480,12 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. - ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png) + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) 3. Click **Bindings...*** under **Actions**. Click **Add**. - ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png) + ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png) 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. - ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png) + ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png) 6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. 8. Close **Internet Information Services (IIS) Manager**. @@ -511,10 +511,10 @@ Sign-in the NDES server with access equivalent to _local administrator_. A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. -![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png) +![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) Confirm the web site uses the server authentication certificate. -![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png) +![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index f4b0f9a22f..387a5f1ded 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -115,14 +115,14 @@ When you are ready to install, follow the **Configuring federation with AD FS** ### Create AD objects for AD FS Device Authentication If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. -![Device Registration.](images/hybridct/device1.png) +![Device Registration: AD FS](images/hybridct/device1.png) > [!NOTE] > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. -![Device Registration.](images/hybridct/device2.png) +![Device Registration: Overview](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: @@ -133,7 +133,7 @@ If your AD FS farm is not already configured for Device Authentication (you can > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration.](images/hybridct/device3.png) +![Device Registration: Domain](images/hybridct/device3.png) The above PSH creates the following objects: @@ -141,11 +141,11 @@ The above PSH creates the following objects: - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration -![Device Registration.](images/hybridct/device4.png) +![Device Registration: Tests](images/hybridct/device4.png) 4. Once this is done, you will see a successful completion message. -![Device Registration.](images/hybridct/device5.png) +![Device Registration: Completion](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS @@ -156,13 +156,13 @@ If you plan to use Windows domain join (with automatic registration to Azure AD) > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep -![Device Registration.](images/hybridct/device6.png) +![Device Registration AdPrep](images/hybridct/device6.png) 2. Provide your Azure AD global administrator credentials `PS C:>$aadAdminCred = Get-Credential` -![Device Registration.](images/hybridct/device7.png) +![Device Registration: Credential](images/hybridct/device7.png) 3. Run the following PowerShell command @@ -239,6 +239,7 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: +``` @RuleName = "Issue account type for domain-joined computers" c:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -249,11 +250,13 @@ The definition helps you to verify whether the values are present or if you need Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ" ); +``` #### Issue objectGUID of the computer account on-premises **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: +``` @RuleName = "Issue object GUID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -271,11 +274,13 @@ The definition helps you to verify whether the values are present or if you need query = ";objectguid;{0}", param = c2.Value ); +``` #### Issue objectSID of the computer account on-premises **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: +``` @RuleName = "Issue objectSID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -288,11 +293,13 @@ The definition helps you to verify whether the values are present or if you need Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(claim = c2); +``` #### Issue issuerID for computer when multiple verified domain names in Azure AD **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. +``` @RuleName = "Issue account type with the value User when it is not a computer" NOT EXISTS( @@ -334,7 +341,7 @@ The definition helps you to verify whether the values are present or if you need Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http:///adfs/services/trust/" ); - +``` In the claim above, @@ -342,12 +349,13 @@ In the claim above, - `` is a placeholder you need to replace with one of your verified domain names in Azure AD For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](/azure/active-directory/active-directory-add-domain). -To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. +To get a list of your verified company domains, you can use the [Get-MsolDomain](/powershell/module/msonline/get-msoldomain?view=azureadps-1.0&preserve-view=true) cmdlet. #### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: +``` @RuleName = "Issue ImmutableID for computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -365,11 +373,13 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] query = ";objectguid;{0}", param = c2.Value ); +``` #### Helper script to create the AD FS issuance transform rules The following script helps you with the creation of the issuance transform rules described above. +``` $multipleVerifiedDomainNames = $false $immutableIDAlreadyIssuedforUsers = $false $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains @@ -488,9 +498,9 @@ The following script helps you with the creation of the issuance transform rules $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString +``` - -#### Remarks +#### Remarks - This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. @@ -518,7 +528,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration.](images/hybridct/device8.png) +![Device Registration: Container](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 0c1a2514f6..c48e5ae621 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -17,7 +17,7 @@ ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization +# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index b9a791e77a..1cc5c20c10 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -17,7 +17,7 @@ ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure +# Configure Hybrid Azure AD joined Windows Hello for Busines - Public Key Infrastructure **Applies to** diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index ba312d832b..519afac582 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy +# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy **Applies to** - Windows 10, version 1703 or later From 7b1c74167ad58537ee7fa60b34eea710de6e4223 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 15:40:15 +0530 Subject: [PATCH 17/81] Fixing suggestion --- .../hello-for-business/hello-how-it-works.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index bb2aa67448..657611e55f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -15,7 +15,7 @@ localizationpriority: medium ms.date: 05/05/2018 ms.reviewer: --- -# How Windows Hello for Business works +# How Windows Hello for Business works in Windows Devices **Applies to** @@ -35,7 +35,7 @@ Windows Hello for Business is a distributed system that uses several components Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). -For more information read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works). +For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works). ### Provisioning @@ -45,7 +45,7 @@ Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business pr > [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] -For more information read [how provisioning works](hello-how-it-works-provisioning.md). +For more information, read [how provisioning works](hello-how-it-works-provisioning.md). ### Authentication From c4129b9364a4c42a79bd0c53ff971c919cd91220 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 15:45:41 +0530 Subject: [PATCH 18/81] Fixing Suggestion --- .../hello-for-business/hello-key-trust-adfs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 2a99ae368d..bd85292e3b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -102,7 +102,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 8. Click **Next** on the **Active Directory Federation Service** page. 9. Click **Install** to start the role installation. -## Review +## Review to validate Before you continue with the deployment, validate your deployment progress by reviewing the following items: * Confirm the AD FS farm uses the correct database configuration. @@ -214,7 +214,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th 3. In the details pane, click **Configure Device Registration**. 4. In the **Configure Device Registration** dialog, click **OK**. -## Review +## Review and validate Before you continue with the deployment, validate your deployment progress by reviewing the following items: * Confirm you followed the correct procedures based on the domain controllers used in your deployment From 409d8ca8217c126862636ba5d72ae8f3b3e40663 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 15:54:33 +0530 Subject: [PATCH 19/81] Fixing suggestions --- .../hello-for-business/hello-key-trust-adfs.md | 2 +- .../hello-for-business/hello-key-trust-policy-settings.md | 2 +- .../hello-for-business/hello-key-trust-validate-ad-prereq.md | 2 +- .../hello-for-business/hello-key-trust-validate-pki.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index bd85292e3b..7423caec53 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 2999718adb..116c9ba6ab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Configure Windows Hello for Business Policy settings +# Configure Windows Hello for Business Policy settings - Key Trust **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 8c65b3943f..943e611e93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate Active Directory prerequisites +# Validate Active Directory prerequisites - Key Trust **Applies to** - Windows 10, version 1703 or later diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5b864cd36b..d4e87e620e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -17,7 +17,7 @@ ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Configure Public Key Infrastructure +# Validate and Configure Public Key Infrastructure - Key Trust **Applies to** - Windows 10, version 1703 or later From e083dd5e3b756f7fa23d0577927ccbd64b12348f Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 16:13:18 +0530 Subject: [PATCH 20/81] Updated boundary-zone.md --- .../windows-firewall/boundary-zone.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 95c9a26f95..a78415035a 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -25,13 +25,13 @@ ms.technology: mde - Windows 11 - Windows Server 2016 and above -In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. +In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. -The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. +The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. -Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. +These boundary zone devices receive unsolicited inbound communications from untrusted devices that use plaintext. Therefore, they must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. ![design flowchart.](images/wfas-designflowchart1.gif) @@ -39,7 +39,7 @@ The goal of this process is to determine whether the risk of adding a device to You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. -Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group. ## GPO settings for boundary zone servers running at least Windows Server 2008 @@ -50,13 +50,13 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i 1. Exempt all ICMP traffic from IPsec. - 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.. + 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method. - The following connection security rules: From ff1c9264915abab0b1cdca2d80b3d41693813d15 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 17:56:45 +0530 Subject: [PATCH 21/81] Updated 21to40 files --- ...s-for-clients-of-a-standalone-isolated-server-zone.md | 7 ++++--- ...cklist-implementing-a-basic-firewall-policy-design.md | 9 +++++---- ...enting-a-certificate-based-isolation-policy-design.md | 7 ++++--- ...list-implementing-a-domain-isolation-policy-design.md | 7 ++++--- ...enting-a-standalone-server-isolation-policy-design.md | 7 ++++--- .../windows-firewall/configure-authentication-methods.md | 7 ++++--- .../configure-data-protection-quick-mode-settings.md | 7 ++++--- ...group-policy-to-autoenroll-and-deploy-certificates.md | 7 ++++--- .../configure-key-exchange-main-mode-settings.md | 7 ++++--- .../configure-the-rules-to-require-encryption.md | 4 ++-- .../configure-the-windows-firewall-log.md | 7 ++++--- ...he-workstation-authentication-certificate-template.md | 7 ++++--- ...o-suppress-notifications-when-a-program-is-blocked.md | 7 ++++--- .../confirm-that-certificates-are-deployed-correctly.md | 7 ++++--- .../windows-firewall/copy-a-gpo-to-create-a-new-gpo.md | 9 +++++---- .../create-a-group-account-in-active-directory.md | 7 ++++--- .../windows-firewall/create-a-group-policy-object.md | 7 ++++--- .../create-an-authentication-exemption-list-rule.md | 7 ++++--- .../create-an-authentication-request-rule.md | 7 ++++--- .../windows-firewall/create-an-inbound-icmp-rule.md | 7 ++++--- 20 files changed, 80 insertions(+), 61 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 4a4c525867..d57f7d5a5d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Create Rules for Standalone Isolated Server Zone Clients (Windows 10) +title: Create Rules for Standalone Isolated Server Zone Clients (Windows) description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 1aa6060a8c..1d50c40f3d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) +title: Checklist Implementing a Basic Firewall Policy Design (Windows) description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -35,7 +36,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co | Task | Reference | | - | - | | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 52c11e99ed..1166334bca 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) +title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows) description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 1261adcbb9..cf988d2a7d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) +title: Checklist Implementing a Domain Isolation Policy Design (Windows) description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 1d53748cc1..b571f7dce4 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) +title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index e6fd6b4090..1841e7d9f5 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -1,5 +1,5 @@ --- -title: Configure Authentication Methods (Windows 10) +title: Configure Authentication Methods (Windows) description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 41b2b78f6c..2ef49bcb9e 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Data Protection (Quick Mode) Settings (Windows 10) +title: Configure Data Protection (Quick Mode) Settings (Windows) description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index cfc3364fe7..064de062cf 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -1,5 +1,5 @@ --- -title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) +title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows) description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index f1b75a3291..3164f07dea 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Key Exchange (Main Mode) Settings (Windows 10) +title: Configure Key Exchange (Main Mode) Settings (Windows) description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index 561ea0f380..e3d4f8f8b6 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -1,5 +1,5 @@ --- -title: Configure the Rules to Require Encryption (Windows 10) +title: Configure the Rules to Require Encryption (Windows) description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption. ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 4c82249ccd..a4a7b01573 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -1,5 +1,5 @@ --- -title: Configure the Windows Defender Firewall Log (Windows 10) +title: Configure the Windows Defender Firewall Log (Windows) description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 7ff2117797..58fdd2dd8a 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -1,5 +1,5 @@ --- -title: Configure the Workstation Authentication Template (Windows 10) +title: Configure the Workstation Authentication Template (Windows) description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 ms.reviewer: @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 07/30/2018 +ms.date: 09/07/2021 ms.technology: mde --- @@ -19,7 +19,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 200675b11a..ee29ef81e8 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10) +title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows) description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index 8af8ad2d89..6e1c2f5c0b 100644 --- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -1,5 +1,5 @@ --- -title: Confirm That Certificates Are Deployed Correctly (Windows 10) +title: Confirm That Certificates Are Deployed Correctly (Windows) description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations. ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 4020fab006..ac157cc912 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -1,5 +1,5 @@ --- -title: Copy a GPO to Create a New GPO (Windows 10) +title: Copy a GPO to Create a New GPO (Windows) description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. @@ -56,4 +57,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index 3511ad7f7f..844bf1db69 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -1,5 +1,5 @@ --- -title: Create a Group Account in Active Directory (Windows 10) +title: Create a Group Account in Active Directory (Windows) description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console. ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index e6e1e18867..b7b3944df5 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -1,5 +1,5 @@ --- -title: Create a Group Policy Object (Windows 10) +title: Create a Group Policy Object (Windows) description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index 35cb8d066a..c28612d61c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Authentication Exemption List Rule (Windows 10) +title: Create an Authentication Exemption List Rule (Windows) description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies. ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 43156e1bc5..b3a12b2ba9 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Authentication Request Rule (Windows 10) +title: Create an Authentication Request Rule (Windows) description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index c56953f28c..53f49581bd 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound ICMP Rule (Windows 10) +title: Create an Inbound ICMP Rule (Windows) description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. From 8bc88fb4d5e00c7dfd4dfc674e01e3bcb617bff5 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Tue, 7 Sep 2021 12:23:18 -0700 Subject: [PATCH 22/81] Update configure-md-app-guard.md --- .../configure-md-app-guard.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index d2ee8b1f7a..48f214f758 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -54,10 +54,11 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |-----------|------------------|-----------|-------| |Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| |Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| From 10c89c2930e50cd9cf288ace3d2d038392a35cc5 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 11:38:28 +0530 Subject: [PATCH 23/81] Updated 41 to 60 --- .../windows-firewall/create-an-inbound-port-rule.md | 7 ++++--- .../create-an-inbound-program-or-service-rule.md | 7 ++++--- .../create-an-outbound-port-rule.md | 7 ++++--- .../create-an-outbound-program-or-service-rule.md | 7 ++++--- .../create-inbound-rules-to-support-rpc.md | 7 ++++--- .../create-windows-firewall-rules-in-intune.md | 8 +++++--- .../create-wmi-filters-for-the-gpo.md | 13 +++++++------ ...dows-firewall-with-advanced-security-strategy.md | 7 ++++--- ...determining-the-trusted-state-of-your-devices.md | 7 ++++--- .../windows-firewall/documenting-the-zones.md | 7 ++++--- .../domain-isolation-policy-design-example.md | 7 ++++--- .../domain-isolation-policy-design.md | 7 ++++--- .../enable-predefined-inbound-rules.md | 7 ++++--- .../enable-predefined-outbound-rules.md | 7 ++++--- .../windows-firewall/encryption-zone-gpos.md | 7 ++++--- .../windows-firewall/encryption-zone.md | 7 ++++--- ...rewall-with-advanced-security-design-examples.md | 7 ++++--- .../exempt-icmp-from-authentication.md | 7 ++++--- .../windows-firewall/exemption-list.md | 7 ++++--- .../windows-firewall/firewall-gpos.md | 7 ++++--- 20 files changed, 84 insertions(+), 63 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 05df6a67cc..452b942ae5 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound Port Rule (Windows 10) +title: Create an Inbound Port Rule (Windows) description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index bd01350eee..c3db4fccfa 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound Program or Service Rule (Windows 10) +title: Create an Inbound Program or Service Rule (Windows) description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index a463162a4d..ebce547b94 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Outbound Port Rule (Windows 10) +title: Create an Outbound Port Rule (Windows) description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index fe0b68eb1d..d3c40f879a 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Outbound Program or Service Rule (Windows 10) +title: Create an Outbound Program or Service Rule (Windows) description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 59cb4d71cb..07e8a14728 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -1,5 +1,5 @@ --- -title: Create Inbound Rules to Support RPC (Windows 10) +title: Create Inbound Rules to Support RPC (Windows) description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 479b2e67af..587339f4f2 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -1,5 +1,5 @@ --- -title: Create Windows Firewall rules in Intune (Windows 10) +title: Create Windows Firewall rules in Intune (Windows) description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: @@ -21,12 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!IMPORTANT] >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. To get started, open Device Configuration in Intune, then create a new profile. -Choose Windows 10 as the platform, and Endpoint Protection as the profile type. +Choose Windows 10 or Windows 11 as the platform, and Endpoint Protection as the profile type. Select Windows Defender Firewall. ![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png) @@ -35,7 +37,7 @@ Select Windows Defender Firewall. ## Firewall rule components -The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). +The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). ## Application Control connections for an app or program. diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 78d50e3732..725f75af51 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -1,5 +1,5 @@ --- -title: Create WMI Filters for the GPO (Windows 10) +title: Create WMI Filters for the GPO (Windows) description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/16/2021 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. @@ -58,13 +59,13 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "6.%" ``` - This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 11, Windows 10, and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: ``` syntax ... where Version like "6.1%" or Version like "6.2%" ``` - To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 and Windows 11 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. The following clause returns **true** for all devices that are not domain controllers: @@ -72,7 +73,7 @@ First, create the WMI filter and configure it to look for a specified version (o ... where ProductType="1" or ProductType="3" ``` - The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system. + The following complete query returns **true** for all devices running Windows 10 and Windows 11, and returns **false** for any server operating system or any other client operating system. ``` syntax select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 68a9281a43..52f4ad1566 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,5 +1,5 @@ --- -title: Designing a Windows Defender Firewall Strategy (Windows 10) +title: Designing a Windows Defender Firewall Strategy (Windows) description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 89fca32581..fe567b13bf 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -1,5 +1,5 @@ --- -title: Determining the Trusted State of Your Devices (Windows 10) +title: Determining the Trusted State of Your Devices (Windows) description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index e8f37ee452..990d2c4fec 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -1,5 +1,5 @@ --- -title: Documenting the Zones (Windows 10) +title: Documenting the Zones (Windows) description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 8f27c49ab5..dffc684c37 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design Example (Windows 10) +title: Domain Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 659827d1c6..6d6e93c035 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design (Windows 10) +title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 0a1b0212b6..e8cd903c18 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Inbound Rules (Windows 10) +title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 28e4f8649e..8a3aa2796f 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Outbound Rules (Windows 10) +title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 9dc32a7f67..c57c92edcd 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone GPOs (Windows 10) +title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 3fba99acba..31176e0204 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone (Windows 10) +title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 2f7a20377f..4aea9e2010 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,5 +1,5 @@ --- -title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 38c6fd67c7..2dfe9fd103 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,5 +1,5 @@ --- -title: Exempt ICMP from Authentication (Windows 10) +title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index b923df309c..e4569e0cf8 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,5 +1,5 @@ --- -title: Exemption List (Windows 10) +title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index faa8a0d788..8482ee05ce 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,5 +1,5 @@ --- -title: Firewall GPOs (Windows 10) +title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. From 871eacc1653bd07c6c8e10cfaeaa99e0ec828a9b Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 14:43:44 +0530 Subject: [PATCH 24/81] Updating 61 to 80 --- .../windows-firewall/firewall-policy-design-example.md | 9 +++++---- ...formation-about-your-active-directory-deployment.md | 7 ++++--- ...mation-about-your-current-network-infrastructure.md | 7 ++++--- .../gathering-information-about-your-devices.md | 7 ++++--- .../gathering-other-relevant-information.md | 7 ++++--- .../gathering-the-information-you-need.md | 7 ++++--- .../windows-firewall/gpo-domiso-boundary.md | 7 ++++--- .../windows-firewall/gpo-domiso-encryption.md | 4 ++-- .../windows-firewall/gpo-domiso-firewall.md | 7 ++++--- .../gpo-domiso-isolateddomain-clients.md | 7 ++++--- .../gpo-domiso-isolateddomain-servers.md | 7 ++++--- ...firewall-with-advanced-security-deployment-goals.md | 9 +++++---- ...dows-firewall-with-advanced-security-design-plan.md | 7 ++++--- .../windows-firewall/isolated-domain-gpos.md | 7 ++++--- .../windows-firewall/isolated-domain.md | 10 +++++----- .../windows-firewall/isolating-apps-on-your-network.md | 9 +++++---- .../windows-firewall/link-the-gpo-to-the-domain.md | 7 ++++--- ...a-windows-firewall-with-advanced-security-design.md | 7 ++++--- ...-apply-to-a-different-zone-or-version-of-windows.md | 7 ++++--- ...olicy-management-console-to-ip-security-policies.md | 7 ++++--- 20 files changed, 82 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 5a6acfea96..85ce84a2a9 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design Example (Windows 10) +title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In this example, the fictitious company Woodgrove Bank is a financial services institution. @@ -67,7 +68,7 @@ Other traffic notes: Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: -- Client devices that run Windows 10, Windows 8, or Windows 7 +- Client devices that run Windows 11, Windows 10, Windows 8, or Windows 7 - WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 35ed36b193..07fea715ef 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Active Directory Deployment (Windows 10) +title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 97aed509bc..08f2987678 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,5 +1,5 @@ --- -title: Gathering Info about Your Network Infrastructure (Windows 10) +title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 1e9b7fee54..c5f34e8ce7 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Devices (Windows 10) +title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index e75e426e2c..a34c386f5c 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,5 +1,5 @@ --- -title: Gathering Other Relevant Information (Windows 10) +title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index fbdf23f73f..aad5e33e18 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,5 +1,5 @@ --- -title: Gathering the Information You Need (Windows 10) +title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index 4ea713f793..3eb3e0fb2b 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Boundary (Windows 10) +title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index 7c81975bea..bf33747880 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10) +title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 ms.reviewer: @@ -14,7 +14,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 7799c8484f..f625255685 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Firewall (Windows 10) +title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index c5c16902b2..ce42bb0dd3 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index a7e5651251..ca3da60412 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 738e348ccd..a3648e301a 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,5 +1,5 @@ --- -title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10) +title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: @@ -14,14 +14,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- # Identifying Windows Defender Firewall with Advanced Security implementation goals **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 265019f489..adb0db7bd9 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,5 +1,5 @@ --- -title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following are important factors in the implementation of your Windows Defender Firewall design plan: diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 878839f37f..72632250e3 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain GPOs (Windows 10) +title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index b9656fd06d..037bf1f77b 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain (Windows 10) +title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e ms.reviewer: @@ -14,16 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- # Isolated Domain **Applies to:** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index bfd7f19f0a..6e2fcee3e3 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -1,5 +1,5 @@ --- -title: Isolating Microsoft Store Apps on Your Network (Windows 10) +title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/13/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. @@ -65,7 +66,7 @@ To isolate Microsoft Store apps on your network, you need to use Group Policy to - The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules. - >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + >**Note:**  You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).   ## Step 1: Define your network diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 7759669531..c50865a29b 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,5 +1,5 @@ --- -title: Link the GPO to the Domain (Windows 10) +title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index ee043c54a0..048875eafd 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10) +title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. > [!IMPORTANT] diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 2f2ec6ad54..037b3a66d6 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,5 +1,5 @@ --- -title: Modify GPO Filters (Windows 10) +title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 7046b6230b..43485b62d6 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -1,5 +1,5 @@ --- -title: Open the Group Policy Management Console to IP Security Policies (Windows 10) +title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). From bd2d5f0f974637aa741d43df98bd5aacc2e91cd0 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 17:14:56 +0530 Subject: [PATCH 25/81] Updated 81 to 100 --- ...console-to-windows-firewall-with-advanced-security.md | 7 ++++--- ...roup-policy-management-console-to-windows-firewall.md | 7 ++++--- .../open-windows-firewall-with-advanced-security.md | 7 ++++--- .../planning-certificate-based-authentication.md | 7 ++++--- .../windows-firewall/planning-domain-isolation-zones.md | 7 ++++--- .../windows-firewall/planning-gpo-deployment.md | 7 ++++--- ...g-group-policy-deployment-for-your-isolation-zones.md | 7 ++++--- .../planning-isolation-groups-for-the-zones.md | 7 ++++--- .../windows-firewall/planning-network-access-groups.md | 7 ++++--- .../windows-firewall/planning-server-isolation-zones.md | 7 ++++--- .../planning-settings-for-a-basic-firewall-policy.md | 7 ++++--- .../windows-firewall/planning-the-gpos.md | 9 +++++---- ...-to-deploy-windows-firewall-with-advanced-security.md | 7 ++++--- ...our-windows-firewall-with-advanced-security-design.md | 7 ++++--- .../windows-firewall/procedures-used-in-this-guide.md | 7 ++++--- .../protect-devices-from-unwanted-network-traffic.md | 7 ++++--- .../threat-protection/windows-firewall/quarantine.md | 2 +- ...ryption-when-accessing-sensitive-network-resources.md | 7 ++++--- ...restrict-access-to-only-specified-users-or-devices.md | 7 ++++--- .../restrict-access-to-only-trusted-devices.md | 7 ++++--- 20 files changed, 78 insertions(+), 59 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 5c3d340ea4..1239f18bf3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10) +title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 2c7d2f500b..a4cba8e7c3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Defender Firewall (Windows 10) +title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To open a GPO to Windows Defender Firewall: diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 1b99cfae07..8dda8bcf96 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Open Windows Defender Firewall with Advanced Security (Windows 10) +title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 0f8b7c455f..2291806174 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,5 +1,5 @@ --- -title: Planning Certificate-based Authentication (Windows 10) +title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index af5214261c..0a5d687d62 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Domain Isolation Zones (Windows 10) +title: Planning Domain Isolation Zones (Windows) description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 0f0993409e..fd986acbbd 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning GPO Deployment (Windows 10) +title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 7899c1c091..47d3282978 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) +title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index c4fff5ce81..6ac5c58afd 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Isolation Groups for the Zones (Windows 10) +title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 57d452edac..d767a7db71 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,5 +1,5 @@ --- -title: Planning Network Access Groups (Windows 10) +title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index a89145ab4a..2a5a06d873 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Server Isolation Zones (Windows 10) +title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index ce989c23c6..e843a202ac 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,5 +1,5 @@ --- -title: Planning Settings for a Basic Firewall Policy (Windows 10) +title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 8bb1208626..67f3121c36 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,5 +1,5 @@ --- -title: Planning the GPOs (Windows 10) +title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. @@ -42,7 +43,7 @@ A few things to consider as you plan the GPOs: - Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. -*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10 and Windows 11. > [!NOTE] > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 7dabf87126..8d60afedaf 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 437bb3fbeb..8459640ec7 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index e301390ef9..305d69aef6 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,5 +1,5 @@ --- -title: Procedures Used in This Guide (Windows 10) +title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 233776996f..f0fc035973 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,5 +1,5 @@ --- -title: Protect devices from unwanted network traffic (Windows 10) +title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index bd087a2124..17ab51f503 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -14,7 +14,7 @@ ms.localizationpriority: normal audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/17/2020 +ms.date: 09/08/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 8fbeb35412..a3963db1f2 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,5 +1,5 @@ --- -title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) +title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 1a7c288575..e546bbf39d 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,5 +1,5 @@ --- -title: Restrict Access to Only Specified Users or Devices (Windows 10) +title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 5285e56ad9..d3d0f94001 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,5 +1,5 @@ --- -title: Restrict access to only trusted devices (Windows 10) +title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. From 880447898133e5cde70b76e82c4d07feb134fe1e Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Wed, 8 Sep 2021 08:26:18 -0400 Subject: [PATCH 26/81] Update event-4776.md Change lowercase c to uppercase C in line with other error codes. --- windows/security/threat-protection/auditing/event-4776.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 75dc6a4a69..3249451c6f 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -116,7 +116,7 @@ This event does *not* generate when a domain account logs on locally to a domain | 0xC0000193 | Account logon with expired account. | | 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. | | 0xC0000234 | Account logon with account locked. | -| 0xc0000371 | The local account store does not contain secret material for the specified account. | +| 0xC0000371 | The local account store does not contain secret material for the specified account. | | 0x0 | No errors. | > Table 1. Winlogon Error Codes. @@ -150,4 +150,4 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | | **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. | | **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | -| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | \ No newline at end of file +| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | From 445cb5de6f4e9afa8cfaaa539c56f6a4b2cb7bb1 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 18:02:50 +0530 Subject: [PATCH 27/81] Updated 101 to 112 --- ...estrict-server-access-to-members-of-a-group-only.md | 7 ++++--- ...ring-end-to-end-ipsec-connections-by-using-ikev2.md | 7 ++++--- .../windows-firewall/server-isolation-gpos.md | 7 ++++--- .../server-isolation-policy-design-example.md | 7 ++++--- .../windows-firewall/server-isolation-policy-design.md | 7 ++++--- ...-windows-firewall-and-configure-default-behavior.md | 7 ++++--- ...s-firewall-with-advanced-security-design-process.md | 4 ++-- .../verify-that-network-traffic-is-authenticated.md | 7 ++++--- ...-security-administration-with-windows-powershell.md | 7 ++++--- ...firewall-with-advanced-security-deployment-guide.md | 7 ++++--- ...ows-firewall-with-advanced-security-design-guide.md | 9 +++++---- .../windows-firewall-with-advanced-security.md | 10 +++++----- 12 files changed, 48 insertions(+), 38 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index a9a24aa516..c0d7282746 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,5 +1,5 @@ --- -title: Restrict Server Access to Members of a Group Only (Windows 10) +title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 8cb2a35d50..aa6d7c5117 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -1,5 +1,5 @@ --- -title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above IKEv2 offers the following: diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index bb23429112..74da744d30 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,5 +1,5 @@ --- -title: Server Isolation GPOs (Windows 10) +title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index a0070cf114..fd8fad7308 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design Example (Windows 10) +title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 7d44e7c17c..3d5d5e9694 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design (Windows 10) +title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index b6a468447e..8f2dd62bfc 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,5 +1,5 @@ --- -title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 6a77eda3f7..6f83b6d42d 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,5 +1,5 @@ --- -title: Understand WFAS Deployment (Windows 10) +title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 113c3c0cc2..633bcb4aed 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,5 +1,5 @@ --- -title: Verify That Network Traffic Is Authenticated (Windows 10) +title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index bf70a3a3b7..c4e919e41a 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 9a3954cc03..8e4af001ae 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10) +title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index e1a438412f..702acc0dcf 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security design guide (Windows 10) +title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/05/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. @@ -87,7 +88,7 @@ The following table identifies and defines terms used throughout this guide. | Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| | Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index e3becc881c..7a9d7305a5 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security (Windows 10) +title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: m365-security ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/21/2020 +ms.date: 09/08/2021 ms.reviewer: ms.custom: asr ms.technology: mde @@ -21,9 +21,9 @@ ms.technology: mde # Windows Defender Firewall with Advanced Security **Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. From 87408d21fafb78e486616e2aac62f0a78aeb5d7b Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Thu, 9 Sep 2021 13:57:32 +0530 Subject: [PATCH 28/81] Updated as per feedback --- .../tpm/initialize-and-configure-ownership-of-the-tpm.md | 6 +++--- .../information-protection/tpm/manage-tpm-lockout.md | 4 ++-- .../security/information-protection/tpm/tpm-fundamentals.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index b309abe563..2cce643c84 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -108,7 +108,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ 7. After the PC restarts, your TPM will be automatically prepared for use by Windows. -## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511) +## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher) Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. @@ -116,7 +116,7 @@ Normally, the TPM is turned on as part of the TPM initialization process. You do If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** +**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** 1. Open the TPM MMC (tpm.msc). @@ -130,7 +130,7 @@ If you want to use the TPM after you have turned it off, you can use the followi If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** +**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** 1. Open the TPM MMC (tpm.msc). diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index 49e541aba5..777005b678 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -40,12 +40,12 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1. -If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 or Windows 11. +If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. ## Reset the TPM lockout by using the TPM MMC > [!NOTE] -> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 or Windows 11. +> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher. The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index faf6827fc3..a1f536f4be 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -135,7 +135,7 @@ Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. -To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. +To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed,Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### TPM-based smart cards From 32c5c896e9cb292e4abb49cdda2e23096177cd89 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Thu, 9 Sep 2021 14:17:31 +0530 Subject: [PATCH 29/81] Updated suggestions --- .../tpm/initialize-and-configure-ownership-of-the-tpm.md | 4 ++-- .../information-protection/tpm/manage-tpm-commands.md | 2 +- .../trusted-platform-module-services-group-policy-settings.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index 2cce643c84..0fb36c69fe 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -33,7 +33,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also t - [Turn on or turn off the TPM](#turn-on-or-turn-off) -For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true). +For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). ## About TPM initialization and ownership @@ -146,7 +146,7 @@ If you want to stop using the services that are provided by the TPM, you can use ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). ## Related topics diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md index ddc7cd93d0..23fb8a8789 100644 --- a/windows/security/information-protection/tpm/manage-tpm-commands.md +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md @@ -79,7 +79,7 @@ The following procedures describe how to manage the TPM command lists. You must ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true). +You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). ## Related topics diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 13b87d24b2..0ae9cb6622 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -146,5 +146,5 @@ If you don't want users to see the recommendation to update TPM firmware, you ca ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) -- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps &preserve-view=true) +- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true) - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) \ No newline at end of file From 119190a4e18d3b5ff72de1714872f593f49ee750 Mon Sep 17 00:00:00 2001 From: Kamil Date: Fri, 10 Sep 2021 01:44:16 +0200 Subject: [PATCH 30/81] Update windows-adk-scenarios-for-it-pros.md Image creation functionality has been removed from Windows ICD a long time ago. Also, the link that has been deleted is no longer valid. --- windows/deployment/windows-adk-scenarios-for-it-pros.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 9c27c2ce11..39d68c7a0e 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -71,7 +71,7 @@ Here are some things you can do with Windows SIM: For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center. -### Create a Windows image using Windows ICD +### Create a provisioning package using Windows ICD Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image. @@ -79,7 +79,6 @@ Here are some things you can do with Windows ICD: - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) - [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) -- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) ### IT Pro Windows deployment tools @@ -90,4 +89,4 @@ There are also a few tools included in the Windows ADK that are specific to IT P   -  \ No newline at end of file +  From 24ccda538c6f7d704e4aaabf2e1e9d865db2f4b6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 13 Sep 2021 07:41:28 -0700 Subject: [PATCH 31/81] Update event-4776.md --- .../threat-protection/auditing/event-4776.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 3249451c6f..8b9727aaa0 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/13/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -125,14 +125,14 @@ This event does *not* generate when a domain account logs on locally to a domain For 4776(S, F): The computer attempted to validate the credentials for an account. -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | +| **Type of monitoring required** | **Recommendation** | +|-----------------|---------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | -| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | +| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | - If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. @@ -142,12 +142,12 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun - Consider tracking the following errors for the reasons listed: -| **Error to track** | **What the error might indicate** | -|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| **Error to track** | **What the error might indicate** | +|----------|----------------| | **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. | | **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. | -| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. | -| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | | **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. | -| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | -| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | +| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | +| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | From ebad3c4166357d929c214b2129e9a3856213393d Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 14 Sep 2021 09:45:57 +0530 Subject: [PATCH 32/81] Incorporated review comments --- .../tpm/change-the-tpm-owner-password.md | 1 + .../tpm/how-windows-uses-the-tpm.md | 12 +++---- ...lize-and-configure-ownership-of-the-tpm.md | 36 +++++++++---------- .../tpm/manage-tpm-lockout.md | 2 +- .../tpm/tpm-fundamentals.md | 31 ++++++++-------- .../tpm/tpm-recommendations.md | 18 +++++----- 6 files changed, 50 insertions(+), 50 deletions(-) diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index c139f7a4df..6edba10d03 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -20,6 +20,7 @@ ms.date: 09/03/2021 **Applies to** - Windows 10 +- TPM 1.2 - Windows 11 - Windows Server 2016 and above diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 532dc2607c..038e7da093 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -19,7 +19,7 @@ ms.date: 09/03/2021 # How Windows uses the Trusted Platform Module -The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows as well as the cumulative security impact of running Windows on a PC that contains a TPM. +The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a PC that contains a TPM. **See also:** @@ -36,7 +36,7 @@ The TPM is a cryptographic module that enhances computer security and privacy. P Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). @@ -58,11 +58,11 @@ Although CNG sounds like a mundane starting point, it illustrates some of the ad The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: -• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. +• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. • **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. ## Virtual Smart Card @@ -92,13 +92,13 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA. ## BitLocker Drive Encryption -BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. +BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: • **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. -• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS). +• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index 0fb36c69fe..bb72304f8c 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -1,6 +1,6 @@ --- title: Troubleshoot the TPM (Windows) -description: This topic for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). +description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8 ms.reviewer: ms.prod: w10 @@ -23,7 +23,7 @@ ms.date: 09/06/2021 - Windows 11 - Windows Server 2016 and above -This topic provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM): +This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM): - [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization) @@ -43,7 +43,7 @@ Starting with Windows 10 and Windows 11, the operating system automatically init If you find that Windows is not able to initialize the TPM automatically, review the following information: -- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. +- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. - If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system. @@ -63,7 +63,7 @@ If these issues occur, an error message appears, and you cannot complete the ini ### Troubleshoot systems with multiple TPMs -Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. +Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed. @@ -80,11 +80,11 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: -- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a login PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. +- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. - Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator. -- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this topic. +- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article. - Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI. @@ -96,13 +96,13 @@ Membership in the local Administrators group, or equivalent, is the minimum requ 1. Open the Windows Defender Security Center app. -2. Click **Device security**. +2. Select **Device security**. -3. Click **Security processor details**. +3. Select **Security processor details**. -4. Click **Security processor troubleshooting**. +4. Select **Security processor troubleshooting**. -5. Click **Clear TPM**. +5. Select **Clear TPM**. 6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. @@ -120,9 +120,9 @@ If you want to use the TPM after you have turned it off, you can use the followi 1. Open the TPM MMC (tpm.msc). -2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. +2. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. -3. Click **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. +3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM. @@ -134,20 +134,20 @@ If you want to stop using the services that are provided by the TPM, you can use 1. Open the TPM MMC (tpm.msc). -2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. +2. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. 3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: - - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. + - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. - - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. + - If you do not have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. - - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. + - If you did not save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. ## Use the TPM cmdlets You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). -## Related topics +## Related articles -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) +- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of articles) diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index 777005b678..fe1fb8255c 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -38,7 +38,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m **TPM 2.0** -TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1. +TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1. If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index a1f536f4be..7cd1b04f28 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -1,5 +1,5 @@ --- -title: TPM fundamentals (Windows) +title: Trusted Platform Module (TPM) fundamentals (Windows) description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks. ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000 ms.reviewer: @@ -23,17 +23,17 @@ ms.date: 09/06/2021 - Windows 11 - Windows Server 2016 and above -This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. +This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. -A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus. +A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. -Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. +Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. -With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software. +With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software. For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). @@ -62,16 +62,15 @@ The following topic describes the TPM Services that can be controlled centrally ## Measured Boot with support for attestation -The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. +The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. ## TPM-based Virtual Smart Card -The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a -Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. +The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. ## TPM-based certificate storage -The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). +The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). ## TPM Cmdlets @@ -79,31 +78,31 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i ## Physical presence interface -For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning the TPM on, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. +For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. ## TPM 1.2 states and initialization -For TPM 1.2, there are multiple possible states. Windows automatically initializes the TPM, which brings it to an enabled, activated, and owned state. +TPM 1.2 has multiple possible states. Windows automatically initializes the TPM, which brings it to an enabled, activated, and owned state. ## Endorsement keys -For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. +A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM. ## Key attestation -TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. +TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. ## Anti-hammering -When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided. +When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct authorization value is provided. TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. -Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. Generally, TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. +Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic. ### TPM 2.0 anti-hammering -TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry. +TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index a0a68a10b5..de5f910d13 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -31,11 +31,11 @@ For a basic feature description of TPM, see the [Trusted Platform Module Technol ## TPM design and implementation -Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. +Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM. -The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). +The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. @@ -55,7 +55,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. - - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms. + - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms. - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers). @@ -69,14 +69,14 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. -- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. +- While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. > > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. -## Discrete, Integrated or Firmware TPM? +## Discrete, Integrated, or Firmware TPM? There are three implementation options for TPMs: @@ -86,17 +86,17 @@ There are three implementation options for TPMs: - Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit -Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs. +Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs. ## Is there any importance for TPM for consumers? -For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. +For end consumers, TPM is behind the scenes but is still relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. ## TPM 2.0 Compliance for Windows ### Windows for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines, or series (or if you're updating the hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core @@ -104,7 +104,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows Server 2016 -- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. +- TPM is optional for Windows Server SKUs unless the SKU meets the other qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. ## TPM and Windows Features From e2ad7e35ae5f66b43c5d4cf46db0cdbf844ea465 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 14 Sep 2021 09:51:04 +0530 Subject: [PATCH 33/81] Update feature-multifactor-unlock --- .../hello-for-business/feature-multifactor-unlock.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 2fe1b87295..d1e93b59ef 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -94,13 +94,13 @@ You represent signal rules in XML. Each signal rule has an starting and ending ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. +Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values. |Attribute|Value| |---------|-----| -| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| -| type| "wifi" (Windows 10, version 1803) +| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later| +| type| "wifi" (Windows 10, version 1803 or later) #### Bluetooth You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". @@ -222,7 +222,7 @@ The fully qualified domain name of your organization's internal DNS suffix where #### Wi-Fi **Applies to:** -- Windows 10, version 1803 +- Windows 10, version 1803 or later You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. @@ -324,7 +324,7 @@ This example configures the same as example 2 using compounding And elements. T ``` #### Example 4 -This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) +This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later) ```xml From d2a3c13010c578450d228d9b74ba113faa0d3605 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 12:05:52 +0530 Subject: [PATCH 34/81] Create policy-csp-admx-framepanes.md --- .../mdm/policy-csp-admx-framepanes.md | 193 ++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-framepanes.md diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md new file mode 100644 index 0000000000..b6c506ddd9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -0,0 +1,193 @@ +--- +title: Policy CSP - ADMX_FramePanes +description: Policy CSP - ADMX_FramePanes +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/14/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_FramePanes +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +

+ + +## ADMX_FramePanes policies + +
+
+ ADMX_FramePanes/NoReadingPane +
+
+ ADMX_FramePanes/NoPreviewPane +
+
+ + +
+ + +**ADMX_FramePanes/NoReadingPane** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting shows or hides the Details Pane in File Explorer. + +- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. + +- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user. + +> [!NOTE] +> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. + +- If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. + +This is the default policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn on or off details pane* +- GP name: *NoReadingPane* +- GP path: *Windows Components\File Explorer\Explorer Frame Pane* +- GP ADMX file name: *FramePanes.admx* + + + +
+ + +**ADMX_FramePanes/NoPreviewPane** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Hides the Preview Pane in File Explorer. + +- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. + +- If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off Preview Pane* +- GP name: *NoPreviewPane* +- GP path: *Windows Components\File Explorer\Explorer Frame Pane* +- GP ADMX file name: *FramePanes.admx* + + + + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + From 560e60cc6449ec8a09d5b95e67d886d9ce848c00 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 12:05:57 +0530 Subject: [PATCH 35/81] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a394943879..82b6038a3e 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1177,6 +1177,16 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### ADMX_FramePanes policies +
+
+ ADMX_FramePanes/NoReadingPane +
+
+ ADMX_FramePanes/NoPreviewPane +
+
+ ### ADMX_Help policies
From 0f8d5166f662c84f4814ec1755847d82bcd26ab2 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 12:29:27 +0530 Subject: [PATCH 36/81] Updated --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 2 ++ windows/client-management/mdm/toc.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index c4eba79f3d..86ae6b3e10 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -291,6 +291,8 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) - [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) +- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) +- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 4395fbc920..76433d4d19 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -483,6 +483,8 @@ items: href: policy-csp-admx-filesys.md - name: ADMX_FolderRedirection href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md - name: ADMX_GroupPolicy From 4b6ad246f282c2035a4aab8f9cb53e8ca094a6f4 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Wed, 15 Sep 2021 16:08:21 +0530 Subject: [PATCH 37/81] Updated as per task 5388078 --- .../administrative-tools-in-windows-10.md | 13 +++++++------ ...advanced-troubleshooting-802-authentication.md | 2 +- .../connect-to-remote-aadj-pc.md | 7 ++++--- .../data-collection-for-802-authentication.md | 2 +- .../determine-appropriate-page-file-size.md | 2 +- ...icies-for-enterprise-and-education-editions.md | 5 +++-- .../client-management/manage-corporate-devices.md | 11 ++++++----- ...anage-device-installation-with-group-policy.md | 15 ++++++++------- .../manage-settings-app-with-group-policy.md | 7 ++++--- .../client-management/mandatory-user-profile.md | 6 ++++-- .../new-policies-for-windows-10.md | 5 +++-- windows/client-management/quick-assist.md | 2 +- .../troubleshoot-tcpip-port-exhaust.md | 2 +- windows/client-management/windows-libraries.md | 4 ++-- 14 files changed, 46 insertions(+), 37 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 6da0fdfdb9..8cf6c2a75d 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Administrative Tools in Windows 10 (Windows 10) +title: Administrative Tools in Windows 10 and Windows 11 description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 ms.reviewer: @@ -10,16 +10,17 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/14/2021 ms.topic: article --- -# Administrative Tools in Windows 10 +# Administrative Tools in Windows **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. @@ -29,7 +30,7 @@ The tools in the folder might vary depending on which edition of Windows you are ![Screenshot of folder of admin tools.](images/admin-tools-folder.png) -These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. +These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. @@ -54,7 +55,7 @@ These tools were included in previous versions of Windows. The associated docume - [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507) > [!TIP] -> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.  +> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows** page. Details about the information you want for a tool will help us plan future content.  ## Related topics diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index c2a8ea0c57..80304a3e5f 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -21,7 +21,7 @@ This article includes general troubleshooting for 802.1X wireless and wired clie ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. ## Known issues diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 4d8f35673e..63d3683704 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -1,5 +1,5 @@ --- -title: Connect to remote Azure Active Directory-joined PC (Windows 10) +title: Connect to remote Azure Active Directory-joined PC (Windows 10 and Windows 11) description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. keywords: ["MDM", "device management", "RDP", "AADJ"] ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: devices author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.date: 08/02/2018 +ms.date: 09/14/2021 ms.reviewer: manager: dansimp ms.topic: article @@ -21,6 +21,7 @@ ms.topic: article **Applies to** - Windows 10 +- Windows 11 From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). @@ -28,7 +29,7 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. +- Both PCs (local and remote) must be running Windows 10, version 1607 or later or Windows 11. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. - Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. - The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index 58f94bd27e..0002838314 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -24,7 +24,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window 1. Create C:\MSLOG on the client machine to store captured logs. 2. Launch an elevated command prompt on the client machine, and run the following commands to start a RAS trace log and a Wireless/Wired scenario log. - **Wireless Windows 8.1 and Windows 10:** + **Wireless Windows 8.1, Windows 10, and Windows 11:** ``` netsh ras set tracing * enabled netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md index 8daf0f4ce4..da6bb869ab 100644 --- a/windows/client-management/determine-appropriate-page-file-size.md +++ b/windows/client-management/determine-appropriate-page-file-size.md @@ -74,7 +74,7 @@ By default, page files are system-managed. This means that the page files increa For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. This all assumes that the logical disk that is hosting the page file is large enough to accommodate the growth. -The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10. +The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10 and Windows 11. |Minimum page file size |Maximum page file size| |---------------|------------------| diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index 8b2eb55f2f..2fbd6d4691 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: dansimp ms.localizationpriority: medium -ms.date: 10/13/2017 +ms.date: 09/14/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,8 @@ ms.topic: troubleshooting **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education. diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index f7fdbd3994..25dcf468c0 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -1,5 +1,5 @@ --- -title: Manage corporate devices (Windows 10) +title: Manage corporate devices (Windows 10 and Windows 11) description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D ms.reviewer: @@ -12,7 +12,7 @@ ms.sitesec: library ms.pagetype: devices author: dansimp ms.localizationpriority: medium -ms.date: 09/21/2017 +ms.date: 09/14/2021 ms.topic: article --- @@ -21,9 +21,10 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10. +You can use the same management tools to manage all device types running Windows 10 and Windows 11: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11. ## In this section @@ -35,7 +36,7 @@ You can use the same management tools to manage all device types running Windows | [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | | [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | | [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 in their organizations | +| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 11 in their organizations | ## Learn more diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index db00986ab0..4c263fc3c8 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -1,11 +1,11 @@ --- -title: Manage Device Installation with Group Policy (Windows 10) +title: Manage Device Installation with Group Policy (Windows 10 and Windows 11) description: Find out how to manage Device Installation Restrictions with Group Policy. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: barakm -ms.date: 07/05/2021 +ms.date: 09/14/2021 ms.reviewer: manager: barakm ms.author: barakm @@ -18,15 +18,16 @@ ms.topic: article **Applies to** - Windows 10, Windows Server 2022 +- Windows 11 ## Summary -By using Windows 10 operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. +By using Windows 10 and Windows 11 operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. ## Introduction ### General -This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows 10 versions starting with RS5 (1809). The guide includes the following scenarios: +This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows 10 (and Windows 11) versions starting with RS5 (1809). The guide includes the following scenarios: - Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it. - Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it. @@ -44,7 +45,7 @@ It is important to understand that the Group Policies that are presented in this This guide is targeted at the following audiences: -- Information technology planners and analysts who are evaluating Windows 10 and Windows Server 2022 +- Information technology planners and analysts who are evaluating Windows 10 (and Windows 11) and Windows Server 2022 - Enterprise information technology planners and designers - Security architects who are responsible for implementing trustworthy computing in their organization - Administrators who want to become familiar with the technology @@ -102,7 +103,7 @@ A device is a piece of hardware with which Windows interacts to perform some fun When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages. -Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows 10 to specify which of these identifiers to allow or block. +Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows 10 (and Windows 11) to specify which of these identifiers to allow or block. The four types of identifiers are: @@ -223,7 +224,7 @@ Some of these policies take precedence over other policies. The flowchart shown To complete each of the scenarios, please ensure your have: -- A client computer running Windows 10. +- A client computer running Windows 10 (and Windows 11). - A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index f64ee0de0c..0188879565 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -1,11 +1,11 @@ --- -title: Manage the Settings app with Group Policy (Windows 10) +title: Manage the Settings app with Group Policy (Windows 10 and Windows 11) description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: dansimp -ms.date: 04/19/2017 +ms.date: 09/14/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,8 @@ ms.topic: article **Applies to** -- Windows 10, Windows Server 2016 +- Windows 10, Windows Server 2016 +- Windows 11 You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 7b77f47742..8b2e2bc3e9 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -1,5 +1,5 @@ --- -title: Create mandatory user profiles (Windows 10) +title: Create mandatory user profiles (Windows 10 and Windows 11) description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. keywords: [".man","ntuser"] ms.prod: w10 @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: 09/14/2021 ms.reviewer: manager: dansimp ms.topic: article @@ -16,7 +16,9 @@ ms.topic: article # Create mandatory user profiles **Applies to** + - Windows 10 +- Windows 11 A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 183335b55e..9d8d9e35c6 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -11,7 +11,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: dansimp ms.localizationpriority: medium -ms.date: 10/24/2017 +ms.date: 09/15/2021 ms.topic: reference --- @@ -20,7 +20,8 @@ ms.topic: reference **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference". diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index acdcd2d268..0449d63dde 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -12,7 +12,7 @@ manager: laurawi # Use Quick Assist to help users -Quick Assist is a Windows 10 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is a Windows 10 and Windows 11 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. ## Before you begin diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 4c1e8b1b7f..26ba85c430 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -196,4 +196,4 @@ goto loop - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11) diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index a287d48be1..5db8c1238b 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md @@ -10,11 +10,11 @@ ms.technology: storage ms.topic: article author: dansimp description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.date: 04/19/2017 +ms.date: 09/15/2021 --- # Windows libraries -> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 +> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. From 58d4a0a3a9f6446ac95c4dbbcea047e75ff565eb Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 18:47:06 +0530 Subject: [PATCH 38/81] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../mdm/policy-csp-admx-fthsvc.md | 116 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 119 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-fthsvc.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 86ae6b3e10..0c20f673c6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -293,6 +293,7 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) - [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) - [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) +- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc-wdiscenarioexecutionpolicy.md#admx-fthsvc-wdiscenarioexecutionpolicy) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md new file mode 100644 index 0000000000..8790ac9ad7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -0,0 +1,116 @@ +--- +title: Policy CSP - ADMX_FTHSVC +description: Policy CSP - ADMX_FTHSVC +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/15/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_FTHSVC +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_FTHSVC policies + +
+
+ ADMX_FTHSVC/WdiScenarioExecutionPolicy +
+
+ +
+ + +**ADMX_FTHSVC/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. + +- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. + +- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. +If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. +This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. +The DPS can be configured with the Services snap-in to the Microsoft Management Console. +No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Configure Scenario Execution Level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Fault Tolerant Heap* +- GP ADMX file name: *FTHSVC.admx* + + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 76433d4d19..dc49d0d690 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -485,6 +485,8 @@ items: href: policy-csp-admx-folderredirection.md - name: ADMX_FramePanes href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md - name: ADMX_GroupPolicy From fd963bd7d8b4b73be47820e7aeb6e7135d0623e2 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 18:52:33 +0530 Subject: [PATCH 39/81] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 82b6038a3e..584f15a4e5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1187,6 +1187,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_FTHSVC policies ### ADMX_Help policies
From 61904effb4d5e4481def041491234225329684e8 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 19:39:05 +0530 Subject: [PATCH 40/81] Updated --- .../policy-configuration-service-provider.md | 13 ++ .../mdm/policy-csp-admx-hotspotauth.md | 115 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-hotspotauth.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 584f15a4e5..4496c8609f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1188,6 +1188,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
### ADMX_FTHSVC policies +
+
+ ADMX_FTHSVC/WdiScenarioExecutionPolicy +
+
+ ### ADMX_Help policies
@@ -1204,6 +1210,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_HotSpotAuth policies +
+
+ ADMX_HotSpotAuth/HotspotAuth_Enable +
+
+ ### ADMX_Globalization policies
diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md new file mode 100644 index 0000000000..17e85306fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -0,0 +1,115 @@ +--- +title: Policy CSP - ADMX_HotSpotAuth +description: Policy CSP - ADMX_HotSpotAuth +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/15/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_HotSpotAuth +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_HotSpotAuth policies + +
+
+ ADMX_HotSpotAuth/HotspotAuth_Enable +
+
+ +
+ + +**ADMX_HotSpotAuth/HotspotAuth_Enable** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support. + +- If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. + +- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. + +- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. + +- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Enable Hotspot Authentication* +- GP name: *HotspotAuth_Enable* +- GP path: *Network\Hotspot Authentication* +- GP ADMX file name: *HotSpotAuth.admx* + + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + From 61fe4f0fa19e0c07bda86809745dc3372a5b969b Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Wed, 15 Sep 2021 15:23:11 -0700 Subject: [PATCH 41/81] Changed terminology for clarification Changed term ADMX-backed policy -> ADMX policy --- .../mdm/enable-admx-backed-policies-in-mdm.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index cfc9928a0b..ef636898be 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,6 +1,6 @@ --- -title: Enable ADMX-backed policies in MDM -description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM). +title: Enable ADMX policies in MDM +description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). ms.author: dansimp ms.topic: article ms.prod: w10 @@ -12,30 +12,30 @@ ms.reviewer: manager: dansimp --- -# Enable ADMX-backed policies in MDM +# Enable ADMX policies in MDM -This is a step-by-step guide to configuring ADMX-backed policies in MDM. +This is a step-by-step guide to configuring ADMX policies in MDM. -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: -- Find the policy from the list ADMX-backed policies. +- Find the policy from the list ADMX policies. - Find the Group Policy related information from the MDM policy description. - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. - Create the data payload for the SyncML. -See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. +See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. ->[!TIP] ->Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) + + ## Enable a policy > [!NOTE] -> See [Understanding ADMX-backed policies in Policy CSP](./understanding-admx-backed-policies.md). +> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md). -1. Find the policy from the list [ADMX-backed policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. +1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. - GP English name - GP name - GP ADMX file name @@ -308,4 +308,4 @@ The \ payload is empty. Here an example to set AppVirtualization/Publishin -``` \ No newline at end of file +``` From dfa6f2914dcfc00113767abb14051db21dafa089 Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Wed, 15 Sep 2021 15:42:16 -0700 Subject: [PATCH 42/81] Terminology change for ADMX for clarifiation Changed from ADMX-Backed Policies _> ADMX Policies --- .../mdm/understanding-admx-backed-policies.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 21f39c4389..4550b1717b 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -1,6 +1,6 @@ --- -title: Understanding ADMX-backed policies -description: Starting in Windows 10, version 1703, you can use ADMX-backed policies for Windows 10 mobile device management (MDM) across Windows 10 devices. +title: Understanding ADMX policies +description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -11,15 +11,15 @@ ms.reviewer: manager: dansimp --- -# Understanding ADMX-backed policies +# Understanding ADMX policies -Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, current Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution. +Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution. -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support will be expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises do not need to compromise security of their devices in the cloud. +Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud. ## Background -In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). +In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies. In an ADMX policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: @@ -30,29 +30,29 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. -Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](./policy-configuration-service-provider.md). +Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](./policy-configuration-service-provider.md). ->[!TIP] ->Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) + + ## ADMX files and the Group Policy Editor -To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. +To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. Group Policy option button setting: - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX-backed policy definition. + - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. - If **Disabled** is selected and you click **Apply**, the following events occur: - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. - - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition. + - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. - If **Not Configured** is selected and you click **Apply**, the following events occur: - MDM ISV server sets up a Delete SyncML command. - - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX-backed policy definition. + - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. The following diagram shows the main display for the Group Policy Editor. @@ -83,9 +83,9 @@ Appv.admx file: ``` -## ADMX-backed policy examples +## ADMX policy examples -The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ### Enabling a policy From 776cad1c724fd2678281c2ed1a56ac01437a1c3b Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Wed, 15 Sep 2021 15:49:20 -0700 Subject: [PATCH 43/81] Terminology changes for clarity ADMX-Backed policy -> ADMX policy Import -> Ingest --- ...in32-and-centennial-app-policy-configuration.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 3d2584ee4e..2e285342fd 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -1,6 +1,6 @@ --- -title: Win32 and Desktop Bridge app policy configuration -description: Starting in Windows 10, version 1703, you can import ADMX files and set those ADMX-backed policies for Win32 and Desktop Bridge apps. +title: Win32 and Desktop Bridge app ADMX policy Ingestion +description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -11,21 +11,21 @@ ms.reviewer: manager: dansimp --- -# Win32 and Desktop Bridge app policy configuration +# Win32 and Desktop Bridge app ADMX policy Ingestion ## In this section - [Overview](#overview) - [Ingesting an app ADMX file](#ingesting-an-app-admx-file) - [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) -- [ADMX-backed app policy examples](#admx-backed-app-policy-examples) +- [ADMX app policy examples](#admx-backed-app-policy-examples) - [Enabling an app policy](#enabling-an-app-policy) - [Disabling an app policy](#disabling-an-app-policy) - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) ## Overview -Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. +Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. NOTE: Starting from the following Windows 10 version Replace command is supported - Windows 10, version 1903 with KB4512941 and KB4517211 installed @@ -33,7 +33,7 @@ NOTE: Starting from the following Windows 10 version Replace command is supporte - Windows 10, version 1803 with KB4512509 and KB installed - Windows 10, version 1709 with KB4516071 and KB installed -When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: +When the ADMX policies are ingested, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: - Software\Policies\Microsoft\Office\ - Software\Microsoft\Office\ @@ -58,7 +58,7 @@ When the ADMX policies are imported, the registry keys to which each policy is w - Software\Microsoft\EdgeUpdate\ > [!Warning] -> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. +> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] > Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). From b325e6129c5ca240912065f7c3c9b940cc19aa2e Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 15 Sep 2021 19:18:04 -0400 Subject: [PATCH 44/81] Fixed redirect --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index fc68ba7fb1..1fc2ec8e56 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,7 +1,7 @@ { "redirections": [ { - "source_path": "windows/configuration/customize-the-start-menu-layout-on-windows-11.md", + "source_path": "windows/configuration/use-json-customize-start-menu-windows.md", "redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11", "redirect_document_id": false }, From 7f03c674a2fe1a61d8f858198c73a7c321b00122 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 16 Sep 2021 11:34:22 +0530 Subject: [PATCH 45/81] Build issue- fixes as per comments Fixed the formatting issues in hello-hybrid-cert-trust-devreg.md and added valid code-blocks to the file. --- .../hello-hybrid-aadj-sso-base.md | 7 +- .../hello-hybrid-aadj-sso-cert.md | 4 +- .../hello-hybrid-cert-trust-devreg.md | 127 +++++++++--------- .../hello-hybrid-cert-whfb-provision.md | 2 +- .../hello-hybrid-cert-whfb-settings-pki.md | 2 +- 5 files changed, 74 insertions(+), 68 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index f8b221e861..86d9a96b10 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -213,8 +213,8 @@ The web server is ready to host the CRL distribution point. Now, configure the 4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash). 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. -7. Select the CDP you just created. - ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) +7. Select the CDP you just created.
+![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. @@ -262,7 +262,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) - ## Configure and Assign a Trusted Certificate Device Configuration Profile Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails. @@ -282,7 +281,7 @@ Steps you will perform include: ![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png) 6. In the **Certificate Export Wizard**, click **Next**. 7. On the **Export File Format** page of the wizard, click **Next**. -8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. +8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
![Export root certificate.](images/aadj/certlm-export-root-certificate.png) 9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 6cca936be0..61eb44f8f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -323,7 +323,7 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. -6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. +6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. @@ -509,7 +509,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. -A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source. ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 387a5f1ded..07738c4e4a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -24,7 +24,6 @@ ms.reviewer: - Hybrid deployment - Certificate trust - Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] @@ -34,15 +33,17 @@ Your environment is federated and you are ready to configure device registration >Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration. Use this three-phased approach for configuring device registration. + 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) > [!NOTE] > Before proceeding, you should familiarize yourself with device registration concepts such as: -> * Azure AD registered devices -> * Azure AD joined devices -> * Hybrid Azure AD joined devices +> +> - Azure AD registered devices +> - Azure AD joined devices +> - Hybrid Azure AD joined devices > > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) @@ -50,7 +51,8 @@ Use this three-phased approach for configuring device registration. > To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594). ## Configure Azure for Device Registration -Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. + +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal) @@ -60,7 +62,7 @@ Azure Active Directory is now configured for device registration. Next, you need ### Upgrading Active Directory to the Windows Server 2016 or later Schema -To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. +To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. > [!IMPORTANT] > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section). @@ -83,110 +85,107 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. > [!NOTE] > If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. - ### Setup Active Directory Federation Services + If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. > [!IMPORTANT] -> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) #### ADFS Web Proxy ### + Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect + Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771). When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. -### Create AD objects for AD FS Device Authentication -If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. +### Create AD objects for AD FS Device Authentication +If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. ![Device Registration: AD FS](images/hybridct/device1.png) > [!NOTE] > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. -1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. - -![Device Registration: Overview](images/hybridct/device2.png) - +1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. + ![Device Registration: Overview](images/hybridct/device2.png) 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - `Import-module activedirectory` `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName ""` 3. On the pop-up window click **Yes**. -> [!NOTE] -> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" + > [!NOTE] + > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration: Domain](images/hybridct/device3.png) + ![Device Registration: Domain](images/hybridct/device3.png) + The above PSH creates the following objects: -The above PSH creates the following objects: - -- RegisteredDevices container under the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration - -![Device Registration: Tests](images/hybridct/device4.png) + - RegisteredDevices container under the AD domain partition + - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration + - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration + ![Device Registration: Tests](images/hybridct/device4.png)
4. Once this is done, you will see a successful completion message. -![Device Registration: Completion](images/hybridct/device5.png) + ![Device Registration: Completion](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS -1. Open Windows PowerShell and execute the following: + +1. Open Windows PowerShell and execute the following: `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` -> [!NOTE] -> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep - -![Device Registration AdPrep](images/hybridct/device6.png) + > [!NOTE] + > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep + ![Device Registration AdPrep](images/hybridct/device6.png) 2. Provide your Azure AD global administrator credentials - `PS C:>$aadAdminCred = Get-Credential` - -![Device Registration: Credential](images/hybridct/device7.png) + `PS C:>$aadAdminCred = Get-Credential` + ![Device Registration: Credential](images/hybridct/device7.png) 3. Run the following PowerShell command `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred` -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. + Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. ### Prepare AD for Device Write Back To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. -1. Open Windows PowerShell and execute the following: +1. Open Windows PowerShell and execute the following: `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]` -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format + Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name - RegisteredDevices container in the AD domain partition - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -### Enable Device Write Back in Azure AD Connect +### Enable Device Write Back in Azure AD Connect + If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets ## Configure AD FS to use Azure registered devices @@ -213,17 +212,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints: The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. -* `http://schemas.microsoft.com/ws/2012/01/accounttype` -* `http://schemas.microsoft.com/identity/claims/onpremobjectguid` -* `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` +- `http://schemas.microsoft.com/ws/2012/01/accounttype` +- `http://schemas.microsoft.com/identity/claims/onpremobjectguid` +- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` If you have more than one verified domain name, you need to provide the following claim for computers: -* `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` +- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid` If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers: -* `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` +- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` In the following sections, you find information about: @@ -239,7 +238,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: -``` +```powershell + @RuleName = "Issue account type for domain-joined computers" c:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -256,7 +256,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: -``` +```powershell + @RuleName = "Issue object GUID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -280,7 +281,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: -``` +```powershell + @RuleName = "Issue objectSID for domain-joined computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -299,7 +301,8 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. -``` +```powershell + @RuleName = "Issue account type with the value User when it is not a computer" NOT EXISTS( @@ -355,7 +358,8 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: -``` +```powershell + @RuleName = "Issue ImmutableID for computers" c1:[ Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", @@ -379,7 +383,8 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] The following script helps you with the creation of the issuance transform rules described above. -``` +```powershell + $multipleVerifiedDomainNames = $false $immutableIDAlreadyIssuedforUsers = $false $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains @@ -506,20 +511,21 @@ The following script helps you with the creation of the issuance transform rules - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - -~~~ + ~~~ c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); -~~~ + ~~~ - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. -#### Configure Device Authentication in AD FS +#### Configure Device Authentication in AD FS + Using an elevated PowerShell command window, configure AD FS policy by executing the following command `PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken` -#### Check your configuration +#### Check your configuration + For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work - object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> @@ -528,7 +534,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration: Container](images/hybridct/device8.png) + ![Device Registration: Container](images/hybridct/device8.png) - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object @@ -542,6 +548,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
## Follow the Windows Hello for Business hybrid certificate trust deployment guide + 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index f1dc22e50f..e7082740c2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -1,6 +1,6 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) -description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss. +description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 1cc5c20c10..53d6fd45a0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -17,7 +17,7 @@ ms.date: 4/30/2021 ms.reviewer: --- -# Configure Hybrid Azure AD joined Windows Hello for Busines - Public Key Infrastructure +# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure **Applies to** From 266f215617500b3a9497e5600814d25b7b23c2e2 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 16 Sep 2021 17:37:38 +0530 Subject: [PATCH 46/81] 5402449-Localpoliciessecurityoptions: Updated Missing Documentation Added missing documentation (MicrosoftNetworkClient_DigitallySignCommunicationsAlways) in Policy CSP - LocalPoliciesSecurityOptions - Windows Client Management | Microsoft Docs. --- ...policy-csp-localpoliciessecurityoptions.md | 1090 +++++++++++------ 1 file changed, 729 insertions(+), 361 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index c004295d70..50d1696f71 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,6 +1,6 @@ --- title: Policy CSP - LocalPoliciesSecurityOptions -description: These settings prevents users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. +description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -69,6 +69,9 @@ manager: dansimp
LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
@@ -173,28 +176,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -245,28 +254,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -322,28 +337,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -385,28 +406,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -448,28 +475,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -512,28 +545,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -576,28 +615,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -642,28 +687,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -705,28 +756,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -772,28 +829,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -843,29 +906,34 @@ Valid values: - - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -917,28 +985,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -991,28 +1065,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1058,28 +1138,34 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1123,28 +1209,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1186,28 +1278,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1254,6 +1352,88 @@ GP Info: - GP Friendly name: *Interactive logon: Smart card removal behavior* - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + +
+ + +**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + +>[!Important] +>For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). + +>[!Note] +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. + +On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. + +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136." + + + +GP Info: +- GP Friendly name: *Microsoft network client: Digitally sign communications (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + @@ -1265,28 +1445,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1313,14 +1499,16 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. -Notes +>[!Note] +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. + SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. @@ -1341,28 +1529,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1404,28 +1598,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1482,28 +1682,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1533,21 +1739,21 @@ Default: Disabled for member servers. Enabled for domain controllers. -Notes +>[!Note] +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. + +On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) +>[!Important] +>For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature @@ -1570,28 +1776,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1618,18 +1830,19 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. -Important +>[!Important] +>For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature +>[!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. + SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. @@ -1650,28 +1863,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1702,9 +1921,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. -Important - -This policy has no impact on domain controllers. +>[!Important] +>This policy has no impact on domain controllers. @@ -1723,28 +1941,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1786,28 +2010,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1849,28 +2079,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1912,28 +2148,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1979,28 +2221,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2047,28 +2295,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2115,28 +2369,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2169,9 +2429,8 @@ Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. +>[!Important] +>This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: @@ -2198,28 +2457,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2266,28 +2531,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2334,28 +2605,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2408,28 +2685,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2487,28 +2770,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2566,28 +2855,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2645,28 +2940,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2719,28 +3020,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2784,28 +3091,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2858,27 +3171,34 @@ Valid values: - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2934,28 +3254,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3002,28 +3328,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -3067,28 +3399,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3132,28 +3470,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3204,28 +3548,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3272,28 +3622,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3337,28 +3693,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -3402,28 +3764,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
From 935b551112e86ddc13cc1126c83153d8801c5852 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 08:29:56 -0700 Subject: [PATCH 47/81] Update change-the-tpm-owner-password.md --- .../tpm/change-the-tpm-owner-password.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 6edba10d03..44bdc2c7a6 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -20,7 +20,6 @@ ms.date: 09/03/2021 **Applies to** - Windows 10 -- TPM 1.2 - Windows 11 - Windows Server 2016 and above @@ -57,4 +56,4 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i ## Related topics -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) \ No newline at end of file +- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From a12b662e2b3390a2abfeddd4a69bd1842b775d9f Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 16 Sep 2021 09:39:33 -0600 Subject: [PATCH 48/81] Update hello-hybrid-aadj-sso-base.md Attempt fix line 217 indent --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 86d9a96b10..a679646de2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -213,8 +213,8 @@ The web server is ready to host the CRL distribution point. Now, configure the 4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash). 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. -7. Select the CDP you just created.
-![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) +7. Select the CDP you just created. + ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. From d728e76a74bbcb26d283a04dec18905e6935306d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Sep 2021 08:46:10 -0700 Subject: [PATCH 49/81] Update configure-md-app-guard.md --- .../configure-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 48f214f758..41284661d3 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/24/2021 +ms.date: 09/16/2021 ms.reviewer: manager: dansimp ms.custom: asr From 6e87dcadb8a53b610f3938e5cdb14dd1ff12a316 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 16 Sep 2021 09:48:25 -0600 Subject: [PATCH 50/81] Update hello-hybrid-aadj-sso-base.md --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index a679646de2..f81d496669 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -214,6 +214,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. + ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. From 85320e5e8b80287fd7672c21f78014761f95604d Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 16 Sep 2021 09:58:54 -0600 Subject: [PATCH 51/81] Update hello-hybrid-aadj-sso-base.md attempt 2 fix indent line 217 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index f81d496669..eeb8ee8626 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -213,8 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash). 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. -7. Select the CDP you just created. - +7. Select the CDP you just created.
![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. From 323c7813668a8b3231e3dc51f52ec4271d0fecb4 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 16 Sep 2021 10:31:25 -0600 Subject: [PATCH 52/81] Update hello-hybrid-cert-trust-devreg.md Add language identifier line 514 --- .../hello-for-business/hello-hybrid-cert-trust-devreg.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 07738c4e4a..ba0f914fa0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -511,10 +511,10 @@ The following script helps you with the creation of the issuance transform rules - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - ~~~ + ```Claims Rule Language c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); - ~~~ + ``` - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. @@ -554,4 +554,4 @@ For your reference, below is a comprehensive list of the AD DS devices, containe 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) From ae900fd2fe6df2d65cdec40bad5d75a6653754ec Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 16 Sep 2021 11:13:34 -0600 Subject: [PATCH 53/81] Update tpm-fundamentals.md --- .../security/information-protection/tpm/tpm-fundamentals.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 7cd1b04f28..123b5b21c7 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -134,7 +134,7 @@ Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. -To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed,Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. +To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. ### TPM-based smart cards @@ -152,4 +152,4 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/) - [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations) \ No newline at end of file +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations) From ce1ed5e3d4dc18dc89be7e4d45415b83a3f07a3e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 10:22:58 -0700 Subject: [PATCH 54/81] Update toc.yml removing "-backed" from TOC --- windows/client-management/mdm/toc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 04c1850c2f..af181cb7c5 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -23,9 +23,9 @@ items: href: certificate-authentication-device-enrollment.md - name: On-premises authentication device enrollment href: on-premise-authentication-device-enrollment.md - - name: Understanding ADMX-backed policies + - name: Understanding ADMX policies href: understanding-admx-backed-policies.md - - name: Enable ADMX-backed policies in MDM + - name: Enable ADMX policies in MDM href: enable-admx-backed-policies-in-mdm.md - name: Win32 and Desktop Bridge app policy configuration href: win32-and-centennial-app-policy-configuration.md @@ -381,7 +381,7 @@ items: href: policy-ddf-file.md - name: Policies in Policy CSP supported by Group Policy href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX-backed policies in Policy CSP + - name: ADMX policies in Policy CSP href: policies-in-policy-csp-admx-backed.md - name: Policies in Policy CSP supported by HoloLens 2 href: policies-in-policy-csp-supported-by-hololens2.md From 35f5bd941b0880765c0382fa2501298412466379 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 10:35:17 -0700 Subject: [PATCH 55/81] Update enable-admx-backed-policies-in-mdm.md --- .../mdm/enable-admx-backed-policies-in-mdm.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index ef636898be..bf6cf8cc1e 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -15,7 +15,7 @@ manager: dansimp # Enable ADMX policies in MDM -This is a step-by-step guide to configuring ADMX policies in MDM. +Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. @@ -63,7 +63,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 3. Create the SyncML to enable the policy that does not require any parameter. - In this example you configure **Enable App-V Client** to **Enabled**. + In this example, you configure **Enable App-V Client** to **Enabled**. > [!NOTE] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. @@ -109,12 +109,12 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) - 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. + 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. 4. Search for GP name **Publishing_Server2_policy**. - 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor. + 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represents the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. Here is the snippet from appv.admx: @@ -206,9 +206,9 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 6. From the \ tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor. + 6. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. - Here is the example XML for Publishing_Server2_Policy : + Here is the example XML for Publishing_Server2_Policy: ```xml From 073e467d2ce27571bb91209e54fd26cdd353ab2c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Sep 2021 13:16:02 -0700 Subject: [PATCH 56/81] Update windows-defender-security-center.md --- .../windows-defender-security-center.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index fe03727f33..cb27db7bfd 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -29,7 +29,7 @@ This library describes the Windows Security app, and provides information on con In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. -In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. +In Windows 10, version 1803, the app has two new areas: **Account protection** and **Device security**. ![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png) @@ -75,20 +75,20 @@ You can find more information about each section, including options for configur ## How the Windows Security app works with Windows security features > [!IMPORTANT] -> Microsoft Defender AV and the Windows Security app use similarly named services for specific purposes. +> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes. > > The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](/previous-versions/windows/it-pro/windows-xp/bb457154(v=technet.10)#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > ->These services do not affect the state of Microsoft Defender AV. Disabling or modifying these services will not disable Microsoft Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. +>These services do not affect the state of Microsoft Defender Antivirus. Disabling or modifying these services will not disable Microsoft Defender Antivirus, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. > ->Microsoft Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date]/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). +>Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). > -> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> Disabling the Windows Security Center service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] > If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > -> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. +> It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > > This will significantly lower the protection of your device and could lead to malware infection. @@ -101,4 +101,4 @@ Disabling any of the individual features (through Group Policy or other manageme > [!IMPORTANT] > Individually disabling any of the services will not disable the other services or the Windows Security app. -For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. \ No newline at end of file +For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. From 4064975d0931bd4cce539500e3a8b8505a19cdae Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 16 Sep 2021 13:42:50 -0700 Subject: [PATCH 58/81] tuning up articles in the plan section; doesn't include ones needing the biggest changes --- .../update/create-deployment-plan.md | 12 ++++++---- windows/deployment/update/eval-infra-tools.md | 23 +++++++++++-------- .../update/plan-define-readiness.md | 5 ++++ .../update/plan-determine-app-readiness.md | 7 +++++- 4 files changed, 33 insertions(+), 14 deletions(-) diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md index 2d806516c6..0f7d0795a5 100644 --- a/windows/deployment/update/create-deployment-plan.md +++ b/windows/deployment/update/create-deployment-plan.md @@ -13,9 +13,14 @@ ms.topic: article # Create a deployment plan +**Applies to** + +- Windows 10 +- Windows 11 + A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity. -When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline. +When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline. At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur. @@ -99,8 +104,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period, In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly. > [!NOTE] -> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature -> updates to mission critical devices. +> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices. During the broad deployment phase, you should focus on the following activities: @@ -116,7 +120,7 @@ Previously, we have provided methods for analyzing your deployments, but these h [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to make informed decisions about the readiness of your Windows devices. -In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest +In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. > [!IMPORTANT] diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md index ce3c85e030..1d8974b7b8 100644 --- a/windows/deployment/update/eval-infra-tools.md +++ b/windows/deployment/update/eval-infra-tools.md @@ -15,34 +15,39 @@ ms.collection: m365initiative-coredeploy # Evaluate infrastructure and tools +**Applies to** + +- Windows 10 +- Windows 11 + Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness. ## Infrastructure Do your deployment tools need updates? -- If you use Configuration Manager, is it on the Current Branch with the latest release installed. Being on this branch ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months. +- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months. - Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated. -- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update. +- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update. Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so. ## Device settings -Make sure your security baseline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed. +Make sure your security baseline, administrative templates, and policies have the right settings to support your devices once the new Windows client update is installed. ### Security baseline -Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly. +Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly. - **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them. -- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy. +- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy. ### Configuration updates There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. -- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). - **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. @@ -50,9 +55,9 @@ There are a number of Windows policies (set by Group Policy, Intune, or other me When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating: -- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported. -- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported. -- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update. +- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported. +- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported. +- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update. - **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update. Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight. diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md index 2e371a0df1..40198581cc 100644 --- a/windows/deployment/update/plan-define-readiness.md +++ b/windows/deployment/update/plan-define-readiness.md @@ -15,6 +15,11 @@ ms.collection: m365initiative-coredeploy # Define readiness criteria +**Applies to** + +- Windows 10 +- Windows 11 + ## Figure out roles and personnel Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment. diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md index 0bb65d7087..8fcd5f228e 100644 --- a/windows/deployment/update/plan-determine-app-readiness.md +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -16,7 +16,12 @@ author: jaimeo # Determine application readiness -Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization. +**Applies to** + +- Windows 10 +- Windows 11 + +Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization. ## Validation methods From 7c37664b9388f7c81a84bb0434f03751f36b618f Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 11:59:52 +0530 Subject: [PATCH 59/81] Updated the file as per feedback and suggestions --- ...policy-csp-localpoliciessecurityoptions.md | 115 +++++++----------- 1 file changed, 41 insertions(+), 74 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 50d1696f71..256a265ebe 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -666,9 +666,8 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled -Note - -This setting does not affect the ability to add a local printer. This setting does not affect Administrators. +[!Note] +>This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -1412,21 +1411,16 @@ This security setting determines whether packet signing is required by the SMB c If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. -Default: Disabled. - ->[!Important] ->For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). +Default: Disabled. >[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. - -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136." +>All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1500,17 +1494,15 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. >[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. - -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +>If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1734,30 +1726,18 @@ The server message block (SMB) protocol provides the basis for Microsoft file an If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. -Default: - -Disabled for member servers. -Enabled for domain controllers. +Default: Disabled for member servers. Enabled for domain controllers. >[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. - -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - ->[!Important] ->For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> +>Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +>If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1830,21 +1810,16 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Important] ->For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - >[!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. - -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +>If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -2347,11 +2322,6 @@ This security setting determines if, at the next password change, the LAN Manage Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - GP Info: @@ -2429,12 +2399,9 @@ Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). ->[!Important] ->This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - Default: -Windows 2000 and windows XP: send LM and NTLM responses +windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only @@ -2510,7 +2477,7 @@ This security setting allows a client device to require the negotiation of 128-b Default: -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. +Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. @@ -2584,7 +2551,7 @@ Require 128-bit encryption. The connection will fail if strong encryption (128-b Default: -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. +Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption From 49b4a83d17ed83c4e1f61f4544e85791a83a355a Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 13:38:48 +0530 Subject: [PATCH 60/81] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 256a265ebe..d88347f9e1 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -666,7 +666,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled -[!Note] +>[!Note] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -1420,7 +1420,7 @@ Default: Disabled. >- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. >- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md) . @@ -1502,7 +1502,7 @@ Default: Enabled. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). @@ -1737,7 +1737,7 @@ Default: Disabled for member servers. Enabled for domain controllers. > >Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. >If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). @@ -1819,7 +1819,7 @@ Default: Enabled on domain controllers only. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). From adca70b7787282d526ceec93d3e56d153a6a6b70 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Fri, 17 Sep 2021 15:58:16 +0530 Subject: [PATCH 61/81] Incorporated the review comments --- .../administrative-tools-in-windows-10.md | 4 ++-- .../advanced-troubleshooting-802-authentication.md | 2 +- .../client-management/connect-to-remote-aadj-pc.md | 4 ++-- .../client-management/manage-corporate-devices.md | 8 ++++---- .../manage-device-installation-with-group-policy.md | 13 +++++++------ windows/client-management/quick-assist.md | 2 +- .../troubleshoot-tcpip-port-exhaust.md | 2 +- 7 files changed, 18 insertions(+), 17 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 8cf6c2a75d..b7d0186f19 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Administrative Tools in Windows 10 and Windows 11 +title: Administrative Tools in Windows description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 ms.reviewer: @@ -55,7 +55,7 @@ These tools were included in previous versions of Windows. The associated docume - [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507) > [!TIP] -> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows** page. Details about the information you want for a tool will help us plan future content.  +> If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** or **Administrative Tools in Windows 11** page. Details about the information you want for a tool will help us plan future content.  ## Related topics diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 80304a3e5f..d3f7cdaa23 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -21,7 +21,7 @@ This article includes general troubleshooting for 802.1X wireless and wired clie ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 11 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. ## Known issues diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 63d3683704..d35a51b495 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -1,5 +1,5 @@ --- -title: Connect to remote Azure Active Directory-joined PC (Windows 10 and Windows 11) +title: Connect to remote Azure Active Directory-joined PC (Windows) description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC. keywords: ["MDM", "device management", "RDP", "AADJ"] ms.prod: w10 @@ -29,7 +29,7 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607 or later or Windows 11. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. +- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. - Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. - The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 25dcf468c0..b1ab3c2cab 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -1,6 +1,6 @@ --- -title: Manage corporate devices (Windows 10 and Windows 11) -description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. +title: Manage corporate devices (Windows) +description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D ms.reviewer: manager: dansimp @@ -24,7 +24,7 @@ ms.topic: article - Windows 10 - Windows 11 -You can use the same management tools to manage all device types running Windows 10 and Windows 11: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11. +You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11. ## In this section @@ -36,7 +36,7 @@ You can use the same management tools to manage all device types running Windows | [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | | [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | | [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 11 in their organizations | +| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 or Windows 11 in their organizations | ## Learn more diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 4c263fc3c8..25ce17d38a 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -17,17 +17,18 @@ ms.topic: article **Applies to** -- Windows 10, Windows Server 2022 +- Windows 10 - Windows 11 +- Windows Server 2022 ## Summary -By using Windows 10 and Windows 11 operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. +By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. ## Introduction ### General -This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows 10 (and Windows 11) versions starting with RS5 (1809). The guide includes the following scenarios: +This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: - Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it. - Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it. @@ -45,7 +46,7 @@ It is important to understand that the Group Policies that are presented in this This guide is targeted at the following audiences: -- Information technology planners and analysts who are evaluating Windows 10 (and Windows 11) and Windows Server 2022 +- Information technology planners and analysts who are evaluating Windows 10, Windows 11 or Windows Server 2022 - Enterprise information technology planners and designers - Security architects who are responsible for implementing trustworthy computing in their organization - Administrators who want to become familiar with the technology @@ -103,7 +104,7 @@ A device is a piece of hardware with which Windows interacts to perform some fun When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages. -Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows 10 (and Windows 11) to specify which of these identifiers to allow or block. +Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block. The four types of identifiers are: @@ -224,7 +225,7 @@ Some of these policies take precedence over other policies. The flowchart shown To complete each of the scenarios, please ensure your have: -- A client computer running Windows 10 (and Windows 11). +- A client computer running Windows. - A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 0449d63dde..ced09ebede 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -12,7 +12,7 @@ manager: laurawi # Use Quick Assist to help users -Quick Assist is a Windows 10 and Windows 11 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. ## Before you begin diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 26ba85c430..3e8eeea8a1 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -196,4 +196,4 @@ goto loop - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10 and Windows 11) +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10, and Windows 11) From d70fd37e67aed91bc008ce627d19382c79460e95 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 17 Sep 2021 16:03:20 +0530 Subject: [PATCH 62/81] updated --- .../policy-configuration-service-provider.md | 9 ++ .../mdm/policy-csp-admx-iis.md | 113 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 124 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-iis.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 4496c8609f..2cfb72007a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1528,6 +1528,15 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_IIS policies +
+
+ ADMX_IIS/PreventIISInstall +
+
+ ### ADMX_kdc policies
diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md new file mode 100644 index 0000000000..7516b56b97 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -0,0 +1,113 @@ +--- +title: Policy CSP - ADMX_IIS +description: Policy CSP - ADMX_IIS +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/17/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_IIS +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_IIS policies + +
+
+ ADMX_IIS/PreventIISInstall +
+
+ +
+ + +**ADMX_IIS/PreventIISInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting prevents installation of Internet Information Services (IIS) on this computer. + +- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. + +Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. + +- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Prevent IIS installation* +- GP name: *PreventIISInstall* +- GP path: *Windows Components\Internet Information Services* +- GP ADMX file name: *IIS.admx* + + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index dc49d0d690..eb0e3b7e08 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -497,6 +497,8 @@ items: href: policy-csp-admx-helpandsupport.md - name: ADMX_ICM href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos From 97f0f2cbc2c4c6d4b83bf7e0568ac69b636c2a86 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 17 Sep 2021 16:13:34 +0530 Subject: [PATCH 63/81] Update policies-in-policy-csp-admx-backed.md --- .../mdm/policies-in-policy-csp-admx-backed.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0c20f673c6..912040f409 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -293,7 +293,7 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) - [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) - [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) -- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc-wdiscenarioexecutionpolicy.md#admx-fthsvc-wdiscenarioexecutionpolicy) +- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) @@ -395,6 +395,7 @@ ms.date: 10/08/2020 - [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) +- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) From b7c667953575042501de18ba86e0c22a6246c1a6 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 16:15:59 +0530 Subject: [PATCH 64/81] Link fix --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index d88347f9e1..798ae71573 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1420,7 +1420,7 @@ Default: Disabled. >- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. >- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md) . +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). From 6cba995ed1bda001c06e601136dd13bb81120a94 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 16:21:33 +0530 Subject: [PATCH 65/81] link fixes-part-2 --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 798ae71573..1c0cdcacb8 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1502,7 +1502,7 @@ Default: Enabled. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1737,7 +1737,7 @@ Default: Disabled for member servers. Enabled for domain controllers. > >Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. >If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1819,7 +1819,7 @@ Default: Enabled on domain controllers only. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). From 032a63cb9b4c7da1e246b2cd00c29490b7443b3a Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 17 Sep 2021 09:09:20 -0700 Subject: [PATCH 66/81] more reference changes --- .../update/prepare-deploy-windows.md | 11 ++++-- windows/deployment/update/update-baseline.md | 3 ++ windows/deployment/update/update-policies.md | 10 ++++- ...aas-deployment-rings-windows-10-updates.md | 33 ++++++----------- .../update/waas-manage-updates-wsus.md | 36 +++++------------- .../waas-optimize-windows-10-updates.md | 37 +++++++------------ ...s-servicing-strategy-windows-10-updates.md | 31 +++++----------- 7 files changed, 65 insertions(+), 96 deletions(-) diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 4da49340aa..3ea447d2c4 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -15,7 +15,12 @@ ms.collection: m365initiative-coredeploy # Prepare to deploy Windows -Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows 10. The planning phase will have left you with these useful items: +**Applies to** + +- Windows 10 +- Windows 11 + +Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase will have left you with these useful items: - A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md) - A plan for [testing and validating](plan-determine-app-readiness.md) apps @@ -114,7 +119,7 @@ Ensure that devices can reach necessary Windows Update endpoints through the fir > [!NOTE] > Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. -The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. +The specific endpoints can vary between Windows versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows client versions are available in the table of contents nearby. ### Optimize download bandwidth @@ -124,7 +129,7 @@ Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network s In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems. -- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files: +- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later (and Windows 11) you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files: - C:\Windows\temp - C:\Windows\cbstemp (though this file might be necessary to investigate update failures) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 2e4ab4fd64..ed9feda6cd 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -15,6 +15,9 @@ ms.topic: article **Applies to:** Windows 10 +> [!NOTE] +> Update Baseline is not currently available for Windows 11. + With the large number of different policies offered for Windows 10, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations. ## Why is Update Baseline needed? diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index a9b3b9cd95..0fd8905103 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -15,6 +15,12 @@ ms.collection: M365-modern-desktop --- # Policies for update compliance, activity, and end-user experience + +**Applies to** + +- Windows 10 +- Windows 11 +- Keeping devices up to date is the best way to keep them working smoothly and securely. ## Deadlines for update compliance @@ -25,7 +31,7 @@ deadline approaches, and then prioritize velocity as the deadline nears, while s ### Deadlines Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 -and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**. +and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**. The older policies started enforcing deadlines once the device reached a “restart pending” state for an update. The new policy starts the countdown for the update installation deadline from when the @@ -172,7 +178,7 @@ The default timeout on devices that support traditional sleep is set to three ho ## Old or conflicting policies -Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions. +Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions. > [!IMPORTANT] > If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index 52a1ec6f2c..177e2b07ca 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -1,6 +1,6 @@ --- -title: Build deployment rings for Windows 10 updates (Windows 10) -description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. +title: Build deployment rings for Windows client updates +description: Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -14,10 +14,11 @@ ms.topic: article # Build deployment rings for Windows 10 updates - **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 + > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -26,7 +27,7 @@ ms.topic: article For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. -Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. +Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows client, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary. @@ -47,25 +48,15 @@ Table 1 provides an example of the deployment rings you might use. As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. -## Steps to manage updates for Windows 10 +## Steps to manage updates for Windows client |  |  | | --- | --- | | ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) | -| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | +| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | Build deployment rings for Windows client updates (this topic) | +| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | +| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | +| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | -## Related topics -- [Update Windows 10 in the enterprise](index.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Manage software updates in Intune](/intune/windows-update-for-business-configure) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index d6f97a6fae..bc2accd828 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -1,5 +1,5 @@ --- -title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10) +title: Deploy Windows client updates using Windows Server Update Services description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates. ms.prod: w10 ms.mktglfcycl: manage @@ -11,12 +11,13 @@ manager: laurawi ms.topic: article --- -# Deploy Windows 10 updates using Windows Server Update Services (WSUS) +# Deploy Windows client updates using Windows Server Update Services (WSUS) **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -329,33 +330,16 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
-## Steps to manage updates for Windows 10 +## Steps to manage updates for Windows client |  |  | | --- | --- | | ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or Deploy Windows 10 updates using Windows Server Update Services (this topic)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | +| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or Deploy Windows client updates using Windows Server Update Services (this topic)
or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Overview of Windows as a service](waas-overview.md) -- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 672e2ff5a9..32f43cc742 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -1,5 +1,5 @@ --- -title: Optimize update delivery for Windows 10 updates (Windows 10) +title: Optimize update delivery for Windows client updates description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache. ms.prod: w10 ms.mktglfcycl: manage @@ -11,24 +11,25 @@ manager: laurawi ms.topic: article --- -# Optimize Windows 10 update delivery +# Optimize Windows client update delivery **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. +When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows client offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows client. -Two methods of peer-to-peer content distribution are available in Windows 10. +Two methods of peer-to-peer content distribution are available. -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests. +- [Delivery Optimization](waas-delivery-optimization.md) is a peer-to-peer distribution method in Windows. Windows clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. -- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. @@ -49,7 +50,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. ## Express update delivery -Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. +Windows client quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. > [!NOTE] > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. @@ -84,25 +85,15 @@ At this point, the download is complete and the update is ready to be installed. > [!TIP] > Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates. -## Steps to manage updates for Windows 10 +## Steps to manage updates for Windows client |  |  | | --- | --- | | ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) | +| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | | ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | -| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | +| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index e22c1fd433..86a3d1f00d 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -1,6 +1,6 @@ --- -title: Prepare servicing strategy for Windows 10 updates (Windows 10) -description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. +title: Prepare servicing strategy for Windows client updates +description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -17,7 +17,8 @@ ms.collection: m365initiative-coredeploy **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -48,25 +49,13 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou 3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. -## Steps to manage updates for Windows 10 +## Steps to manage updates for Windows client |  |  | | --- | --- | | ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | -| ![done.](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) | -| ![to do.](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | -| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | - - -## Related topics - -- [Update Windows 10 in the enterprise](index.md) -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +| ![done.](images/checklistdone.png) | Prepare servicing strategy for Windows client updates (this topic) | +| ![to do.](images/checklistbox.gif) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) | +| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) | +| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) | +| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | From 57cf71fe3bb1334aaf49dadd7f1bc1d916abe0a8 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 17 Sep 2021 09:24:04 -0700 Subject: [PATCH 67/81] adding description --- windows/deployment/update/update-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index 0fd8905103..41ba2897fd 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -1,8 +1,8 @@ --- -title: Policies for update compliance, activity, and end-user experience +title: Policies for update compliance, activity, and user experience ms.reviewer: manager: laurawi -description: +description: Explanation and recommendations for settings keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage @@ -14,7 +14,7 @@ ms.topic: article ms.collection: M365-modern-desktop --- -# Policies for update compliance, activity, and end-user experience +# Policies for update compliance, activity, and user experience **Applies to** From b092353fccb7b5d5d34e7a223150b5a31e0f2dc8 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 17 Sep 2021 10:28:41 -0700 Subject: [PATCH 68/81] more small updates for Win11 --- .../update/deployment-service-troubleshoot.md | 5 ++++- .../update/how-windows-update-works.md | 7 +++++-- windows/deployment/update/safeguard-opt-out.md | 13 +++++++++---- .../update/windows-update-error-reference.md | 5 ++++- .../deployment/update/windows-update-errors.md | 5 ++++- .../update/windows-update-troubleshooting.md | 17 ++++++++++------- 6 files changed, 36 insertions(+), 16 deletions(-) diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index 1f9675d1d9..e1b83d057b 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md @@ -16,7 +16,10 @@ ms.topic: article # Troubleshoot the Windows Update for Business deployment service -> Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](windows-update-troubleshooting.md). diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index a926abfb28..1cb0a47bf7 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -15,9 +15,12 @@ ms.topic: article ms.custom: seo-marvel-apr2020 --- -# How does Windows Update work? +# How Windows Update works -> Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 The Windows Update workflow has four core areas of functionality: diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index a6ad9a0b05..928b215cef 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md @@ -12,21 +12,26 @@ ms.topic: article # Opt out of safeguard holds -Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md). +**Applies to** + +- Windows 10 +- Windows 11 + +Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows client feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md). ## How can I opt out of safeguard holds? -IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update. +IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update and in Windows 11. > [!CAUTION] > Opting out of a safeguard hold can put devices at risk from known performance issues. -We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business. +We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business. Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues. > [!NOTE] -> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. +> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index def8d11796..508a27d244 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -17,7 +17,10 @@ ms.custom: seo-marvel-apr2020 # Windows Update error codes by component -> Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 This section lists the error codes for Microsoft Windows Update. diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index d66be080b0..eb178f7528 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -15,7 +15,10 @@ ms.custom: seo-marvel-apr2020 # Windows Update common errors and mitigation ->Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 802e6f9aa3..affb4df80e 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -15,13 +15,16 @@ ms.custom: seo-marvel-apr2020 # Windows Update troubleshooting ->Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 If you run into problems when using Windows Update, start with the following steps: 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates. +2. Install the most recent Servicing Stack Update that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: @@ -171,11 +174,11 @@ Ensure that devices can reach necessary Windows Update endpoints through the fir > [!NOTE] > Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. -The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. +The specific endpoints can vary between Windows client versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows client versions are available in the table of contents nearby. ## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +Windows client devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: 1. Start Windows PowerShell as an administrator. 2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". @@ -186,7 +189,7 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can |Output|Meaning| |-|-| |- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | -|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. | +|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10, version 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. | |- Name: Windows Store (DCat Prod)
- OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.| |- Name: Windows Server Update Service
- OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS. | |- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| @@ -230,8 +233,8 @@ As shown in the following logs, automatic update runs the scan and finds no upda 2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] ``` -## High bandwidth usage on Windows 10 by Windows Update -Users might see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components. +## High bandwidth usage on Windows client by Windows Update +Users might see that Windows is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components. The following group policies can help mitigate this situation: From a86009d94657d4a1d63e93a72b13a680dc982175 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 17 Sep 2021 10:46:49 -0700 Subject: [PATCH 69/81] fixing typos --- windows/deployment/update/update-baseline.md | 2 +- windows/deployment/update/update-policies.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index ed9feda6cd..a8e162f8c3 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -18,7 +18,7 @@ ms.topic: article > [!NOTE] > Update Baseline is not currently available for Windows 11. -With the large number of different policies offered for Windows 10, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations. +With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations. ## Why is Update Baseline needed? diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index 41ba2897fd..54d768fbfe 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -20,7 +20,7 @@ ms.collection: M365-modern-desktop - Windows 10 - Windows 11 -- + Keeping devices up to date is the best way to keep them working smoothly and securely. ## Deadlines for update compliance From 737487990f432251753651c2c31204141b24a840 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 17 Sep 2021 11:04:34 -0700 Subject: [PATCH 70/81] typo --- windows/deployment/update/update-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index 54d768fbfe..f6bb3195f2 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -46,7 +46,7 @@ restarts for maximum update velocity). We recommend you set deadlines as follows: - Quality update deadline, in days: 3 - Feature update deadline, in days: 7 -- + Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you From d91709bf3260bef8981cf359afafe2c6822766e7 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Sat, 18 Sep 2021 13:52:21 +0530 Subject: [PATCH 71/81] minor changes --- .../threat-protection/windows-firewall/boundary-zone.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index a78415035a..9c0d1186eb 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -31,7 +31,7 @@ Devices in the boundary zone are trusted devices that can accept communication r The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. -These boundary zone devices receive unsolicited inbound communications from untrusted devices that use plaintext. Therefore, they must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. +These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. ![design flowchart.](images/wfas-designflowchart1.gif) From 17e9e58a6da94d0f6fb7a861c1e4114600dc80fd Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sat, 18 Sep 2021 15:08:27 +0530 Subject: [PATCH 72/81] updated --- .../policy-configuration-service-provider.md | 7 + .../mdm/policy-csp-admx-leakdiagnostic.md | 123 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 132 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2cfb72007a..c7181e248d 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1618,6 +1618,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_LeakDiagnostic policies +
+
+ ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy +
+
+ ### ADMX_LinkLayerTopologyDiscovery policies
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md new file mode 100644 index 0000000000..23ab94d3d1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -0,0 +1,123 @@ +--- +title: Policy CSP - ADMX_LeakDiagnostic +description: Policy CSP - ADMX_LeakDiagnostic +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/17/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LeakDiagnostic +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_LeakDiagnostic policies + +
+
+ ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy +
+
+ + +
+ + +**ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. + +- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. + +- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. + +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. + +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure custom alert text* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* +- GP ADMX file name: *LeakDiagnostic.admx* + + + +
+ + + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index eb0e3b7e08..5a2779b257 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -507,6 +507,8 @@ items: href: policy-csp-admx-lanmanserver.md - name: ADMX_LanmanWorkstation href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md - name: ADMX_Logon From 47268eeea5d00f6afe4a242f89b7fa5594b80423 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sat, 18 Sep 2021 15:26:45 +0530 Subject: [PATCH 73/81] Update policies-in-policy-csp-admx-backed.md --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 912040f409..b3c2dcc841 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -417,6 +417,7 @@ ms.date: 10/08/2020 - [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) - [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) - [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) +- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) From 3e597cfb6b4fc6fcd8e76cc290bf152ec2b9661d Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 20 Sep 2021 09:30:01 -0600 Subject: [PATCH 74/81] Update policies-in-policy-csp-admx-backed.md fixed link syntax --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index c31aaee266..2dbb97d08c 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -284,7 +284,7 @@ ms.date: 10/08/2020 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) -- ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) +- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) - [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption) - [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled) - [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings) @@ -1766,4 +1766,4 @@ ms.date: 10/08/2020 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +[Policy CSP](policy-configuration-service-provider.md) From c753e380312f9cf45cd838fe3415c4d1a1b5e817 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Mon, 20 Sep 2021 12:53:16 -0400 Subject: [PATCH 75/81] Created include, and added to key files --- .../app-v/appv-evaluating-appv.md | 3 +++ .../application-management/app-v/appv-for-windows.md | 3 +++ .../app-v/appv-getting-started.md | 3 +++ .../app-v/appv-planning-for-appv.md | 3 +++ windows/application-management/apps-in-windows-10.md | 2 +- .../includes/app-v-end-life-statement.md | 12 ++++++++++++ 6 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 windows/application-management/includes/app-v-end-life-statement.md diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 3ee9e20feb..731ea42546 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -18,6 +18,9 @@ ms.author: greglin **Applies to** - Windows 10, version 1607 +> [!NOTE] +> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] + Before you deploy App-V into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up App-V in a lab environment for evaluation purposes only. ## Configure lab computers for App-V Evaluation diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index bcea5b5e47..51b2a21a10 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -16,6 +16,9 @@ ms.topic: article >Applies to: Windows 10, version 1607 +> [!NOTE] +> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] + The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users. [Getting started with App-V](appv-getting-started.md) diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 56cf023ddc..fd20851076 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -16,6 +16,9 @@ ms.topic: article >Applies to: Windows 10, version 1607 +> [!NOTE] +> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] + Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally. With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md). diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index 94081c7ff8..9f7685040d 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -16,6 +16,9 @@ ms.topic: article >Applies to: Windows 10, version 1607 +> [!NOTE] +> [!INCLUDE [Application Virtualization will be end of life in April 2026](../includes/app-v-end-life-statement.md)] + Use the following information to plan to deploy App-V without disrupting your existing network or user experience. ## Planning information diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 4fc3710369..f30e8fa94f 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -134,7 +134,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic - **Application Virtualization (App-V)**: App-V allows Win32 apps to be used as virtual apps. > [!NOTE] - > Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at **Azure Virtual desktop with MSIX app attach**. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal). + > [!INCLUDE [Application Virtualization will be end of life in April 2026](./includes/app-v-end-life-statement.md)] On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally. diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md new file mode 100644 index 0000000000..f016963135 --- /dev/null +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -0,0 +1,12 @@ +--- +author: MandiOhlinger +ms.author: mandia +ms.date: 09/20/2021 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: w10 +ms.topic: include +--- + +Application Virtualization will be [end of life in April 2026](/lifecycle/announcements/mdop-extended). We recommend looking at Azure Virtual Desktop with MSIX app attach. For more information, see [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) and [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal). From 04b929803969b0bd2b5ed4bae640b4618cd21e61 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Mon, 20 Sep 2021 10:16:28 -0700 Subject: [PATCH 76/81] a few more updates --- .../update/deployment-service-overview.md | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4eca196e15..01812adc48 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -16,7 +16,10 @@ ms.topic: article # Windows Update for Business deployment service -> Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies. @@ -56,18 +59,18 @@ The deployment service exposes these capabilities through Microsoft [Graph REST To work with the deployment service, devices must meet all these requirements: -- Be running Windows 10, version 1709 or later +- Be running Windows 10, version 1709 or later (or Windows 11) - Be joined to Azure Active Directory (AD) or Hybrid AD -- Have one of the following Windows 10 editions installed: - - Windows 10 Pro - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Pro Education - - Windows 10 Pro for Workstations +- Have one of the following Windows 10 or Windows 11 editions installed: + - Pro + - Enterprise + - Education + - Pro Education + - Pro for Workstations Additionally, your organization must have one of the following subscriptions: -- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows Virtual Desktop Access E3 or E5 - Microsoft 365 Business Premium @@ -78,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell From 877ef1bebf8c99859d7aa562af7aff7739487fdb Mon Sep 17 00:00:00 2001 From: jaimeo Date: Mon, 20 Sep 2021 10:40:38 -0700 Subject: [PATCH 77/81] adding article on safeguard holds --- windows/deployment/update/safeguard-holds.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 735acd6e97..eb28dce097 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -12,9 +12,14 @@ ms.topic: article # Safeguard holds -Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. +**Applies to** -Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10. +- Windows 10 +- Windows 11 + +Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. + +Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client. The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices. From 97b2691d63b6e1e56b69f84155dd20217ccd349d Mon Sep 17 00:00:00 2001 From: Kaushik Ainapure Date: Tue, 21 Sep 2021 00:23:48 +0530 Subject: [PATCH 78/81] Format changes and additional error codes 1. Updated article with H2 formatting for better discoverability of the error codes. 2. Updated article to include 17 additional error codes. --- .../update/windows-update-errors.md | 227 ++++++++++++++++-- 1 file changed, 205 insertions(+), 22 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index eb178f7528..0604df39cc 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -3,13 +3,14 @@ title: Windows Update common errors and mitigation description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: -audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article +ms.reviewer: kaushika +manager: dcscontentpm +audience: itpro +ms.topic: troubleshooting +ms.technology: windows-client-deployment ms.custom: seo-marvel-apr2020 --- @@ -22,22 +23,204 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. +## 0x8024402F -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | -| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | + +## 0x80242006 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | + +## 0x80070BC9 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | + +## 0x80200053 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | + +## 0x80072EFD or 0x80072EFE or 0x80D02002 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | + +## 0X8007000D + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | + +## 0x8024A10A + +| Message | Description | Mitigation | +|---------|-------------|------------| +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | + +## 0x80240020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | + +## 0x80242014 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | + +## 0x80246017 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| + +## 0x8024000B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | + +## 0x8024000E + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | + +## 0x8024D009 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | + +## 0x80244007 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + +## 0x80070422 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| + +## 0x800f0821 + + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| + +## 0x800f0825 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800F0920 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | + +## 0x800f081f + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800f0831 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80070005 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | + +## 0x80070570 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + + +## 0x80070003 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | + + +## 0x80070020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | + +## 0x80073701 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x8007371b + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80072EFE + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | + +## 0x80072F8F + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com | + +## 0x80240022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | + +## 0x8024401B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | + + +## 0x80244022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | From 8018fc90224e43e4c1c5f9c078bbad24e7c0e0e8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 20 Sep 2021 13:44:38 -0700 Subject: [PATCH 79/81] Fixed broken note; added vertical space for nicer layout --- .../update/deployment-service-overview.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 01812adc48..f78e87008d 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -136,26 +136,35 @@ To enroll devices in Windows Update for Business cloud processing, set the **All > [!NOTE] > Setting this policy by using Group Policy isn't currently supported. - -| Policy | Sets registry key under **HKLM\\Software** | -|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | +> +> | Policy | Sets registry key under **HKLM\\Software** | +> |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +> | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Configuration profiles** > **Create profile**. + 3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**. + 4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**. + 5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**. - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - Data type: **Integer** - Value: **8** + 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. + 7. In **Review + create**, review your settings, and then select **Create**. -8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. + +8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: + + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing** ## Best practices Follow these suggestions for the best results with the service. @@ -163,6 +172,7 @@ Follow these suggestions for the best results with the service. ### Device onboarding - Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + - Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. ### General From 03c5cb308d48731ed17a3a6c2597f31f78645c83 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 20 Sep 2021 13:47:16 -0700 Subject: [PATCH 80/81] Revert "Format changes and additional error codes" --- .../update/windows-update-errors.md | 227 ++---------------- 1 file changed, 22 insertions(+), 205 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 0604df39cc..eb178f7528 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -3,14 +3,13 @@ title: Windows Update common errors and mitigation description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: +audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: kaushika -manager: dcscontentpm -audience: itpro -ms.topic: troubleshooting -ms.technology: windows-client-deployment +ms.reviewer: +manager: laurawi +ms.topic: article ms.custom: seo-marvel-apr2020 --- @@ -23,204 +22,22 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. -## 0x8024402F -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | - -## 0x80242006 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | - -## 0x80070BC9 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | - -## 0x80200053 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| - -## 0x80072EE2 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | - -## 0x80072EFD or 0x80072EFE or 0x80D02002 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | - -## 0X8007000D - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | - -## 0x8024A10A - -| Message | Description | Mitigation | -|---------|-------------|------------| -| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | - -## 0x80240020 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | - -## 0x80242014 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | - -## 0x80246017 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| - -## 0x8024000B - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | - -## 0x8024000E - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | - -## 0x8024D009 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | - -## 0x80244007 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - -## 0x80070422 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| - -## 0x800f0821 - - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| - -## 0x800f0825 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x800F0920 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | - -## 0x800f081f - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x800f0831 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x80070005 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | - -## 0x80070570 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - - -## 0x80070003 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | - - -## 0x80070020 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | - -## 0x80073701 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x8007371b - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x80072EFE - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | - -## 0x80072F8F - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ - -## 0x80072EE2 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com | - -## 0x80240022 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | - -## 0x8024401B - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | - - -## 0x80244022 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | +| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | +| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| From 2ad81bb7395678071dc8e7d13c3c254d1e767f21 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 20 Sep 2021 13:58:02 -0700 Subject: [PATCH 81/81] Revert joining of note with table --- windows/deployment/update/deployment-service-overview.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index f78e87008d..63c9c6aa24 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -136,10 +136,10 @@ To enroll devices in Windows Update for Business cloud processing, set the **All > [!NOTE] > Setting this policy by using Group Policy isn't currently supported. -> -> | Policy | Sets registry key under **HKLM\\Software** | -> |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -> | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | + +| Policy | Sets registry key under **HKLM\\Software** | +|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: