From 3aef331ebadf79b44fc14ee681e038833b6d0d6f Mon Sep 17 00:00:00 2001 From: Nathaniel Chin <22572406+nathanielcwm@users.noreply.github.com> Date: Wed, 21 Oct 2020 17:16:44 +0800 Subject: [PATCH 01/40] update kms keys link --- windows/deployment/upgrade/windows-10-edition-upgrades.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index e2806e3c0c..ff9c6ae451 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -93,7 +93,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported `changepk.exe /ProductKey ` -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys). For example, the following command will upgrade to Windows 10 Enterprise. `Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` From bbf1bff0771821a4d0ab178a6d454a0e91ebe9d5 Mon Sep 17 00:00:00 2001 From: Nathaniel Chin <22572406+nathanielcwm@users.noreply.github.com> Date: Thu, 29 Oct 2020 08:04:13 +0800 Subject: [PATCH 02/40] Update windows/deployment/upgrade/windows-10-edition-upgrades.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/upgrade/windows-10-edition-upgrades.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index ff9c6ae451..033f0e0e0d 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -93,7 +93,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported `changepk.exe /ProductKey ` -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys). For example, the following command will upgrade to Windows 10 Enterprise. +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/windows-server/get-started/kmsclientkeys). For example, the following command will upgrade to Windows 10 Enterprise. `Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` From badb28bbd4d401364027aecd06f0c499bde05cfe Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 27 Dec 2020 23:54:35 +0100 Subject: [PATCH 03/40] Update manage-windows-20H2-endpoints.md From issue ticket #8873 (**typo in FQDN**) : > The FQDN "1storecatalogrevocation.storequality.microsoft.com" does not exist, it should probably be "storecatalogrevocation.storequality.microsoft.com" See also the comment below, stating as follows: > It would probably make sense to merge the lines and use "TLSv1.2/HTTPS/HTTP" as the protocol like on other lines. > I did not see any use of 1storecatalogrevocation.storequality.microsoft.com in my tests, also there is no A or AAAA DNS record for this endpoint, which makes me assume this is a typo. Thanks to ruffy91 for noticing and reporting this typo issue. Changes proposed: - Remove the leading digit 1 from the hostname in `1storecatalogrevocation.storequality.microsoft.com` - Remove 1 redundant `HTTPS` from the row below, making it only `HTTPS/HTTP` - Merge the 2 lines since they now point to the same host FQDN Whitespace changes: - add 1 editorial blank line between the metadata section and the page title - remove 2 redundant end-of-line blanks Closes #8873 --- windows/privacy/manage-windows-20H2-endpoints.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index a2c7dbbed9..57c2ce989d 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -14,6 +14,7 @@ ms.collection: M365-security-compliance ms.topic: article ms.date: 12/17/2020 --- + # Manage connection endpoints for Windows 10 Enterprise, version 20H2 **Applies to** @@ -35,7 +36,7 @@ The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. 2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. 6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. @@ -85,8 +86,7 @@ The following methodology was used to derive these network endpoints: |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| -||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2|1storecatalogrevocation.storequality.microsoft.com| -|||HTTPS/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| ||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| |||HTTPS|pti.store.microsoft.com| @@ -130,7 +130,7 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| |Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store)| |||HTTPS|dlassets-ssl.xboxlive.com| -| + ## Other Windows 10 editions From 41e8df746f3b9c42482e7ef178742adec589c89e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 28 Dec 2020 22:59:10 +0500 Subject: [PATCH 04/40] Broken link update A link to the OMA standard was broken and has been updated to the correct one. --- .../mdm/disconnecting-from-mdm-unenrollment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 3cb1682333..36cae102c0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -44,7 +44,7 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. -> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. From 8368db79c2613c1caf186d34aab485675bc7f2d1 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 29 Dec 2020 11:12:43 +0500 Subject: [PATCH 05/40] Update windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../mdm/disconnecting-from-mdm-unenrollment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 36cae102c0..35fe6568b0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -44,7 +44,8 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. -> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> [!NOTE] +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -157,4 +158,3 @@ When the disconnection is completed, the user is notified that the device has be - From 3403fc0d96b4e8e6dfc684c3f2f16c7149cc0614 Mon Sep 17 00:00:00 2001 From: AlastairBateman <10553180+AlastairBateman@users.noreply.github.com> Date: Thu, 31 Dec 2020 21:48:19 +1100 Subject: [PATCH 06/40] Fixing a minor typo (Brose -> Browse) --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 8e3e7d4f74..a3f57c0d37 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -41,7 +41,7 @@ Prepare the Active Directory Federation Services deployment by installing and up > [!NOTE] >For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > -> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". +> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch PowerShell as an administrator. From ded8a8e23ca92c7d98cc0cdc6865006ea8031de6 Mon Sep 17 00:00:00 2001 From: AlastairBateman <10553180+AlastairBateman@users.noreply.github.com> Date: Fri, 1 Jan 2021 08:54:05 +1100 Subject: [PATCH 07/40] Added Markdown indentation Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index a3f57c0d37..18abc2bc44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -39,7 +39,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. > [!NOTE] ->For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > > 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". From 10a7156ee97e4595336ddfccdb17a3e9aed68854 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 1 Jan 2021 13:47:50 +0500 Subject: [PATCH 08/40] Update dg-readiness-tool.md --- .../identity-protection/credential-guard/dg-readiness-tool.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index e609c9469d..76ff4796bb 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -732,11 +732,11 @@ function IsDomainController function CheckOSSKU { - $osname = $((gwmi win32_operatingsystem).Name).ToLower() + $osname = $((Get-ComputerInfo).WindowsProductName).ToLower() $_SKUSupported = 0 Log "OSNAME:$osname" $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") - $HLKAllowed = @("microsoft windows 10 pro") + $HLKAllowed = @("windows 10 pro") foreach ($SKUent in $SKUarray) { if($osname.ToString().Contains($SKUent.ToLower())) From d8a892afa921d0a08022a391754486355dea6b49 Mon Sep 17 00:00:00 2001 From: Peter Upfold Date: Fri, 1 Jan 2021 10:52:08 +0000 Subject: [PATCH 09/40] Fix typo MTD -> MDT --- .../prepare-for-windows-deployment-with-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 52246fddfd..c4445493e4 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -81,7 +81,7 @@ The following OU structure is used in this guide. Instructions are provided [bel These steps assume that you have the MDT01 member server running and configured as a domain member server. -On **MTD01**: +On **MDT01**: Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) From edd467581c1a0ddab89d37cdbfaac8955691d959 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sat, 2 Jan 2021 07:31:44 +0100 Subject: [PATCH 10/40] MarkDown formatting, whitespace consistency, typos This PR is meant to make it easier for the next editor of this page to start with a known ordered content, with regards to layout formatting, general typos and MarkDown usage. Viewing this content in Rich Diff view, or without the "Hide whitespace changes" feature, might look confusing or disordered. Changes proposed: - MarkDown formatting improvements (incorrect usage/layout corrected and properly formatted) - Whitespace corrections, both for consistency, codestyle, and for easier future editing - Typo corrections and a couple of minor phrasing adjustments for readability & coherency Ref. my comments in PR #8732 and at the end of issue ticket #8548 (regarding incorrect MarkDown code block usage) --- .../hello-hybrid-aadj-sso-cert.md | 242 ++++++++++-------- 1 file changed, 135 insertions(+), 107 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 95638c7735..e8dc2df8f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,7 +1,7 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, +keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,11 +14,12 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +ms.reviewer: --- + # Using Certificates for AADJ On-premises Single-sign On -**Applies to** +**Applies to:** - Windows 10 - Azure Active Directory joined - Hybrid Deployment @@ -27,7 +28,7 @@ ms.reviewer: If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: - [Prepare Azure AD Connect](#prepare-azure-ad-connect) @@ -45,7 +46,7 @@ You need to install and configure additional infrastructure to provide Azure AD - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availaibilty -The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. +The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -58,14 +59,14 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates. ### Network Requirements -All communication occurs securely over port 443. +All communication occurs securely over port 443. ## Prepare Azure AD Connect Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. -To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes. +To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes. ### Verify AAD Connect version Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. @@ -100,8 +101,8 @@ Sign-in to a domain controller or management workstation with access equivalent Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. -2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. +2. Expand the domain node from the navigation pane. +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] @@ -118,7 +119,7 @@ Sign-in to a domain controller or management workstation with access equivalent 4. Click **Finish**. > [!IMPORTANT] -> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. +> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy. @@ -135,10 +136,10 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. -11. Close the **Group Policy Management Editor**. +11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object -The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. +The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -159,7 +160,7 @@ Sign-in to a domain controller or management workstation with access equivalent 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] -> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. +> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. ## Prepare Active Directory Certificate Authority You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will @@ -177,46 +178,52 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. -1. Open and elevated command prompt. Type the command +1. Open an elevated command prompt and type the following command: ``` certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. +2. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template -NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. +NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. -4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -5. On the **Subject** tab, select **Supply in the request**. -6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. -7. On the **Security** tab, click **Add**. -8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. -9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Click on the **Apply** to save changes and close the console. +4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + +5. On the **Subject** tab, select **Supply in the request**. +6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. +7. On the **Security** tab, click **Add**. +8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. +9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. + +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Subject** tab, select **Supply in the request**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. Close the console. ### Publish certificate templates @@ -231,7 +238,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 2. Expand the parent node from the navigation pane. 3. Click **Certificate Templates** in the navigation pane. 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 6. Close the console. ## Install and Configure the NDES Role @@ -250,10 +257,10 @@ Install the Network Device Enrollment Service role on a computer other than the Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. -2. Click **Manage**. Click **Add Roles and Features**. +2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) -4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. +4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) @@ -271,7 +278,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. > [!Important] - > The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ + > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account @@ -280,7 +287,7 @@ This task adds the NDES service account to the local IIS_USRS group. The task a #### Add the NDES service account to the IIS_USRS group Sign-in the NDES server with access equivalent to _local administrator_. -1. Start the **Local Users and Groups** management console (lusrmgr.msc). +1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. 3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. 4. Close the management console. @@ -289,10 +296,14 @@ Sign-in the NDES server with access equivalent to _local administrator_. Sign-in the NDES server with a access equivalent to _Domain Admins_. 1. Open an elevated command prompt. -2. Type the following command to register the service principal name
-```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```
-where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.
-```setspn -s http/ndes.corp.contoso.com contoso\ndessvc``` +2. Type the following command to register the service principal name + ``` + setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] + ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: + ``` + setspn -s http/ndes.corp.contoso.com contoso\ndessvc + ``` > [!NOTE] > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs. @@ -306,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. -![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) + ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png) 3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. -![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) + ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. -![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) + ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates @@ -325,61 +336,65 @@ This task configures the NDES role and the certificate templates the NDES server Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. > [!NOTE] -> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. +> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. ![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png) 1. Click the **Configure Active Directory Certificate Services on the destination server** link. 2. On the **Credentials** page, click **Next**. -![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) + ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** -![NDES Role Services](images/aadjcert/ndesconfig02.png) + ![NDES Role Services](images/aadjcert/ndesconfig02.png) 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. -![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) + ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. -![NDES CA selection](images/aadjcert/ndesconfig04.png) + ![NDES CA selection](images/aadjcert/ndesconfig04.png) 6. On the **RA Information**, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. -![NDES Confirmation](images/aadjcert/ndesconfig05.png) + ![NDES Confirmation](images/aadjcert/ndesconfig05.png) 8. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES -A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. +A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. * Digital Signature * Key Encipherment * Key Encipherment, Digital Signature Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name -|SCEP Profile Key usage| NDES Registry Value Name| -|:----------:|:-----------------------:| -|Digital Signature|SignatureTemplate| -|Key Encipherment|EncryptionTemplate| -|Key Encipherment
Digital Signature|GeneralPurposeTemplate| +| SCEP Profile Key usage| NDES Registry Value Name | +| :-------------------: | :----------------------: | +| Digital Signature | SignatureTemplate | +| Key Encipherment | EncryptionTemplate | +| Key Encipherment
Digital Signature | GeneralPurposeTemplate | Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. - If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. +If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. -3. Type the following command
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```
-where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```
+3. Type the following command: + ``` + reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] + ``` + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: + ``` + reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication + ``` 4. Type **Y** when the command asks for permission to overwrite the existing value. 5. Close the command prompt. > [!IMPORTANT] -> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc). +> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`). ### Create a Web Application Proxy for the internal NDES URL. Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. -Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. +Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. @@ -395,7 +410,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. > [!IMPORTANT] - > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. + > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. @@ -412,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. -![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) + ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. -![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) + ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 6. Click **Save**. @@ -426,18 +441,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. -7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). +6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. +7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 11. Click **Add**. 12. Sign-out of the Azure Portal. + > [!IMPORTANT] > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. - ### Enroll the NDES-Intune Authentication certificate This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. @@ -449,8 +464,8 @@ Sign-in the NDES server with access equivalent to _local administrators_. 4. Click **Next** on the **Before You Begin** page. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) 8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Click **Enroll** @@ -462,44 +477,46 @@ This task configures the Web Server role on the NDES server to use the server au Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. -2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. -![NDES IIS Console](images/aadjcert/ndes-iis-console.png) +2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. + ![NDES IIS Console](images/aadjcert/ndes-iis-console.png) 3. Click **Bindings...*** under **Actions**. Click **Add**. -![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) + ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) 4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. -![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) -6. Select **http** from the **Site Bindings** list. Click **Remove**. + ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) +6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. -8. Close **Internet Information Services (IIS) Manager**. +8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. -#### Disable Internet Explorer Enhanced Security Configuration +#### Disable Internet Explorer Enhanced Security Configuration 1. Open **Server Manager**. Click **Local Server** from the navigation pane. 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. 4. Close **Server Manager**. #### Test the NDES web server -1. Open **Internet Explorer**. -2. In the navigation bar, type -```https://[fqdnHostName]/certsrv/mscep/mscep.dll``` -where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. +1. Open **Internet Explorer**. +2. In the navigation bar, type + ``` + https://[fqdnHostName]/certsrv/mscep/mscep.dll + ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. ![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) -Confirm the web site uses the server authentication certificate. +Confirm the web site uses the server authentication certificate. ![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png) ## Configure Network Device Enrollment Services to work with Microsoft Intune -You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. +You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs @@ -510,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. -![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) + ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) 4. Select **Allow unlisted file name extensions**. 5. Select **Allow unlisted verbs**. 6. Select **Allow high-bit characters**. @@ -521,21 +538,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. -2. Run the following commands
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
+2. Run the following commands: + ``` + reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 + reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 + ``` 3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector -The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. +The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector +### Download Intune Certificate Connector Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. -![Intune Certificate Authority](images/aadjcert/profile01.png) + ![Intune Certificate Authority](images/aadjcert/profile01.png) 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. 5. Sign-out of the Microsoft Endpoint Manager admin center. @@ -544,30 +563,33 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. -3. On the **Microsoft Intune** page, click **Next**. +3. On the **Microsoft Intune** page, click **Next**. ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) -7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. +7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) + > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) + > [!NOTE] > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. +10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. + > [!NOTE] > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. @@ -576,10 +598,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) - > [!IMPORTANT] - > The user account must have a valid Intune licenese assigned. If the user account does not have a valid Intune license, the sign-in fails. -4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. + > [!IMPORTANT] + > The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails. + +4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. ### Configure the NDES Connector for certificate revocation (**Optional**) @@ -591,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival 1. Start the **Certification Authority** management console. 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. 3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. -![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) + ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation @@ -599,22 +622,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). 2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. -![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) + ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. ### Test the NDES Connector Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. -2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
+2. Type the following command to confirm the NDES Connector's last connection time is current. + ``` + reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus + ``` 3. Close the command prompt. 4. Open **Internet Explorer**. -5. In the navigation bar, type
-```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
-where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
-A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. -![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) +5. In the navigation bar, type: + ``` + https://[fqdnHostName]/certsrv/mscep/mscep.dll + ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. + A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile @@ -629,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. 6. Provide a **Group description**, if applicable. 7. Select **Assigned** from the **Membership type** list. -![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) + ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. @@ -646,6 +673,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**. 8. Select **User** as a certificate type. 9. Configure **Certificate validity period** to match your organization. + > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. @@ -669,7 +697,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Click **WHFB Certificate Enrollment**. 4. Select **Properties**, and then click **Edit** next to the **Assignments** section. 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. -![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png) + ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png) 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**. 7. Click **Review + Save**, and then **Save**. @@ -679,7 +707,7 @@ You have successfully completed the configuration. Add users that need to enrol > [!div class="checklist"] > * Requirements > * Prepare Azure AD Connect -> * Prepare the Network Device Enrollment Services (NDES) Service Acccount +> * Prepare the Network Device Enrollment Services (NDES) Service Account > * Prepare Active Directory Certificate Authority > * Install and Configure the NDES Role > * Configure Network Device Enrollment Services to work with Microsoft Intune From 16cd7c964c3ba94b8dba60d4cf82b17f931dcfb3 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:04:34 +0100 Subject: [PATCH 11/40] missing period dot ( . ) in line 348 Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index e8dc2df8f2..23c62b474a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -345,7 +345,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png) 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** ![NDES Role Services](images/aadjcert/ndesconfig02.png) -4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. +4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png) 5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. ![NDES CA selection](images/aadjcert/ndesconfig04.png) From fef05431b3baec7f5f13282596ad649e7150e1a0 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:06:08 +0100 Subject: [PATCH 12/40] missing plural S in "three certificate template" (line 359) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 23c62b474a..82d0d79705 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -356,7 +356,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 8. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES -A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. +A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. * Digital Signature * Key Encipherment * Key Encipherment, Digital Signature From 8fa226d4f0eabf152c01c7ff57736de5d6819f88 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:10:47 +0100 Subject: [PATCH 13/40] multiple grammar issues in one sentence (line 364) - translate -> translates - provide -> provided - correspond -> corresponding - belows -> below - value to -> values of - name -> names Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 82d0d79705..e41296761c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -361,7 +361,7 @@ A single NDES server can request a maximum of three certificate templates. The * Key Encipherment * Key Encipherment, Digital Signature -Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name +Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names. | SCEP Profile Key usage| NDES Registry Value Name | | :-------------------: | :----------------------: | From d775c3fc4ddb8d1466a548d4de3e66feddde7760 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:15:06 +0100 Subject: [PATCH 14/40] grammar & template reference naming - missing definite article, 2 occurrences (line 372) - encryptionTemplate -> encryption template Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index e41296761c..5b3a471495 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -369,7 +369,7 @@ Each value maps to a registry value name in the NDES server. The NDES server tr | Key Encipherment | EncryptionTemplate | | Key Encipherment
Digital Signature | GeneralPurposeTemplate | -Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. +Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. From bbd85b903da1ce62f7a9d6ada6ed86b5ab1125a2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:16:47 +0100 Subject: [PATCH 15/40] URLLs double L typo correction (line 449) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 5b3a471495..31b2fc5946 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -446,7 +446,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. -10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. +10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 11. Click **Add**. 12. Sign-out of the Azure Portal. From 49ec0a4a5cef7476eae87e8eb11c73bd2d04ad0e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:18:13 +0100 Subject: [PATCH 16/40] missing indefinite article, missing noun (line 510) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 31b2fc5946..bd48c6427b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -507,7 +507,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. -A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. ![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) From e3cbee4767dfa592313d17f3e5079b1fb322191d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:18:54 +0100 Subject: [PATCH 17/40] missing period dot ( . ) (line 583) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index bd48c6427b..b72a7ff097 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -580,7 +580,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_. ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder + > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) From 02d5692cc1c2c9b73284feded43fd68893f1cd6d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:20:22 +0100 Subject: [PATCH 18/40] Double capitalized letter word typo (line 624) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index b72a7ff097..7a58e40fde 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -621,7 +621,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). -2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. +2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. From c1947a84ad9f4b8d0ad99a46cf3a591d3e14f4a6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:22:20 +0100 Subject: [PATCH 19/40] verb typo correction, add missing noun (line 643) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 7a58e40fde..88cac79cd9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -640,7 +640,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. - A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. From 2ffc55bd3ec7dac166274a302a36b5e51e8c1dba Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:24:36 +0100 Subject: [PATCH 20/40] verb form correction (line 69) - "need to" -> needed Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 88cac79cd9..ec87491d7d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -66,7 +66,7 @@ Successful authentication to on-premises resources using a certificate requires Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. -To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes. +To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. From 5671cfff44e143723262222d1a8c267621db9d1e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:25:51 +0100 Subject: [PATCH 21/40] missing definite article & infinitive marker (line 125) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ec87491d7d..4b4966566f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -122,7 +122,7 @@ Sign-in to a domain controller or management workstation with access equivalent > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object -The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy. +The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. From f3f6450556f26cc071628c2dc1922f3ab4371135 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:39:07 +0100 Subject: [PATCH 22/40] plural/singular noun correction (line 59) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4b4966566f..94c374762b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -56,7 +56,7 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u - Encryption - Signature and Encryption -If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates. +If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements All communication occurs securely over port 443. From 3cb16011e49b3fa777c0686188502faf821f7e70 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:40:01 +0100 Subject: [PATCH 23/40] redundant double spacing inside sentence (line 142) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 94c374762b..230e8fc1a3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -139,7 +139,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object -The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. +The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. From c89b7d07943895d7b6ba9d809b1ee99c4b1af4bd Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:41:07 +0100 Subject: [PATCH 24/40] incorrect definite particle in front of proper noun (line 208) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 230e8fc1a3..bd6bc2384e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -205,7 +205,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. +During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. From fa9ef702ed2ea255dae2a85454883ae416dddab2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:42:53 +0100 Subject: [PATCH 25/40] incorrect definite particle & conjunction comma (line 226) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index bd6bc2384e..df2d14cdb3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -223,7 +223,7 @@ Sign in a certificate authority or management workstations with _Domain Admin eq 8. On the **Subject** tab, select **Supply in the request**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. Close the console. ### Publish certificate templates From c24cb2021a1e760afeb0a1b53faa6c72eb68cfe7 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:44:30 +0100 Subject: [PATCH 26/40] codestyle: all uppercase in MD [!Important] note blob (line 280) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index df2d14cdb3..ed0cfab100 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -277,7 +277,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. - > [!Important] + > [!IMPORTANT] > .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) From e06dc94e2bfb7b906a134ec1c91497de9cb56762 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:45:11 +0100 Subject: [PATCH 27/40] removal of incorrectly placed indefinite article (line 296) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ed0cfab100..2ef81da96e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -293,7 +293,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 4. Close the management console. #### Register a Service Principal Name on the NDES Service account -Sign-in the NDES server with a access equivalent to _Domain Admins_. +Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. 2. Type the following command to register the service principal name From e9bcd27ac267a6376359f598916f8d035116249e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:48:15 +0100 Subject: [PATCH 28/40] remove unused numbered list item number (line 326) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2ef81da96e..c5273dc500 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -323,7 +323,7 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) -7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**. +7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png) From 85f66153f659cfc3feb4fb2d0d9895d30242a34c Mon Sep 17 00:00:00 2001 From: ShowMeMore Date: Wed, 6 Jan 2021 16:45:56 +0100 Subject: [PATCH 29/40] Update minimum-requirements.md Updated licensing requirements match academic licensing: - Added Microsoft 365 A5 Security to the list of licensing requirements for Microsoft Defender for Endpoint - Added Microsoft 365 A5 Security to the note for Microsoft Defender for Endpoint for Servers --- .../microsoft-defender-atp/minimum-requirements.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 8605eac87e..96515f8a95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -39,8 +39,9 @@ Microsoft Defender for Endpoint requires one of the following Microsoft volume l - Windows 10 Enterprise E5 - Windows 10 Education A5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -- Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) +- Microsoft 365 E5 Security +- Microsoft 365 A5 Security > [!NOTE] > Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. @@ -57,7 +58,7 @@ Microsoft Defender for Endpoint, on Windows Server, requires one of the followin > * Microsoft Defender for Endpoint > * Windows E5/A5 > * Microsoft 365 E5/A5 -> * Microsoft 365 E5 Security +> * Microsoft 365 E5/A5 Security For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn more about the terms and conditions. From 1dc25a2dc52b8d2d932ad3a83b8cd97d06a739c0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 7 Jan 2021 15:51:47 -0800 Subject: [PATCH 30/40] add link to onboarding video --- .../microsoft-defender-atp/onboarding.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 5cbe6e5c30..bdcafd18a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -43,6 +43,15 @@ These are the steps you need to take to deploy Defender for Endpoint: ## Step 1: Onboard endpoints using any of the supported management tools The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint. + +Watch this video for a quick overview of the onboarding process and learn about the available tools and methods. +
+
+ +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] + + + After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service. ### Onboarding tool options From 6c9cf28542a96b25c59d2d1571ff7371553ac46d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Fri, 8 Jan 2021 01:27:31 +0100 Subject: [PATCH 31/40] Update enable-exploit-protection.md From issue ticket #8927 (**No such property as TerminateOnHeapError**): > In the list of properties used for different security exploit settings for the cmdlets, the properties to be set for 'Validate heap integrity' is labeled wrong. > > | Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available | > > **The property 'TerminateOnHeapError' doesn't exist for Heap. It should be TerminateOnError.** Thanks to dennisl68-castra for noticing and reporting this incorrect term variant. Changes proposed: - Change "TerminateOnHeapError" to 'TerminateOnError' Whitespace changes: - Add recommended minimum cell divider spacing to the MarkDown table cells - Align table dividing row cell dividers with the table title row cell dividers - Add editorial line between footnote mark [2] and second last H2 (##) heading Closes #8927 Ref. old PR #4351 from July 5, 2019 (before Windows Defender Exploit Guard was changed or retired) --- .../enable-exploit-protection.md | 53 ++++++++++--------- 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 7b1c044a64..cb9f2e13d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- If the app you want to configure is already listed, click it and then click **Edit**. - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. @@ -114,7 +114,7 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab 3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
@@ -209,29 +209,29 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. -|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | -|:---|:---|:---|:---| -|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | -|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | -|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | -|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -|Block remote images | App-level only | BlockRemoteImages | Audit not available -|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -|Disable extension points | App-level only | ExtensionPoint | Audit not available -|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | -|Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | -|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | -|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | -|Validate handle usage | App-level only | StrictHandle | Audit not available | -|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | -|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | +| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +| :--------- | :--------- | :----------------- | :---------------- | +| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | +| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | +| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | +| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | +| Block remote images | App-level only | BlockRemoteImages | Audit not available | +| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | +| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | ExtensionPoint | Audit not available | +| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | +| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | +| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +| Validate handle usage | App-level only | StrictHandle | Audit not available | +| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: @@ -239,6 +239,7 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` \[2\]: Audit for this mitigation is not available via Powershell cmdlets. + ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. From 22a2aaed3a53254cad33114b48768ac2a43003f3 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Fri, 8 Jan 2021 01:59:20 +0100 Subject: [PATCH 32/40] Ticket #8926 (Table of PowerShell cmdlets isn't) > "This table lists the PowerShell cmdlets" doesn't list the cmdlets (there are only three). > The column marked PowerShell cmdlets seems to refer to property names. Current table description text: "This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation." **Suggested description:** This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters. Closes #8926 --- .../microsoft-defender-atp/enable-exploit-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index cb9f2e13d1..8fe52a9432 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -207,10 +207,10 @@ If you need to restore the mitigation back to the system default, you need to in Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. +This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters. -| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | -| :--------- | :--------- | :----------------- | :---------------- | +| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter | +| :-------------- | :--------- | :---------------------------------- | :-------------------------- | | Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | | Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | | Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | From a6b6fb7504436fdb26503baadf99034da0e358de Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 8 Jan 2021 07:15:27 +0530 Subject: [PATCH 33/40] added admx templates link for windows 10 20h2 as per user report #8922 , so i added admx templates link for windows 10 20h2 --- ...unwanted-apps-microsoft-defender-antivirus.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index cb05c08abe..73b0e26503 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -110,19 +110,21 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw #### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. +1. First download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. -3. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. +3. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -4. Double-click **Configure detection for potentially unwanted applications**. +4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. -5. Select **Enabled** to enable PUA protection. +5. Double-click **Configure detection for potentially unwanted applications**. -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +6. Select **Enabled** to enable PUA protection. -7. Deploy your Group Policy object as you usually do. +7. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. + +8. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection From 1bac573680eca1f8f8856b85e0aedb5eb942a1b8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 8 Jan 2021 09:39:32 -0800 Subject: [PATCH 34/40] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ck-potentially-unwanted-apps-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 73b0e26503..2e9a3babb4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 11/30/2020 +ms.date: 01/08/2021 ms.reviewer: manager: dansimp --- From 9841d91419757ca722fdd55cdb356b6d9c91384f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 8 Jan 2021 09:41:20 -0800 Subject: [PATCH 35/40] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...wanted-apps-microsoft-defender-antivirus.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 2e9a3babb4..9be1ca37a3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -110,21 +110,23 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw #### Use Group Policy to configure PUA protection -1. First download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) +1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) -2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. +2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). -3. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +3. Select the Group Policy Object you want to configure, and then choose **Edit**. -4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. +4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -5. Double-click **Configure detection for potentially unwanted applications**. +5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. -6. Select **Enabled** to enable PUA protection. +6. Double-click **Configure detection for potentially unwanted applications**. -7. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +7. Select **Enabled** to enable PUA protection. -8. Deploy your Group Policy object as you usually do. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. + +9. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection From 2e7e01b0ae18ed40d1c6b0a5506e51e258197957 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 8 Jan 2021 09:43:28 -0800 Subject: [PATCH 36/40] Update enable-exploit-protection.md --- .../microsoft-defender-atp/enable-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 8fe52a9432..6af9be7d68 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -47,7 +47,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. From f556d65b446200c395df9087b5e3a12645fb3513 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 8 Jan 2021 09:46:11 -0800 Subject: [PATCH 37/40] Update enable-exploit-protection.md --- .../enable-exploit-protection.md | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 6af9be7d68..c015175767 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -30,14 +30,13 @@ manager: dansimp Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -You can enable each mitigation separately by using any of these methods: - -* [Windows Security app](#windows-security-app) -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +You can enable each mitigation separately by using any of these methods: +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. @@ -160,11 +159,8 @@ Get-ProcessMitigation -Name processName.exe > [!IMPORTANT] > System-level mitigations that have not been configured will show a status of `NOTSET`. -> -> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. -> -> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. -> +> - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: From e1b5c852b3ad22d351b96c9be83f1a63278f8e0c Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 8 Jan 2021 09:59:09 -0800 Subject: [PATCH 38/40] added file name extension lines 66 74 131 --- windows/privacy/manage-windows-20H2-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 57c2ce989d..d449b47b4c 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -63,7 +63,7 @@ The following methodology was used to derive these network endpoints: |||HTTPS|s-ring.msedge.net| |Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| -|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval)| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| |Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| @@ -71,7 +71,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| -|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming)| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| |Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| |||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| @@ -128,7 +128,7 @@ The following methodology was used to derive these network endpoints: |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| -|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store)| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||HTTPS|dlassets-ssl.xboxlive.com| From 3feb98073f1dd6cb03f646e9f623a95715a0a316 Mon Sep 17 00:00:00 2001 From: Thomas Date: Fri, 8 Jan 2021 10:19:23 -0800 Subject: [PATCH 39/40] Update customize-exploit-protection.md update links --- .../customize-exploit-protection.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 964158b256..3c72846e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -48,27 +48,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r | Mitigation | Description | Can be applied to | Audit mode available | | ---------- | ----------- | ----------------- | -------------------- | -| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | +| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | ![Check mark yes](../images/svg/check-yes.svg)| +| Block remote images | Prevents loading of images from remote devices. | App-level only | ![Check mark no](../images/svg/check-no.svg | +| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | !include[Check mark yes](../images/svg/check-yes.svg) | +| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Don't allow child processes | Prevents an app from creating child processes. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -76,10 +76,10 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r > > | Enabled in **Program settings** | Enabled in **System settings** | Behavior | > | ------------------------------- | ------------------------------ | -------- | -> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | -> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | -> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | -> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option | > > > From ad73f161db7095f445502d8f7bbb1dc1e058b961 Mon Sep 17 00:00:00 2001 From: Thomas Date: Fri, 8 Jan 2021 10:21:55 -0800 Subject: [PATCH 40/40] Update enable-exploit-protection.md update links --- .../microsoft-defender-atp/enable-exploit-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index c015175767..91a6dc887a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -71,10 +71,10 @@ If you add an app to the **Program settings** section and configure individual m |Enabled in **Program settings** | Enabled in **System settings** | Behavior | |:---|:---|:---| -|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | -|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | -|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | -|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | +|![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** | +|![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** | +|![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** | +|![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default