- -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | - 4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
- - -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
- - -**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. - - - -GP Info: -- GP English name: *Domain member: Disable machine account password changes* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
- **LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -2902,60 +2637,6 @@ GP Info:
- -**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -3 |
-
| Business | -3 |
-
| Enterprise | -3 |
-
| Education | -3 |
-
- - -Recovery console: Allow automatic administrative logon - -This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. - -Default: This policy is not defined and automatic administrative logon is not allowed. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -Valid values: -- 0 - disabled -- 1 - enabled (allow automatic administrative logon) - - - - -
- **LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** @@ -3095,63 +2776,6 @@ GP Info:
- -**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -System objects: Require case insensitivity for non-Windows subsystems - -This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. - -If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive. - -Default: Enabled. - - - - -
- **LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 38e9dd4066..4eb6ccaccf 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -194,6 +194,9 @@ manager: dansimp
+ + +**Update/SetProxyBehaviorForUpdateDetection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +1 |
+
| Business | +1 |
+
| Enterprise | +1 |
+
| Education | +1 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents. + +This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. + + + +ADMX Info: +- GP English name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service* +- GP name: *Select the proxy behavior* +- GP element: *Select the proxy behavior* +- GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) - Allow system proxy only for HTTP scans. +- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. +> [!NOTE] +> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + + + + +
+ **Update/TargetReleaseVersion** diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md index 328dfe2238..651f088e72 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md +++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md @@ -533,9 +533,6 @@ ms.date: 07/18/2019 - [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) - [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) - [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) -- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) - [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md index 617be22113..8e70dd707e 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -66,6 +66,7 @@ ms.date: 07/18/2019 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) - [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) +- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection) ## Related topics diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 4693bb6596..239c1f1379 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -5,7 +5,7 @@ ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D ms.reviewer: manager: dansimp ms.author: dansimp -keywords: ["MDM", "Group Policy"] +keywords: ["MDM", "Group Policy", "GP"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -21,9 +21,12 @@ ms.topic: reference **Applies to** - Windows 10 -- Windows 10 Mobile -Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591). +As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference". + +For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004. + +The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451). ## New Group Policy settings in Windows 10, version 1903 diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 671e14612b..9274477150 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso ## Other Resources -### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions) +- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 515ad60203..b101477546 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 0 = not set - 1 = AD Site - 2 = Authenticated domain SID -- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 235 and use the returned GUID value as the Group ID) +- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 0dca1d9e70..a93a577f74 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -95,7 +95,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. -To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **6048000** (7 days) or more (up to 30 days). +To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days). To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). @@ -191,7 +191,7 @@ With no options, this cmdlet returns these data: - overall efficiency - efficiency in the peered files -Using the `-ListConnections` option returns these detauls about peers: +Using the `-ListConnections` option returns these details about peers: - destination IP address - peer type diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 32b31d106f..bf3f571358 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -115,7 +115,8 @@ If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_M You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: *.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com +*.dl.delivery.mp.microsoft.com +*.delivery.mp.microsoft.com *.emdl.ws.microsoft.com If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). @@ -166,6 +167,10 @@ Check that your device can access these Windows Update endpoints: - `http://*.download.windowsupdate.com` - `http://wustat.windows.com` - `http://ntservicepack.microsoft.com` +- `https://*.prod.do.dsp.mp.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` +- `https://*.delivery.mp.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` Allow these endpoints for future use. diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 61f9a5cf61..fe1e8ae442 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -64,10 +64,10 @@ A final set of changes includes two new policies that can help you fine-tune dia - The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection** - - MDM policy: System/ LimitDiagnosticLogCollection + - MDM policy: System/LimitDumpCollection - The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** - - MDM policy: System/LimitDumpCollection + - MDM policy: System/LimitDiagnosticLogCollection >[!Important] >All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index f378372d1d..956ca7dc78 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1458,15 +1458,15 @@ To turn this Off in the UI: -OR- -- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)** +- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)** -and- -- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)** +- Create a REG_DWORD registry setting named **PublishUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)** -and- -- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 2 (two)** +- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)** ### 18.23 Voice Activation diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 4e3f264246..61198672fc 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -2189,7 +2189,7 @@ This security group was introduced in Windows Server 2012, and it has not chang IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS. -For more information, see [Understanding Built-In User and Group Accounts in IIS 7](http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). +For more information, see [Understanding Built-In User and Group Accounts in IIS 7](https://docs.microsoft.com/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). This security group has not changed since Windows Server 2008. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 6e1445768e..0686de8a9a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -44,11 +44,12 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media. +2. Open an elevated command prompt. +3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +4. To update the schema, type ```adprep /forestprep```. +5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. +6. Close the Command Prompt and sign-out. ## Create the KeyCredential Admins Security Global Group diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index babc49afc3..390355cb33 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -77,9 +77,7 @@ Communicating with Azure Active Directory uses the following URLs: - login.windows.net If your environment uses Microsoft Intune, you need these additional URLs: -- enrollment.manage-beta.microsoft.com - enrollment.manage.microsoft.com -- portal.manage-beta.microsoft.com - portal.manage.microsoft.com ## What is the difference between non-destructive and destructive PIN reset? diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 0a52de0945..028fdd4868 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -49,7 +49,7 @@ In this task you will ### Configure Active Directory to support Domain Administrator enrollment -The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. +The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8df0ef33bb..cd9f264b8a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -76,10 +76,12 @@ Certificate authorities write CRL distribution points in certificates as they ar Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. -- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. - Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. +- The domain controller's certificate's signature hash algorithm is **sha256**. +- The domain controller's certificate's public key is **RSA (2048 Bits)**. > [!Tip] @@ -301,35 +303,32 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -3. Click **device enrollment**. -4. Click **Windows enrollment** -5. Under **Windows enrollment**, click **Windows Hello for Business**. -  -6. Under **Priority**, click **Default**. -7. Under **All users and all devices**, click **Settings**. -8. Select **Enabled** from the **Configure Windows Hello for Business** list. -9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. -10. Type the desired **Minimum PIN length** and **Maximum PIN length**. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Devices**. +3. Choose **Enroll devices**. +4. Select **Windows enrollment**. +5. Under **Windows enrollment**, select **Windows Hello for Business**. +  +6. Select **Enabled** from the **Configure Windows Hello for Business** list. +7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. +8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] - > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. + > The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. - - -11. Select the appropriate configuration for the following settings. +9. Select the appropriate configuration for the following settings: * **Lowercase letters in PIN** * **Uppercase letters in PIN** * **Special characters in PIN** * **PIN expiration (days)** * **Remember PIN history** + > [!NOTE] > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. -12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. -13. Select **No** to **Allow phone sign-in**. This feature has been deprecated. -14. Click **Save** -15. Sign-out of the Azure portal. +10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. +11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. +12. Choose **Save**. +13. Sign out of the Microsoft Endpoint Manager admin center. > [!IMPORTANT] > For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 00c8e2e6f2..8a9763ebcd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -71,7 +71,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier. > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier
| Requirement | -Description | -
|---|---|
Hardware configuration |
-The computer must meet the minimum requirements for the supported Windows versions. |
-
Operating system |
-BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later. |
-
Hardware TPM |
-TPM version 1.2 or 2.0 -A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication. |
-
BIOS configuration |
-
|
-
File system |
-For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive. -For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. -For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition. |
-
Hardware encrypted drive prerequisites (optional) |
-To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled. |
-
A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|BIOS configuration|
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| +|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| + Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. @@ -106,8 +72,9 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. -> **Note:** Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. - +> [!NOTE] +> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. @@ -143,52 +110,20 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -
Encryption Type |
-Windows 10 and Windows 8.1 |
-Windows 8 |
-Windows 7 |
-
Fully encrypted on Windows 8 |
-Presents as fully encrypted |
-N/A |
-Presented as fully encrypted |
-
Used Disk Space Only encrypted on Windows 8 |
-Presents as encrypt on write |
-N/A |
-Presented as fully encrypted |
-
Fully encrypted volume from Windows 7 |
-Presents as fully encrypted |
-Presented as fully encrypted |
-N/A |
-
Partially encrypted volume from Windows 7 |
-Windows 10 and Windows 8.1 will complete encryption regardless of policy |
-Windows 8 will complete encryption regardless of policy |
-N/A |
-
Name |
-Parameters |
+Name |
+Parameters |
Add-BitLockerKeyProtector |
+Add-BitLockerKeyProtector |
-ADAccountOrGroup -ADAccountOrGroupProtector -Confirm @@ -279,26 +215,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us-WhatIf |
|
Backup-BitLockerKeyProtector |
+Backup-BitLockerKeyProtector |
-Confirm -KeyProtectorId -MountPoint -WhatIf |
|
Disable-BitLocker |
+Disable-BitLocker |
-Confirm -MountPoint -WhatIf |
|
Disable-BitLockerAutoUnlock |
+Disable-BitLockerAutoUnlock |
-Confirm -MountPoint -WhatIf |
|
Enable-BitLocker |
+Enable-BitLocker |
-AdAccountOrGroup -AdAccountOrGroupProtector -Confirm @@ -323,44 +259,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us-WhatIf |
|
Enable-BitLockerAutoUnlock |
+Enable-BitLockerAutoUnlock |
-Confirm -MountPoint -WhatIf |
|
Get-BitLockerVolume |
+Get-BitLockerVolume |
-MountPoint |
|
Lock-BitLocker |
+Lock-BitLocker |
-Confirm -ForceDismount -MountPoint -WhatIf |
|
Remove-BitLockerKeyProtector |
+Remove-BitLockerKeyProtector |
-Confirm -KeyProtectorId -MountPoint -WhatIf |
|
Resume-BitLocker |
+Resume-BitLocker |
-Confirm -MountPoint -WhatIf |
|
Suspend-BitLocker |
+Suspend-BitLocker |
-Confirm -MountPoint -RebootCount -WhatIf |
|
Unlock-BitLocker |
+Unlock-BitLocker |
-AdAccountOrGroup -Confirm -MountPoint @@ -372,28 +308,38 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us |
Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
-Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
-> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
-
-`Get-BitLockerVolume C: | fl`
+Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
+
+A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
+
+Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
+
+> [!NOTE]
+> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
+
+```powershell
+Get-BitLockerVolume C: | fl
+```
If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
+
```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
+
Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
Using this information, we can then remove the key protector for a specific volume using the command:
+
```powershell
Remove-BitLockerKeyProtector Policy description |
-With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices. |
-
Introduced |
-Windows 10, version 1703 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware. +||| +|--- |--- | +|Policy description|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| +|Introduced|Windows 10, version 1703| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.| +|When enabled|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.| +|When disabled or not configured|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.| - |
-
When enabled |
-Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication. |
-
When disabled or not configured |
-The options of the Require additional authentication at startup policy apply. |
-
Policy description |
-With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors. |
-
When disabled or not configured |
-Clients cannot create and use Network Key Protectors |
-
Policy description |
-With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-If one authentication method is required, the other methods cannot be allowed. -Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. |
-
When enabled |
-Users can configure advanced startup options in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-Users can configure only basic options on computers with a TPM. -Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. |
-
Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| -Reference +**Reference** If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -276,101 +194,46 @@ There are four options for TPM-enabled computers or devices: This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. -
Policy description |
-With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected. |
-
When disabled or not configured |
-Enhanced PINs will not be used. |
-
Policy description |
-With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits. |
-
When disabled or not configured |
-Users can configure a startup PIN of any length between 6 and 20 digits. |
-
Policy description |
-With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-Standard users are not allowed to change BitLocker PINs or passwords. |
-
When disabled or not configured |
-Standard users are permitted to change BitLocker PINs or passwords. |
-
Policy description |
-With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-Passwords cannot be used if FIPS-compliance is enabled. -
-Note
-The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled. -
-
- |
-
When enabled |
-Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity. |
-
When disabled or not configured |
-The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. |
-
**NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.|
+|When enabled|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.|
+|When disabled or not configured|The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.|
**Reference**
If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
@@ -516,44 +318,17 @@ When this policy setting is enabled, you can set the option **Configure password
This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista.
-
Policy description |
-With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives (Windows Server 2008 and Windows Vista) |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-If you choose to require an additional authentication method, other authentication methods cannot be allowed. |
-
When enabled |
-The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM. |
-
When disabled or not configured |
-The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured. |
-
Policy description |
-With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-
When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. |
-
When disabled |
-Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives. |
-
When not configured |
-Smart cards can be used to authenticate user access to a BitLocker-protected drive. |
-
Policy description |
-With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled. |
-
When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
-
When disabled |
-The user is not allowed to use a password. |
-
When not configured |
-Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-
Policy description |
-With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-
When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. |
-
When disabled or not configured |
-Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives. |
-
When not configured |
-Smart cards are available to authenticate user access to a BitLocker-protected removable data drive. |
-
Policy description |
-With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled. |
-
When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
-
When disabled |
-The user is not allowed to use a password. |
-
When not configured |
-Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-
Policy description |
-With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed and removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate. |
-
When disabled or not configured |
-The default object identifier is used. |
-
Policy description |
-With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive |
-
Conflicts |
-None |
-
When enabled |
-Devices must have an alternative means of preboot input (such as an attached USB keyboard). |
-
When disabled or not configured |
-The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. |
-
Policy description |
-With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-See the Reference section for a description of conflicts. |
-
When enabled |
-All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-
When disabled or not configured |
-All fixed data drives on the computer are mounted with Read and Write access. |
-
Policy description |
-With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-See the Reference section for a description of conflicts. |
-
When enabled |
-All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-
When disabled or not configured |
-All removable data drives on the computer are mounted with Read and Write access. |
-
Policy description |
-With this policy setting, you can control the use of BitLocker on removable data drives. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled |
-You can select property settings that control how users can configure BitLocker. |
-
When disabled |
-Users cannot use BitLocker on removable data drives. |
-
When not configured |
-Users can use BitLocker on removable data drives. |
-
Policy description |
-With this policy setting, you can control the encryption method and strength for drives. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. |
-
When disabled or not configured |
-Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy. |
-
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-None |
-
When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
When disabled |
-BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. - |
-
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
When disabled |
-BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Removable data drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
When disabled |
-BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-
Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Fixed data drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-None |
-
When enabled |
-This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Removable data drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled |
-The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
Policy description |
-With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. -When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting. |
-
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected operating system drives. |
-
When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -1501,50 +805,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**, Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. ### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. -
Policy description |
-With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error. |
-
When enabled |
-You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data. |
-
When disabled or not configured |
-The BitLocker Setup Wizard presents users with ways to store recovery options. |
-
Policy description |
-With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista. |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. |
-
When disabled or not configured |
-BitLocker recovery information is not backed up to AD DS. |
-
Policy description |
-With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password. |
-
Introduced |
-Windows Vista |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view. |
-
When disabled or not configured |
-The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder. |
-
Policy description |
-With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. -When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives. |
-
When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -1717,55 +916,29 @@ Select **Omit recovery options from the BitLocker setup wizard** to prevent user In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. -For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx). +For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. -
Policy description |
-With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. -When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected removable data drives. |
-
When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
Policy description |
-With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL. |
-
Introduced |
-Windows 10 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL |
-
Conflicts |
-None |
-
When enabled |
-The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option. |
-
When disabled or not configured |
-If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message. |
-
Policy description |
-With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. -For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-
When enabled or not configured |
-BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation. |
-
When disabled |
-BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation. |
-
For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled or not configured|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| +|When disabled|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| -Reference +**Reference** Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +> [!WARNING] +> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. ### Provide the unique identifiers for your organization This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. -
Policy description |
-With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer. |
-
When enabled |
-You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. |
-
When disabled or not configured |
-The identification field is not required. |
-
Policy description |
-With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets. |
-
Introduced |
-Windows Vista |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets. |
-
When disabled or not configured |
-BitLocker secrets are removed from memory when the computer restarts. |
-
Policy description |
-With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
When disabled or not configured |
-The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
Policy description |
-With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
When disabled or not configured |
-The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
Policy description |
-With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. -If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured. -For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-
When enabled |
-Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
When disabled or not configured |
-BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.
For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. ->**Important:** This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. +> [!IMPORTANT] +> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). @@ -2210,54 +1200,25 @@ The following list identifies all of the PCRs available: - PCR 14: Boot Authorities - PCR 15 – 23: Reserved for future use ->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!WARNING] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ### Reset platform validation data after BitLocker recovery This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. -
Policy description |
-With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
When disabled |
-Platform validation data is not refreshed when Windows is started following a BitLocker recovery. |
-
When not configured |
-Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
Policy description |
-With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). |
-
When enabled |
-You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings. |
-
When disabled |
-The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7. |
-
When not configured |
-The computer verifies the default BCD settings in Windows. |
-
Policy description |
-With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2). |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-None |
-
When enabled and When not configured |
-Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-
When disabled |
-Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-
Policy description |
-With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled and When not configured |
-Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-
When disabled |
-Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-
Policy description |
-Notes |
-
Introduced |
-Windows Server 2003 with SP1 |
-
Drive type |
-System-wide |
-
Policy path |
-Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
-
Conflicts |
-Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems. |
-
When enabled |
-Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password. |
-
When disabled or not configured |
-No BitLocker encryption key is generated |
-
-
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
+> [!IMPORTANT] +> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +
August-2020 (Platform: 4.18.2008.3 | Engine: 1.1.17400.5)
+August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
Security intelligence update version: **1.323.9.0** Released: **August 27, 2020** @@ -72,6 +76,7 @@ All our updates contain: * Improved scan event telemetry * Improved behavior monitoring for memory scans * Improved macro streams scanning +* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet ### Known Issues No known issues @@ -221,7 +226,7 @@ Support phase: **Technical upgrade Support (Only)** * Support platform updates when TMP is redirected to network path * Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) * extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.10 hang +* Fix 4.18.1911.3 hang ### Known Issues [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform. @@ -229,14 +234,17 @@ Support phase: **Technical upgrade Support (Only)** > [!IMPORTANT] > This updates is needed by RS1 devices running lower version of the platform to support SHA2.This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
+> [!IMPORTANT] +> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +
-
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 67723aa1a3..04d381db5b 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 03/28/2019
+ms.date: 09/07/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -18,6 +18,7 @@ ms.custom: asr
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx
index 84b5f2a664..bd35122350 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index f081c6ad4a..b54b1ac8a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -1,6 +1,6 @@
---
-title: Turning on network protection
-description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
+title: Turn on network protection
+description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -14,7 +14,7 @@ ms.reviewer:
manager: dansimp
---
-# Turning on network protection
+# Turn on network protection
**Applies to:**
@@ -22,6 +22,8 @@ manager: dansimp
[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
+[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
+
## Check if network protection is enabled
Check if network protection has been enabled on a local device by using Registry editor.
@@ -40,9 +42,8 @@ Check if network protection has been enabled on a local device by using Registry
Enable network protection by using any of these methods:
* [PowerShell](#powershell)
-* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mobile-device-management-mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune)
* [Group Policy](#group-policy)
### PowerShell
@@ -62,41 +63,17 @@ Enable network protection by using any of these methods:
Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature.
-### Intune
-
-1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-
-2. Go to **Device configuration** > **Profiles** > **Create profile**.
-
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
-
- 
-
-4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
-
- 
-
-5. Select **OK** to save each open section and **Create**.
-
-6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**.
-
-### Mobile Device Management (MDM)
+### Mobile device management (MDM)
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
-## Microsoft Endpoint Configuration Manager
+### Microsoft Endpoint Manager (formerly Intune)
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
+1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com)
-2. Then go to **Home** > **Create Exploit Guard Policy**.
+2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
-3. Enter a name and a description, select **Network protection**, and then **Next**.
-
-4. Choose whether to block or audit access to suspicious domains and select **Next**.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
+3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only**
### Group Policy
@@ -112,6 +89,9 @@ Use the following procedure to enable network protection on domain-joined comput
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
+> [!NOTE]
+> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus."
+
4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
* **Block** - Users can't access malicious IP addresses and domains
* **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png
new file mode 100644
index 0000000000..e1003dbe5c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png
new file mode 100644
index 0000000000..d631a23a7a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png
new file mode 100644
index 0000000000..624db40b02
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png
new file mode 100644
index 0000000000..00757fde1a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png
new file mode 100644
index 0000000000..3222b1f66d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png
new file mode 100644
index 0000000000..8979120d8f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png
new file mode 100644
index 0000000000..6b378bc697
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png
new file mode 100644
index 0000000000..ac2634f33b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png
new file mode 100644
index 0000000000..157e426bc0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png
new file mode 100644
index 0000000000..32a776aef9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png
new file mode 100644
index 0000000000..9f4126d345
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png
new file mode 100644
index 0000000000..6ffdab3e67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png
new file mode 100644
index 0000000000..7f542a3c8c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png
new file mode 100644
index 0000000000..d0679c71a7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png
new file mode 100644
index 0000000000..2f6d99294b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png
new file mode 100644
index 0000000000..88682c78a0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png
new file mode 100644
index 0000000000..ca1ff72715
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png
new file mode 100644
index 0000000000..72a6a9e334
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png
new file mode 100644
index 0000000000..5e7cf47523
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png
new file mode 100644
index 0000000000..026b643022
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png
new file mode 100644
index 0000000000..2775ac9cda
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png
new file mode 100644
index 0000000000..fa53f0826c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png
new file mode 100644
index 0000000000..d4fd512845
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png
new file mode 100644
index 0000000000..8db6715ccd
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png
new file mode 100644
index 0000000000..24eede07b8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png
new file mode 100644
index 0000000000..2159bbe1ad
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png
new file mode 100644
index 0000000000..7935e15763
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png
new file mode 100644
index 0000000000..82c5aa9d19
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png
new file mode 100644
index 0000000000..41be549fd6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png
new file mode 100644
index 0000000000..be6531a2f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png
new file mode 100644
index 0000000000..2111e5ee9c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png
new file mode 100644
index 0000000000..f0d844cbf7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png
new file mode 100644
index 0000000000..696a84fc1b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png
new file mode 100644
index 0000000000..feff40a8fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png
new file mode 100644
index 0000000000..1b3302994b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png
new file mode 100644
index 0000000000..b7a63ecc3e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png
new file mode 100644
index 0000000000..7c2c572329
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png
new file mode 100644
index 0000000000..2b44054fc5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png
new file mode 100644
index 0000000000..85d6d6dd51
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png
new file mode 100644
index 0000000000..e49c575125
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png
new file mode 100644
index 0000000000..2dd6492036
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png
new file mode 100644
index 0000000000..912ae2f634
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png
new file mode 100644
index 0000000000..741d4af9b9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png
new file mode 100644
index 0000000000..a588c74aae
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png
new file mode 100644
index 0000000000..835c7fbd32
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
index a60e510583..298cbcee39 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md
@@ -38,7 +38,7 @@ It's important to understand the following requirements prior to creating indica
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later.
+- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- The virus and threat protection definitions must be up-to-date.
- This feature currently supports entering .CER or .PEM file extensions.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
index c3312ea5e8..d350f89d1c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md
@@ -37,7 +37,7 @@ It's important to understand the following prerequisites prior to creating indic
- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
-- Supported on machines on Windows 10, version 1703 or later.
+- Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
@@ -76,4 +76,4 @@ Files automatically blocked by an indicator won't show up in the file's Action c
- [Create indicators](manage-indicators.md)
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
\ No newline at end of file
+- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
new file mode 100644
index 0000000000..1a7490d88e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md
@@ -0,0 +1,226 @@
+---
+title: Microsoft Defender ATP for iOS Application license terms
+ms.reviewer:
+description: Describes the Microsoft Defender ATP for iOS license terms
+keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: sunasing
+author: sunasing
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+hideEdit: true
+---
+
+# Microsoft Defender ATP for iOS application license terms
+
+## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
+
+These license terms ("Terms") are an agreement between Microsoft Corporation (or
+based on where you live, one of its affiliates) and you. Please read them. They
+apply to the application named above. These Terms also apply to any Microsoft
+
+- updates,
+
+- supplements,
+
+- Internet-based services, and
+
+- support services
+
+for this application, unless other terms accompany those items. If so, those
+terms apply.
+
+**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
+DO NOT USE THE APPLICATION.**
+
+**If you comply with these Terms, you have the perpetual rights below.**
+
+1. **INSTALLATION AND USE RIGHTS.**
+
+ 1. **Installation and Use.** You may install and use any number of copies
+ of this application on iOS enabled device or devices which you own
+ or control. You may use this application with your company's valid
+ subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
+ an online service that includes MDATP functionalities.
+
+ 2. **Updates.** Updates or upgrades to MDATP may be required for full
+ functionality. Some functionality may not be available in all countries.
+
+ 3. **Third Party Programs.** The application may include third party
+ programs that Microsoft, not the third party, licenses to you under this
+ agreement. Notices, if any, for the third-party program are included for
+ your information only.
+
+2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
+ Internet access, data transfer and other services per the terms of the data
+ service plan and any other agreement you have with your network operator due
+ to use of the application. You are solely responsible for any network
+ operator charges.
+
+3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
+ the application. It may change or cancel them at any time.
+
+ 1. Consent for Internet-Based or Wireless Services. The application may
+ connect to Internet-based wireless services. Your use of the application
+ operates as your consent to the transmission of standard device
+ information (including but not limited to technical information about
+ your device, system and application software, and peripherals) for
+ Internet-based or wireless services. If other terms are provided in
+ connection with your use of the services, those terms also apply.
+
+ - Data. Some online services require, or may be enhanced by, the
+ installation of local software like this one. At your, or your
+ admin's direction, this software may send data from a device to or
+ from an online service.
+
+ - Usage Data. Microsoft automatically collects usage and performance
+ data over the internet. This data will be used to provide and
+ improve Microsoft products and services and enhance your experience.
+ You may limit or control collection of some usage and performance
+ data through your device settings. Doing so may disrupt your use of
+ certain features of the application. For additional information on
+ Microsoft's data collection and use, see the [Online Services
+ Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
+
+ 2. Misuse of Internet-based Services. You may not use any Internet-based
+ service in any way that could harm it or impair anyone else's use of it
+ or the wireless network. You may not use the service to try to gain
+ unauthorized access to any service, data, account or network by any
+ means.
+
+4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
+ give to Microsoft, without charge, the right to use, share and commercialize
+ your feedback in any way and for any purpose. You also give to third
+ parties, without charge, any patent rights needed for their products,
+ technologies and services to use or interface with any specific parts of a
+ Microsoft software or service that includes the feedback. You will not give
+ feedback that is subject to a license that requires Microsoft to license its
+ software or documentation to third parties because we include your feedback
+ in them. These rights survive this agreement.
+
+5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
+ only gives you some rights to use the application. Microsoft reserves all
+ other rights. Unless applicable law gives you more rights despite this
+ limitation, you may use the application only as expressly permitted in this
+ agreement. In doing so, you must comply with any technical limitations in
+ the application that only allow you to use it in certain ways. You may not
+
+ - work around any technical limitations in the application;
+
+ - reverse engineer, decompile or disassemble the application, except and
+ only to the extent that applicable law expressly permits, despite this
+ limitation;
+
+ - make more copies of the application than specified in this agreement or
+ allowed by applicable law, despite this limitation;
+
+ - publish the application for others to copy;
+
+ - rent, lease or lend the application; or
+
+ - transfer the application or this agreement to any third party.
+
+6. **EXPORT RESTRICTIONS.** The application is subject to United States export
+ laws and regulations. You must comply with all domestic and international
+ export laws and regulations that apply to the application. These laws
+ include restrictions on destinations, end users and end use. For additional
+ information,
+ see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+
+7. **SUPPORT SERVICES.** Because this application is "as is," we may not
+ provide support services for it. If you have any issues or questions about
+ your use of this application, including questions about your company's
+ privacy policy, please contact your company's admin. Do not contact the
+ application store, your network operator, device manufacturer, or Microsoft.
+ The application store provider has no obligation to furnish support or
+ maintenance with respect to the application.
+
+8. **APPLICATION STORE.**
+
+ 1. If you obtain the application through an application store (e.g., App
+ Store), please review the applicable application store terms to ensure
+ your download and use of the application complies with such terms.
+ Please note that these Terms are between you and Microsoft and not with
+ the application store.
+
+ 2. The respective application store provider and its subsidiaries are third
+ party beneficiaries of these Terms, and upon your acceptance of these
+ Terms, the application store provider(s) will have the right to directly
+ enforce and rely upon any provision of these Terms that grants them a
+ benefit or rights.
+
+9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
+ Microsoft 365 are registered or common-law trademarks of Microsoft
+ Corporation in the United States and/or other countries.
+
+10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
+ Internet-based services, and support services that you use are the entire
+ agreement for the application and support services.
+
+11. **APPLICABLE LAW.**
+
+ 1. **United States.** If you acquired the application in the United States,
+ Washington state law governs the interpretation of this agreement and
+ applies to claims for breach of it, regardless of conflict of laws
+ principles. The laws of the state where you live govern all other
+ claims, including claims under state consumer protection laws, unfair
+ competition laws, and in tort.
+
+ 2. **Outside the United States.** If you acquired the application in any
+ other country, the laws of that country apply.
+
+12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
+ have other rights under the laws of your country. You may also have rights
+ with respect to the party from whom you acquired the application. This
+ agreement does not change your rights under the laws of your country if the
+ laws of your country do not permit it to do so.
+
+13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
+ FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
+ WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
+ EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
+ EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
+ APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+ APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
+ ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
+ CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
+ THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NON-INFRINGEMENT.**
+
+ **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
+
+14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
+ PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
+ ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
+ DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
+ INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
+
+This limitation applies to:
+
+- anything related to the application, services, content (including code) on
+ third party Internet sites, or third party programs; and
+
+- claims for breach of contract, warranty, guarantee or condition; consumer
+ protection; deception; unfair competition; strict liability, negligence,
+ misrepresentation, omission, trespass or other tort; violation of statute or
+ regulation; or unjust enrichment; all to the extent permitted by applicable
+ law.
+
+It also applies even if:
+
+a. Repair, replacement or refund for the application does not fully compensate
+ you for any losses; or
+
+b. Covered Parties knew or should have known about the possibility of the
+ damages.
+
+The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
new file mode 100644
index 0000000000..5a3d023354
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
@@ -0,0 +1,355 @@
+---
+title: Onboarding using Microsoft Endpoint Configuration Manager
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Configuration Manager
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+## Collection creation
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
+deployment can target either and existing collection or a new collection can be
+created for testing. The onboarding like group policy or manual method does
+not install any agent on the system. Within the Configuration Manager console
+the onboarding process will be configured as part of the compliance settings
+within the console. Any system that receives this required configuration will
+maintain that configuration for as long as the Configuration Manager client
+continues to receive this policy from the management point. Follow the steps
+below to onboard systems with Configuration Manager.
+
+1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+
+ 
+
+2. Right Click **Device Collection** and select **Create Device Collection**.
+
+ 
+
+3. Provide a **Name** and **Limiting Collection**, then select **Next**.
+
+ 
+
+4. Select **Add Rule** and choose **Query Rule**.
+
+ 
+
+5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+
+ 
+
+6. Select **Criteria** and then choose the star icon.
+
+ 
+
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
+
+ 
+
+8. Select **Next** and **Close**.
+
+ 
+
+9. Select **Next**.
+
+ 
+
+After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
+
+## Endpoint detection and response
+### Windows 10
+From within the Microsoft Defender Security Center it is possible to download
+the '.onboarding' policy that can be used to create the policy in System Center Configuration
+Manager and deploy that policy to Windows 10 devices.
+
+1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
+
+
+
+2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
+
+ 
+
+3. Select **Download package**.
+
+ 
+
+4. Save the package to an accessible location.
+5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+
+6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
+
+ 
+
+7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
+
+ 
+
+8. Click **Browse**.
+
+9. Navigate to the location of the downloaded file from step 4 above.
+
+10. Click **Next**.
+11. Configure the Agent with the appropriate samples (**None** or **All file types**).
+
+ 
+
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+
+ 
+
+14. Verify the configuration, then click **Next**.
+
+ 
+
+15. Click **Close** when the Wizard completes.
+
+16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+
+ 
+
+17. On the right panel, select the previously created collection and click **OK**.
+
+ 
+
+
+### Previous versions of Windows Client (Windows 7 and Windows 8.1)
+Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+
+1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
+
+2. Under operating system choose **Windows 7 SP1 and 8.1**.
+
+3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
+
+ 
+
+4. Install the Microsoft Monitoring Agent (MMA). November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)
+November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)
Security intelligence update version: **1.307.13.0** Released: **December 7, 2019** -Platform: **4.18.1911.2** +Platform: **4.18.1911.3** Engine: **1.1.17000.7** Support phase: **No support** @@ -248,7 +256,7 @@ Support phase: **No support** * add MRT logs to support files ### Known Issues -No known issues +When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.+ MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: + + - Server SKUs: Windows Server 2008 SP1 or Newer + + - Client SKUs: Windows 7 SP1 and later + + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: + + - Windows 8.1 + + - Windows 7 + + - Windows Server 2016 + + - Windows Server 2012 R2 + + - Windows Server 2008 R2 + + Specifically, for Windows 7 SP1, the following patches must be installed: + + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) + + - Install either [.NET Framework + 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. + +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. + +Once completed, you should see onboarded endpoints in the portal within an hour. + +## Next generation protection +Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. + +  + +2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. + +  + + In certain industries or some select enterprise customers might have specific +needs on how Antivirus is configured. + + + [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) + + For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) + + +  + +  + +  + +  + +  + +  + +  + +  + +3. Right-click on the newly created antimalware policy and select **Deploy**. + +  + +4. Target the new antimalware policy to your Windows 10 collection and click **OK**. + +  + +After completing this task, you now have successfully configured Windows +Defender Antivirus. + +## Attack surface reduction +The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit +Protection. + +All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. + +To set ASR rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + +  + + +2. Select **Attack Surface Reduction**. + + +3. Set rules to **Audit** and click **Next**. + +  + +4. Confirm the new Exploit Guard policy by clicking on **Next**. + +  + + +5. Once the policy is created click **Close**. + +  + + + +6. Right-click on the newly created policy and choose **Deploy**. + +  + +7. Target the policy to the newly created Windows 10 collection and click **OK**. + +  + +After completing this task, you now have successfully configured ASR rules in audit mode. + +Below are additional steps to verify whether ASR rules are correctly applied to +endpoints. (This may take few minutes) + + +1. From a web browser, navigate to
+> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add). + +### Create a group + +1. Open the MEM portal. + +2. Open **Groups > New Group**. + +  + +3. Enter details and create a new group. + +  + +4. Add your test user or device. + +5. From the **Groups > All groups** pane, open your new group. + +6. Select **Members > Add members**. + +7. Find your test user or device and select it. + +  + +8. Your testing group now has a member to test. + +## Create configuration policies +In the following section, you'll create a number of configuration policies. +First is a configuration policy to select which groups of users or devices will +be onboarded to Microsoft Defender ATP. Then you will continue by creating several +different types of Endpoint security policies. + +### Endpoint detection and response + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Endpoint detection and response**. Click + on **Create Profile**. + +  + +3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection + and response > Create**. + +4. Enter a name and description, then select **Next**. + +  + +5. Select settings as required, then select **Next**. + +  + + >[!NOTE] + >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
+ + +  + +6. Add scope tags if necessary, then select **Next**. + +  + +7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. + +  + +8. Review and accept, then select **Create**. + +  + +9. You can view your completed policy. + +  + +### Next-generation protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Antivirus > Create Policy**. + +  + +3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft + Defender Antivirus > Create**. + +4. Enter name and description, then select **Next**. + +  + +5. In the **Configuration settings page**: Set the configurations you require for + Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time + Protection, and Remediation). + +  + +6. Add scope tags if necessary, then select **Next**. + +  + +7. Select groups to include, assign to your test group, then select **Next**. + +  + +8. Review and create, then select **Create**. + +  + +9. You'll see the configuration policy you created. + +  + +### Attack Surface Reduction – Attack surface reduction rules + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Attack surface reduction**. + +3. Select **Create Policy**. + +4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction + rules > Create**. + +  + +5. Enter a name and description, then select **Next**. + +  + +6. In the **Configuration settings page**: Set the configurations you require for + Attack surface reduction rules, then select **Next**. + + >[!NOTE] + >We will be configuring all of the Attack surface reduction rules to Audit. + + For more information, see [Attack surface reduction rules](attack-surface-reduction.md). + +  + +7. Add Scope Tags as required, then select **Next**. + +  + +8. Select groups to include and assign to test group, then select **Next**. + +  + +9. Review the details, then select **Create**. + +  + +10. View the policy. + +  + +### Attack Surface Reduction – Web Protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Attack surface reduction**. + +3. Select **Create Policy**. + +4. Select **Windows 10 and Later – Web protection > Create**. + +  + +5. Enter a name and description, then select **Next**. + +  + +6. In the **Configuration settings page**: Set the configurations you require for + Web Protection, then select **Next**. + + >[!NOTE] + >We are configuring Web Protection to Block. + + For more information, see [Web Protection](web-protection-overview.md). + +  + +7. Add **Scope Tags as required > Next**. + +  + +8. Select **Assign to test group > Next**. + +  + +9. Select **Review and Create > Create**. + +  + +10. View the policy. + +  + +## Validate configuration settings + + +### Confirm Policies have been applied + + +Once the Configuration policy has been assigned, it will take some time to apply. + +For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy. + +1. Open the MEM portal and navigate to the relevant policy as shown in the + steps above. The following example shows the next generation protection settings. + +  + +2. Select the **Configuration Policy** to view the policy status. + +  + +3. Select **Device Status** to see the status. + +  + +4. Select **User Status** to see the status. + +  + +5. Select **Per-setting status** to see the status. + + >[!TIP] + >This view is very useful to identify any settings that conflict with another policy. + +  + +### Endpoint detection and response + + +1. Before applying the configuration, the Microsoft Defender ATP + Protection service should not be started. + +  + +2. After the configuration has been applied, the Microsoft Defender ATP + Protection Service should be started. + +  + +3. After the services are running on the device, the device appears in Microsoft + Defender Security Center. + +  + +### Next-generation protection + +1. Before applying the policy on a test device, you should be able to manually + manage the settings as shown below. + +  + +2. After the policy has been applied, you should not be able to manually manage + the settings. + + >[!NOTE] + > In the following image **Turn on cloud-delivered protection** and + **Turn on real-time protection** are being shown as managed. + +  + +### Attack Surface Reduction – Attack surface reduction rules + + +1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`. + +2. This should respond with the following lines with no content: + + AttackSurfaceReductionOnlyExclusions: + + AttackSurfaceReductionRules_Actions: + + AttackSurfaceReductionRules_Ids: + +  + +3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. + +4. This should respond with the following lines with content as shown below: + +  + +### Attack Surface Reduction – Web Protection + +1. On the test device, open a PowerShell Windows and type + `(Get-MpPreference).EnableNetworkProtection`. + +2. This should respond with a 0 as shown below. + +  + +3. After applying the policy, open a PowerShell Windows and type + `(Get-MpPreference).EnableNetworkProtection`. + +4. This should respond with a 1 as shown below. + +  diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 79394ceaf0..734f99dee0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -51,343 +51,21 @@ You are currently in the onboarding phase. -To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. +To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. -The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment. +Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. -This article will guide you on: -- Setting up Microsoft Endpoint Configuration Manager +After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. + + +This article provides resources to guide you on: +- Using various management tools to onboard devices + - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) + - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration -## Onboarding using Microsoft Endpoint Configuration Manager -### Collection creation -To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the -deployment can target either and existing collection or a new collection can be -created for testing. The onboarding like group policy or manual method does -not install any agent on the system. Within the Configuration Manager console -the onboarding process will be configured as part of the compliance settings -within the console. Any system that receives this required configuration will -maintain that configuration for as long as the Configuration Manager client -continues to receive this policy from the management point. Follow the steps -below to onboard systems with Configuration Manager. - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - -  - -2. Right Click **Device Collection** and select **Create Device Collection**. - -  - -3. Provide a **Name** and **Limiting Collection**, then select **Next**. - -  - -4. Select **Add Rule** and choose **Query Rule**. - -  - -5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - -  - -6. Select **Criteria** and then choose the star icon. - -  - -7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. - -  - -8. Select **Next** and **Close**. - -  - -9. Select **Next**. - -  - -After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. - -## Endpoint detection and response -### Windows 10 -From within the Microsoft Defender Security Center it is possible to download -the '.onboarding' policy that can be used to create the policy in System Center Configuration -Manager and deploy that policy to Windows 10 devices. - -1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). - - - -2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. - -  - -3. Select **Download package**. - -  - -4. Save the package to an accessible location. -5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. - -6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - -  - -7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - -  - -8. Click **Browse**. - -9. Navigate to the location of the downloaded file from step 4 above. - -10. Click **Next**. -11. Configure the Agent with the appropriate samples (**None** or **All file types**). - -  - -12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. - -  - -14. Verify the configuration, then click **Next**. - -  - -15. Click **Close** when the Wizard completes. - -16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. - -  - -17. On the right panel, select the previously created collection and click **OK**. - -  - - -### Previous versions of Windows Client (Windows 7 and Windows 8.1) -Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. - -1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. - -2. Under operating system choose **Windows 7 SP1 and 8.1**. - -3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. - -  - -4. Install the Microsoft Monitoring Agent (MMA).
- MMA is currently (as of January 2019) supported on the following Windows Operating - Systems: - - - Server SKUs: Windows Server 2008 SP1 or Newer - - - Client SKUs: Windows 7 SP1 and later - - The MMA agent will need to be installed on Windows devices. To install the - agent, some systems will need to download the [Update for customer experience - and diagnostic - telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - in order to collect the data with MMA. These system versions include but may not - be limited to: - - - Windows 8.1 - - - Windows 7 - - - Windows Server 2016 - - - Windows Server 2012 R2 - - - Windows Server 2008 R2 - - Specifically, for Windows 7 SP1, the following patches must be installed: - - - Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - - - Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. - -Once completed, you should see onboarded endpoints in the portal within an hour. - -## next-generation protection -Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. - -  - -2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. - -  - - In certain industries or some select enterprise customers might have specific -needs on how Antivirus is configured. - - - [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) - - For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) - - -  - -  - -  - -  - -  - -  - -  - -  - -3. Right-click on the newly created antimalware policy and select **Deploy**. - -  - -4. Target the new antimalware policy to your Windows 10 collection and click **OK**. - -  - -After completing this task, you now have successfully configured Windows -Defender Antivirus. - -## Attack surface reduction -The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit -Protection. - -All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. - -To set ASR rules in Audit mode: - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - -  - - -2. Select **Attack Surface Reduction**. - - -3. Set rules to **Audit** and click **Next**. - -  - -4. Confirm the new Exploit Guard policy by clicking on **Next**. - -  - - -5. Once the policy is created click **Close**. - -  - - - -6. Right-click on the newly created policy and choose **Deploy**. - -  - -7. Target the policy to the newly created Windows 10 collection and click **OK**. - -  - -After completing this task, you now have successfully configured ASR rules in audit mode. - -Below are additional steps to verify whether ASR rules are correctly applied to -endpoints. (This may take few minutes) - - -1. From a web browser, navigate to