From 924e677459027a8c126e20abb35a922fe7bcb395 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 2 Oct 2023 16:02:29 -0700 Subject: [PATCH 001/114] xplat-copilot-8348943 --- windows/client-management/copilot-overview.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 windows/client-management/copilot-overview.md diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md new file mode 100644 index 0000000000..03652ef8a4 --- /dev/null +++ b/windows/client-management/copilot-overview.md @@ -0,0 +1,14 @@ +--- +title: Copilot in Windows Overview +description: Learn about Copilot in Windows. +ms.topic: overview +ms.date: 10/26/2023 +appliesto: +- ✅ Windows 11, version 22H2 or later +--- + +# What is Copilot in Windows? + +Copilot in Windows provides centralized generative AI assistance to your users right from the desktop. + +## From 4a4aabf26cb2092d3f6c866d05789fc5476c382b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 4 Oct 2023 15:01:31 -0700 Subject: [PATCH 002/114] xplat-copilot-8348943 --- windows/client-management/copilot-overview.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 03652ef8a4..557a48b03e 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
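Review bot: the new file ends with an empty `## ` heading after the opening sentence, which will render as a blank section header; either drop it or give it the title of the section it is meant to introduce. Also, the front matter's `ms.date: 10/26/2023` is later than the commit date (2 Oct 2023); confirm it is the intended publish date rather than a typo.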
@@ -9,6 +9,19 @@ appliesto: # What is Copilot in Windows? -Copilot in Windows provides centralized generative AI assistance to your users right from the desktop. +>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). + +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows is a bit different from Copilot in Edge, which provides assistance in the browser. However, both user experiences can share the same underlying chat provider platform. + +## Chat provider platforms for Copilot in Windows + +Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: + +- [Bing chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios +- [Bing chat enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios + - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. + + + + -## From ce9bbd317623170639adbdfac43c8769819f2f8d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 5 Oct 2023 07:15:01 -0700 Subject: [PATCH 003/114] xplat-copilot-8348943 --- windows/client-management/copilot-overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 557a48b03e..3d37b8c2f9 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
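Review bot: `dependant` in "dependant on your organization's configuration" should be `dependent`. The provider names in the new list are lowercased (`Bing chat`, `Bing chat enterprise`) where the product names are Bing Chat and Bing Chat Enterprise, and the hunk adds four empty `+` lines before the `-##` removal; trim them so the file does not end in a run of blank lines.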
@@ -11,7 +11,9 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows is a bit different from Copilot in Edge, which provides assistance in the browser. However, both user experiences can share the same underlying chat provider platform. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. + +Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences can share the same underlying chat provider platform. ## Chat provider platforms for Copilot in Windows From a31e324d8a007257aa1f0ae1ed9b4f9af5cb45e2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 5 Oct 2023 07:29:56 -0700 Subject: [PATCH 004/114] dep-psr-8412957 --- windows/whats-new/deprecated-features.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index e13121f3d9..44e79e6fc5 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,7 +1,7 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. -ms.date: 09/01/2023 +ms.date: 10/07/2023 ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium 
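Review bot: in the new second paragraph, "since it can also perform actions such as changing Windows settings" has an ambiguous subject; as written, "it" reads most naturally as Bing Chat in the Edge sidebar, the opposite of what is meant. Suggest "because Copilot in Windows can also perform actions such as changing Windows settings". Also "side bar" should be "sidebar", matching the link text "Bing Chat in the Microsoft Edge sidebar" in the same paragraph.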
@@ -36,9 +36,10 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | -| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | -| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. 
Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| +| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft ClipChamp. | October 2023 | +| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | +| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. 
Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | +| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| | Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 | | Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 | | Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.

Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 | From 8740f322058e496378a1e0f6126db3e499f49692 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 5 Oct 2023 07:35:43 -0700 Subject: [PATCH 005/114] dep-psr-8412957 --- windows/whats-new/deprecated-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 44e79e6fc5..c15728063a 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md 
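Review bot: the re-added AllJoyn row keeps the missing space in "reading temperatures.AllSeen Alliance promoted"; since the line is being rewritten anyway, fix it here. In the new Steps Recorder row, "Microsoft ClipChamp" should be "Microsoft Clipchamp", and the announced date "October 2023" lacks the day that the neighbouring rows ("September 1, 2023", "August 17, 2023") carry; use the full date if one is known. The WordPad, AllJoyn and TLS rows appear as both `-` and `+` lines with no visible textual change, so check that this is an intended reorder rather than a whitespace-only rewrite that inflates the diff.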
@@ -36,7 +36,7 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft ClipChamp. | October 2023 | +| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | October 2023 | | WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | | AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. 
Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | | TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| From 6e6ce0a2979b6e99270aa70d950cc198cd94a759 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 9 Oct 2023 08:30:28 -0700 Subject: [PATCH 006/114] stash --- windows/client-management/copilot-overview.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 3d37b8c2f9..6164173c16 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
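Review bot: the one-word correction (ClipChamp to Clipchamp) in the Steps Recorder row is fine, but the commit message `dep-psr-8412957` is identical to the previous commit's; a message naming the correction would make the history searchable. The row still reads "October 2023" without a day while every other row carries a full date.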
@@ -11,9 +11,8 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it can possibly be used to access sensitive information. -Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences can share the same underlying chat provider platform. ## Chat provider platforms for Copilot in Windows 
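Review bot: merging the two paragraphs into one long run buries the security point; keep the closing sentence ("It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it can possibly be used to access sensitive information") as its own paragraph and state the risk concretely. "can possibly be used to access sensitive information" suggests the assistant reads data on its own, which is not what the page describes; the accurate statement is that users can type or paste sensitive information into the chat provider, and a consumer provider does not carry commercial data protections. "side bar" should also be "sidebar".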
@@ -23,7 +22,9 @@ Copilot in Windows uses one of the following chat provider platforms, dependant - [Bing chat enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. - +## How to enable Copilot in Windows + +Copilot in Windows won't be enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). One a managed device installs the 2023 annual update, From 4f9dfe5e188f43ed55bb2dcff92c6f620ac9b302 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:58:26 -0700 Subject: [PATCH 007/114] copilot-xplat-8348943 --- windows/client-management/copilot-overview.md | 45 +++++++++++++++++-- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 6164173c16..b82d5e86ed 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
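Review bot: the hunk ends mid-sentence ("One a managed device installs the 2023 annual update,") and the commit is titled `stash`, so this is work in progress that should not land on the published branch in this state; finish the sentence or hold the commit. When it is completed, "One" should be "Once", and "manged" should be "managed" in "manged Windows 11, version 22H2 devices".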
@@ -11,20 +11,57 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it can possibly be used to access sensitive information. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. ## Chat provider platforms for Copilot in Windows Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: -- [Bing chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios -- [Bing chat enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios +- [Bing Chat Enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. + - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. +- [Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios ## How to enable Copilot in Windows -Copilot in Windows won't be enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). One a managed device installs the 2023 annual update, +1. [Configure the chat provider](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) platform that Copilot in Windows uses: + - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for business environments) + - Bing Chat (default, intended for consumer environments) + +1. 
Ensure the Copilot in Windows user experience is enabled: + - Windows 11, version 22H2 clients + - Windows 11 clients with the 2023 annual update installed (coming soon) +### Configure the chat provider platform that Copilot in Windows uses +**Bing Chat Enterprise:** +1. By default, Bing Chat Enterprise is enabled for users with one of the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Business Standard + - Business Premium +1. Verify that users have the license by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. In the admin enter, select **Users** > **Active users** and verify that they have one of the licenses listed above. +1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. +1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. +1. Verify that **Bing Chat Enterprise** is enabled for the user. + + + +### Enable Copilot in Windows for Windows 11, version 22H2 clients + +Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
+ +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: + +**GPOs/CSPs to set** + +### Windows 11 clients with the 2023 annual update installed (coming soon) + + +One a managed device installs the 2023 annual update, the Copilot in Windows user experience is enabled by default. Organizations that aren't ready to use Copilot in Windows can disable it until they are ready by using either of the following permanent controls: + +- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** \ No newline at end of file From 4124d5918ae3041225d011a8cbacf2d95c9a1bc9 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 10 Oct 2023 15:25:09 -0700 Subject: [PATCH 008/114] edits --- windows/client-management/copilot-overview.md | 47 ++++++++++++++++--- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index b82d5e86ed..3e25d89345 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
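Review bot: the hunk ships several placeholders into a published page: the bold line "**GPOs/CSPs to set**" stands in for the actual enablement steps under "Enable Copilot in Windows for Windows 11, version 22H2 clients", the heading "Windows 11 clients with the 2023 annual update installed (coming soon)" is followed by nothing but blank lines before the next paragraph, and step 2 of "How to enable Copilot in Windows" lists two client types without links to the sections that cover them. The prose also has "manged" (managed), "One a managed device" (Once), "In the admin enter" (admin center), and "Windows Updates for Business" where the same paragraph says "Windows Update for Business". In the Bing Chat Enterprise steps, item 1 ("By default, Bing Chat Enterprise is enabled for users with one of the following licenses") is a statement, not an action; make it an introductory sentence so the numbered list contains only the verification steps. Finally, the file ends without a newline (`\ No newline at end of file`).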
@@ -36,27 +36,60 @@ Copilot in Windows uses one of the following chat provider platforms, dependant ### Configure the chat provider platform that Copilot in Windows uses -**Bing Chat Enterprise:** -1. By default, Bing Chat Enterprise is enabled for users with one of the following licenses: +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. + +#### Bing Chat as the chat provider platform + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: +- Bing Chat Enterprise isn't configured for the user +- Bing Chat Enterprise is turned off +- The user isn't signed in with a Microsoft account rather than a Microsoft Entra account, + +Bing Chat is intended for consumer use scenarios and has the following privacy and security protections: + +1. Review [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a), and the privacy statement for using Bing Chat, which is in the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement). Ensure you include the product specific guidance in the Microsoft privacy statement for Bing under the Search, Microsoft Edge, and artificial intelligence section. + +#### Bing Chat Enterprise as the chat provider platform (recommended for business environments) + +1. Review the Bing Chat Enterprise [privacy statement](https://learn.microsoft.com/bing-chat-enterprise/privacy-and-protections). +1. By default, Bing Chat Enterprise is enabled for users that are assigned one of the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Business Standard - Business Premium 1. Verify that users have the license by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. 
In the admin enter, select **Users** > **Active users** and verify that they have one of the licenses listed above. +1. In the admin center, select **Users** > **Active users** and verify that users have one of the licenses listed above. 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. - +```http +*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* +*licensedetails does output BCE, so its a matter of just getting the query right* +**powershell or http preferably** +Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails +{ + "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", + "servicePlanName": "Bing_Chat_Enterprise", + "provisioningStatus": "Success", + "appliesTo": "User" +}, +https://learn.microsoft.com/graph/api/resources/licensedetails +``` ### Enable Copilot in Windows for Windows 11, version 22H2 clients -Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
+Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'll need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: -**GPOs/CSPs to set** +1. Verify that the users accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. Apply a policy to disable temporary enterprise control. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** + + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. +1. ### Windows 11 clients with the 2023 annual update installed (coming soon) From 4d13dbacffdfd99be3afb6363259bbe8706b8fa1 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 10 Oct 2023 15:56:18 -0700 Subject: [PATCH 009/114] edits --- windows/client-management/copilot-overview.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 3e25d89345..89a8bd5042 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
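Review bot: the ```http block after the Bing Chat Enterprise verification steps contains author notes ("*would be nice to have a Graph query that lists users that do/do not have BCE app enabled*", "Ex output from my lab") rather than a request sample, and it will render to readers as-is; keep the TODO outside the article, and when the query is ready show the actual `GET https://graph.microsoft.com/v1.0/me/licenseDetails` call with the `"servicePlanName": "Bing_Chat_Enterprise"` entry as the thing to look for. The third condition under "Bing Chat as the chat provider platform", "The user isn't signed in with a Microsoft account rather than a Microsoft Entra account,", contradicts itself and ends with a comma; the condition is that the user isn't signed in with a Microsoft Entra account licensed for Bing Chat Enterprise. "Bing Chat is intended for consumer use scenarios and has the following privacy and security protections:" is followed by a single numbered item that is an instruction to review documents, not a list of protections. The enablement steps end with an empty "1." item, "users accounts" should be "user accounts", "polices" should be "policies", and the KB5022845 link carries an `en-us` locale segment that the other links on the page omit.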
@@ -39,15 +39,17 @@ Copilot in Windows uses one of the following chat provider platforms, dependant Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. #### Bing Chat as the chat provider platform - -Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + - Bing Chat Enterprise isn't configured for the user -- Bing Chat Enterprise is turned off -- The user isn't signed in with a Microsoft account rather than a Microsoft Entra account, +- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) +- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise -Bing Chat is intended for consumer use scenarios and has the following privacy and security protections: +The Bing Chat is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without these extra protections. The following privacy and security protections apply for Bing Chat: -1. Review [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a), and the privacy statement for using Bing Chat, which is in the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement). Ensure you include the product specific guidance in the Microsoft privacy statement for Bing under the Search, Microsoft Edge, and artificial intelligence section. 
+- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) +- The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. #### Bing Chat Enterprise as the chat provider platform (recommended for business environments) From cf7868e20428c47745c9fed019a57f898ddf003f Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 13 Oct 2023 16:06:01 -0700 Subject: [PATCH 010/114] add enable opt updates --- windows/client-management/copilot-overview.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 89a8bd5042..d3c255916f 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
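Review bot: the rewritten lead sentence reads "The Bing Chat is a consumer experience"; drop the article so it matches "Bing Chat is used..." two lines above. Replacing the garbled bullet "isn't signed in with a Microsoft account rather than a Microsoft Entra account" with "isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise" is the right fix, but "Bing Chat Enterprise isn't configured for the user" and the new bullet now describe closely related states; say what "configured" means (for example, the Bing Chat Enterprise app enabled on the user's license) so an admin knows which of the two to check. The two added lines after "occur:" carry only whitespace ("+ " and "+ -"); trim the trailing spaces. The hunk header context still has "dependant", which should be "dependent".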
@@ -91,7 +91,13 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'l - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. +1. Depending on how soon you start deploying Copilot in Windows, you may also need to also enable optional updates with one of the following policies: + Enable optional updates for Windows 11, version 22H2 and later + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. + > [!NOTE] + > Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). When setting the policy for optional updates, ensure you select an option that includes CFRs. For more information, see [Enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) ### Windows 11 clients with the 2023 annual update installed (coming soon) From 8df1cfe248fe173620a8d3bd803c9a700ac1c0ec Mon Sep 17 00:00:00 2001 
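Review bot: the line "Enable optional updates for Windows 11, version 22H2 and later" is inserted between the list item and its bullets with no bullet, bold or indentation of its own, so it renders as a run-on of the preceding sentence; either fold it into the sentence or make it a sub-item. "you may also need to also enable" repeats "also". The added NOTE ends without a period after the "Enable optional updates" link. The Group Policy and CSP names here follow the same pattern as the temporary enterprise control block above (both under the "Windows Update for Business" settings catalog category), which keeps the two steps consistent.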
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 10:17:27 -0700 Subject: [PATCH 011/114] edits --- windows/client-management/copilot-overview.md | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index d3c255916f..ba951762b1 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -1,6 +1,6 @@ --- title: Copilot in Windows Overview -description: Learn about Copilot in Windows. +description: Learn about managing Copilot in Windows for commercial environments. ms.topic: overview ms.date: 10/26/2023 appliesto: 
@@ -91,18 +91,25 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'l - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. Depending on how soon you start deploying Copilot in Windows, you may also need to also enable optional updates with one of the following policies: - Enable optional updates for Windows 11, version 22H2 and later +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you may also need to also [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - > [!NOTE] - > Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). When setting the policy for optional updates, ensure you select an option that includes CFRs. 
For more information, see [Enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) + + > [!Note] + > These optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + > - Automatically receive optional updates (including CFRs) + > - Users can select which optional updates to receive + + + + + ### Windows 11 clients with the 2023 annual update installed (coming soon) - -One a managed device installs the 2023 annual update, the Copilot in Windows user experience is enabled by default. Organizations that aren't ready to use Copilot in Windows can disable it until they are ready by using either of the following permanent controls: +One a managed device installs the 2023 annual update, likely to be called 23H2, the Copilot in Windows user experience is enabled by default. Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) -- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** \ No newline at end of file +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** + From 7b459fa2f3444cf2bdae60cebfeaeee7de6538f2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 11:27:41 -0700 Subject: [PATCH 012/114] edits --- windows/client-management/copilot-overview.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
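Review bot: "One a managed device installs the 2023 annual update" is carried over unchanged from the removed line; it should read "Once". "likely to be called 23H2" is speculation in reference documentation; state the version once it's confirmed or leave the release name out. Moving the KB5029351 prerequisite and the two accepted options ("Automatically receive optional updates (including CFRs)" and "Users can select which optional updates to receive") into the note is clearer than the previous wording, but the hunk also adds five empty lines after the note and one after the final Group Policy line; drop the extra blank lines. "you may also need to also" still has the doubled "also".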
diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index ba951762b1..7478d3f8a9 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -18,15 +18,15 @@ Copilot in Windows provides centralized generative AI assistance to your users r Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: -- [Bing Chat Enterprise](/bing-chat-enterprise/overview), which is intended for business use scenarios - - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. +- **[Bing Chat Enterprise](/bing-chat-enterprise/overview)**: intended for commercial use scenarios - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. -- [Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it), which is intended for consumer use scenarios + - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. +- **[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it)**: intended for consumer use scenarios ## How to enable Copilot in Windows 1. [Configure the chat provider](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) platform that Copilot in Windows uses: - - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for business environments) + - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for commercial environments) - Bing Chat (default, intended for consumer environments) 1. Ensure the Copilot in Windows user experience is enabled: 
@@ -34,11 +34,11 @@ Copilot in Windows uses one of the following chat provider platforms, dependant - Windows 11 clients with the 2023 annual update installed (coming soon) -### Configure the chat provider platform that Copilot in Windows uses +## Configure the chat provider platform that Copilot in Windows uses Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. -#### Bing Chat as the chat provider platform +### Bing Chat as the chat provider platform Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: @@ -51,7 +51,7 @@ The Bing Chat is a consumer experience and doesn't offer commercial data protect - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. -#### Bing Chat Enterprise as the chat provider platform (recommended for business environments) +### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) 1. Review the Bing Chat Enterprise [privacy statement](https://learn.microsoft.com/bing-chat-enterprise/privacy-and-protections). 1. By default, Bing Chat Enterprise is enabled for users that are assigned one of the following licenses: 
@@ -79,6 +79,8 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` +## Ensure the Copilot in Windows user experience is enabled + ### Enable Copilot in Windows for Windows 11, version 22H2 clients Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. From 5c6f760b8dbd4a81ac7e626af9ea51798194706d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 12:58:40 -0700 Subject: [PATCH 013/114] edits --- windows/client-management/copilot-overview.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 7478d3f8a9..966866d506 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
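Review bot: promoting "Configure the chat provider platform that Copilot in Windows uses" to a level-2 heading and adding "## Ensure the Copilot in Windows user experience is enabled" gives the two steps in "How to enable Copilot in Windows" matching sections, which is the right structure. In the reordered provider list, the sub-bullet "Bing chat enterprise is available, at no additional cost" uses lower-case "chat enterprise" while the bold link above it uses "Bing Chat Enterprise"; use one form. In the "How to enable" list, Bing Chat Enterprise is linked but "Bing Chat (default, intended for consumer environments)" is not; link both or neither. The context line "Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails" shows draft material still sitting inside a fenced block in this file; it needs to be replaced with a finished query or removed before publishing.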
@@ -65,6 +65,10 @@ The Bing Chat is a consumer experience and doesn't offer commercial data protect 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. +> [!Note] +> If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. + + ```http *would be nice to have a Graph query that lists users that do/do not have BCE app enabled* *licensedetails does output BCE, so its a matter of just getting the query right* From 7a8592d9273ef4e04c35151c8c347c96de3a8eca Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 13:37:13 -0700 Subject: [PATCH 014/114] edits --- windows/client-management/copilot-overview.md | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 966866d506..f2ac9a9385 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
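Review bot: the ```http block immediately below the new note still contains working notes ("*would be nice to have a Graph query that lists users that do/do not have BCE app enabled*", "*licensedetails does output BCE, so its a matter of just getting the query right*"); this is a placeholder, not documentation, and must be finished or dropped before the page ships. In the note itself, "see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled" reads better as "to verify that Bing Chat Enterprise is enabled". Two blank lines are added between the note and the fence; one is enough.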
@@ -11,29 +11,28 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar on the Windows desktop, docked to the right. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. + +At a high level, configuring Copilot in Windows for your organization involves the following steps: + +1. Configure the chat provider platform that Copilot in Windows uses: + - Bing Chat Enterprise (highly recommended for commercial environments) + - Bing Chat (default, intended for consumer environments) +1. Ensure the Copilot in Windows user experience is enabled: + - Windows 11, version 22H2 clients + - Windows 11 clients with the 2023 annual update installed (coming soon) +1. Verify other settings that may impact Copilot in Windows and its underlying chat provider ## Chat provider platforms for Copilot in Windows -Copilot in Windows uses one of the following chat provider platforms, dependant on your organization's configuration: +Copilot in Windows uses one of the following chat provider platforms, dependent on your organization's configuration: - **[Bing Chat Enterprise](/bing-chat-enterprise/overview)**: intended for commercial use scenarios - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. - **[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it)**: intended for consumer use scenarios -## How to enable Copilot in Windows - -1. 
[Configure the chat provider](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) platform that Copilot in Windows uses: - - [Bing Chat Enterprise](/bing-chat-enterprise/overview) (highly recommended for commercial environments) - - Bing Chat (default, intended for consumer environments) - -1. Ensure the Copilot in Windows user experience is enabled: - - Windows 11, version 22H2 clients - - Windows 11 clients with the 2023 annual update installed (coming soon) - - ## Configure the chat provider platform that Copilot in Windows uses Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
@@ -89,15 +88,15 @@ https://learn.microsoft.com/graph/api/resources/licensedetails Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you'll need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: -1. Verify that the users accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. 
Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. 1. Apply a policy to disable temporary enterprise control. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you may also need to also [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. From 6550e91928b62f5d72082dd3a5c937739ca0ce9d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 14:55:00 -0700 Subject: [PATCH 015/114] edits --- windows/client-management/copilot-overview.md | 62 ++++++++++--------- 1 file changed, 32 insertions(+), 30 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index f2ac9a9385..0a759a25d9 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
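Review bot: the third high-level step, "Verify other settings that may impact Copilot in Windows and its underlying chat provider", has no corresponding section in the file as changed by this patch, while steps 1 and 2 map to "## Configure the chat provider platform that Copilot in Windows uses" and "## Ensure the Copilot in Windows user experience is enabled"; add the section or hold the step until it exists. In the rewritten intro, "side bar" should be "sidebar" (the same paragraph writes "Microsoft Edge sidebar"), and "since users can possibly pass sensitive information" understates the page's own point that each provider has different privacy and security protections; "because users might pass sensitive information" says it directly. The fixes "users accounts" to "user accounts", "you'll need" to "you need" and "may also need to also" to "might also need" are good, but "manged" in the context line at the top of the last hunk is still unfixed. Removing the "How to enable Copilot in Windows" section is fine now that its content lives in the intro list; the "#configure-the-chat-provider-platform-that-copilot-in-windows-uses" link in step 1 of the 22H2 instructions still points at the heading text that exists, so it should continue to resolve.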
@@ -15,23 +15,34 @@ Copilot in Windows provides centralized generative AI assistance to your users r At a high level, configuring Copilot in Windows for your organization involves the following steps: -1. Configure the chat provider platform that Copilot in Windows uses: - - Bing Chat Enterprise (highly recommended for commercial environments) - - Bing Chat (default, intended for consumer environments) -1. Ensure the Copilot in Windows user experience is enabled: - - Windows 11, version 22H2 clients - - Windows 11 clients with the 2023 annual update installed (coming soon) +1. Understand the available chat provider platforms for Copilot in Windows +1. Configure the chat provider platform that Copilot in Windows uses +1. Ensure the Copilot in Windows user experience is enabled 1. Verify other settings that may impact Copilot in Windows and its underlying chat provider +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: + +- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Chat provider platforms for Copilot in Windows -Copilot in Windows uses one of the following chat provider platforms, dependent on your organization's configuration: +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
-- **[Bing Chat Enterprise](/bing-chat-enterprise/overview)**: intended for commercial use scenarios - - With Bing Chat Enterprise, user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. - - Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. -- **[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it)**: intended for consumer use scenarios +**Bing Chat**: + +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without extra commercial protections. The following privacy and security protections apply for Bing Chat: + - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) + - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + +**Bing Chat Enterprise**: + +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios. The following privacy and security protections apply for Bing Chat Enterprise: + +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. 
Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. + > [!Note] + > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses 
@@ -42,24 +53,20 @@ Configuring the correct chat provider platform for Copilot in Windows is importa Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: - Bing Chat Enterprise isn't configured for the user +- T user isn't assigned a license that includes Bing Chat Enterprise - Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) - The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise -The Bing Chat is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without these extra protections. The following privacy and security protections apply for Bing Chat: +### Bing Chat Enterprise as the chat provider platform -- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) -- The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. +Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: -### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) - -1. Review the Bing Chat Enterprise [privacy statement](https://learn.microsoft.com/bing-chat-enterprise/privacy-and-protections). -1. By default, Bing Chat Enterprise is enabled for users that are assigned one of the following licenses: - - Microsoft 365 E3 or E5 +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. 
Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: + - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Business Standard - Business Premium -1. Verify that users have the license by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. In the admin center, select **Users** > **Active users** and verify that users have one of the licenses listed above. 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. 
@@ -101,15 +108,10 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - > [!Note] - > These optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: - > - Automatically receive optional updates (including CFRs) - > - Users can select which optional updates to receive - - - - - + > [!Note] + > The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + > - Automatically receive optional updates (including CFRs) + > - Users can select which optional updates to receive ### Windows 11 clients with the 2023 annual update installed (coming soon) From 73ff492e2cd88befe6173faeb09dc4dca067a469 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:07:08 -0700 Subject: [PATCH 016/114] edits --- windows/client-management/copilot-overview.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 0a759a25d9..8602118750 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
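Review bot: The rewritten alert in the hunk at `@@ -101,15 +108,10 @@` changes only `These` to `The` and keeps `optional updates policies`, which should be `optional update policies`; more importantly, the alert carries the prerequisite that gates the whole procedure (Windows 11, version 22H2 with KB5029351), so consider saying what an administrator should expect on a device that does not yet have that update instead of leaving it implicit in `apply to`. The indentation change also nests the alert under the Intune bullet; check the rendered page, because the same block is unwrapped again in PATCH 016, which suggests the nested alert did not render as intended.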
@@ -53,7 +53,7 @@ Configuring the correct chat provider platform for Copilot in Windows is importa Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: - Bing Chat Enterprise isn't configured for the user -- T user isn't assigned a license that includes Bing Chat Enterprise +- The user isn't assigned a license that includes Bing Chat Enterprise - Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) - The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise 
@@ -107,11 +107,10 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - - > [!Note] - > The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: - > - Automatically receive optional updates (including CFRs) - > - Users can select which optional updates to receive + + The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + - Automatically receive optional updates (including CFRs) + - Users can select which optional updates to receive ### Windows 11 clients with the 2023 annual update installed (coming soon) From 8ffd65adea35060daaa8b7cd0fe5142da97c664a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:40:57 -0700 Subject: [PATCH 017/114] edits --- windows/client-management/copilot-overview.md | 32 +++++++++++++------ 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 8602118750..47c930532a 100644 
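Review bot: Dropping the `> [!Note]` wrapper in the hunk at `@@ -107,11 +107,10 @@` demotes the KB5029351 prerequisite and the requirement to pick a CFR-inclusive option to an ordinary indented paragraph beneath the Intune bullet, where a reader skimming the policy list will miss it; if the alert was removed because it rendered badly inside the list, move the paragraph out of the list and keep the callout rather than removing it. The indented text also still reads `optional updates policies` (should be `optional update policies`).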
--- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -18,12 +18,15 @@ At a high level, configuring Copilot in Windows for your organization involves t 1. Understand the available chat provider platforms for Copilot in Windows 1. Configure the chat provider platform that Copilot in Windows uses 1. Ensure the Copilot in Windows user experience is enabled -1. Verify other settings that may impact Copilot in Windows and its underlying chat provider +1. Verify other settings that might impact Copilot in Windows and its underlying chat provider -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. + +|   | Setting | +|---|---| +| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | -- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) -- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Chat provider platforms for Copilot in Windows 
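Review bot: Both controls in the new table in the hunk at `@@ -18,12 +18,15 @@` are user-scoped (`./User/Vendor/MSFT/WindowsAI/...` and `User Configuration > Administrative Templates > ...`) while the surrounding sentence describes them as the organization's way to disable Copilot; add a sentence stating that this is a per-user policy, that the table offers no device-scope path, and that a user outside the policy's scope still gets Copilot when it is available to them. The hunk also switches the CSP link from the absolute `/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot` form used elsewhere in this file to the relative `mdm/policy-csp-windowsai.md#turnoffwindowscopilot`, and the Group Policy path from backslash separators to ` > `; pick one convention, because the same two controls are added again later in this commit (`@@ -108,14 +112,22 @@`) in the old form.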
@@ -71,8 +74,8 @@ Bing Chat Enterprise (recommended for commercial environments), is used as the c 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. -> [!Note] -> If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. + > [!Note] + > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. ```http @@ -91,7 +94,8 @@ https://learn.microsoft.com/graph/api/resources/licensedetails ## Ensure the Copilot in Windows user experience is enabled -### Enable Copilot in Windows for Windows 11, version 22H2 clients +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
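Review bot: The paragraph added in the hunk at `@@ -91,7 +94,8 @@`, `+Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices.`, contradicts the unchanged line just below it, `Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control]`; the second statement is the one the rest of the section builds on, so the new sentence should say that on managed 22H2 devices it is not enabled by default (and `manged` is a typo for `managed`). The new paragraph also runs directly into `+### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients` with no blank line; insert one to match the heading spacing used in the rest of the file.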
@@ -108,14 +112,22 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - The optional updates policies apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for optional updates, ensure you select one of the following options that includes CFRs: + These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - Automatically receive optional updates (including CFRs) + - This selection places devices into an early CFR phase - Users can select which optional updates to receive -### Windows 11 clients with the 2023 annual update installed (coming soon) +1. Managed Windows 11, version 22H2 devices will display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -One a managed device installs the 2023 annual update, likely to be called 23H2, the Copilot in Windows user experience is enabled by default. 
Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: +### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update installed (coming soon) + +One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. + +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. + +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** +## Other settings that might impact Copilot in Windows and its underlying chat provider \ No newline at end of file From fea2a184bae412598ce9a7a852bf10272a33de59 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:50:26 -0700 Subject: [PATCH 018/114] edits --- windows/client-management/copilot-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 47c930532a..8184f69213 100644 --- a/windows/client-management/copilot-overview.md 
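Review bot: In the hunk at `@@ -108,14 +112,22 @@`, the re-added bullets `+- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)` and the matching Group Policy bullet duplicate the table this same commit introduced at `@@ -18,12 +18,15 @@`, in the link and path form that the earlier hunk replaced; link back to that section instead of maintaining two copies of the same control. Other problems in the added lines: `+One a managed device installs the upcoming 2023 annual update` should begin with `Once`, `verify that the the correct chat provider platform configured` should read `verify that the correct chat provider platform is configured`, the replacement sentence beginning `These policies of optional updates apply` reads worse than the line it replaces, and the new `## Other settings that might impact ...` heading is added as an empty section that ends the file without a trailing newline.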
+++ b/windows/client-management/copilot-overview.md @@ -123,7 +123,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: From 5ff994f00243acd5bbb150166272b8db51ab670c Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:52:25 -0700 Subject: [PATCH 019/114] edits --- windows/client-management/copilot-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 8184f69213..282c68eeb5 100644 
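Review bot: The sentence added in the hunk at `@@ -123,7 +123,7 @@` admits that a misconfiguration silently drops users to consumer Bing Chat but gives the administrator nothing to check; because there is no admin-side alert for that fallback, put the concrete verification signals next to this warning (the license and `Licenses & apps` check in the Bing Chat Enterprise procedure above, and the on-screen provider indicator that PATCH 021 describes) rather than only a link to the configuration section. Wording in the same line: `it's still possible that Bing Chat might still be used` repeats `still`, and the carried-over `verify that the the correct chat provider platform configured` is still missing `is` and has a doubled `the`.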
--- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -119,7 +119,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n 1. Managed Windows 11, version 22H2 devices will display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update installed (coming soon) +### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. @@ -130,4 +130,4 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** -## Other settings that might impact Copilot in Windows and its underlying chat provider \ No newline at end of file +## Other settings that might impact Copilot in Windows and its underlying chat provider From 6ab5523eb5bd0b3ccdcce738fea65001de8cb3b4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:59:22 -0700 Subject: [PATCH 020/114] edits --- windows/client-management/copilot-overview.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 282c68eeb5..0da24c3e3d 100644 
--- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -15,10 +15,10 @@ Copilot in Windows provides centralized generative AI assistance to your users r At a high level, configuring Copilot in Windows for your organization involves the following steps: -1. Understand the available chat provider platforms for Copilot in Windows -1. Configure the chat provider platform that Copilot in Windows uses -1. Ensure the Copilot in Windows user experience is enabled -1. Verify other settings that might impact Copilot in Windows and its underlying chat provider +1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) +1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows +1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled +1. Verify [other settings that might impact Copilot in Windows](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. 
@@ -123,7 +123,9 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings impact Copilot in Windows. For more information, see: +- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) +- [Other settings that might impact Copilot in Windows and its underlying chat provider](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: 
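Review bot: The bullet list added in the hunk at `@@ -123,7 +123,9 @@` follows `For more information, see:` with no blank line before the first `- [Configure the chat provider platform ...` bullet; add the blank line so it is formatted like the other lists in this file. Since this is the third consecutive commit (PATCH 017, 018, 020) to touch the same sentence, fix `the the correct chat provider platform configured` here as well. The second bullet points at the `Other settings` section, which in this same commit (`@@ -131,3 +133,5 @@`) receives only an introductory paragraph and no settings, so the cross-reference currently leads nowhere useful.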
@@ -131,3 +133,5 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Other settings that might impact Copilot in Windows and its underlying chat provider + + Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. \ No newline at end of file From 7f802f70bbee2638588bead40073a565dbd66169 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 16 Oct 2023 16:33:49 -0700 Subject: [PATCH 021/114] edits --- windows/client-management/copilot-overview.md | 9 +++++++-- .../bing-chat-enterprise-chat-provider.png | Bin 0 -> 105734 bytes 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 windows/client-management/images/bing-chat-enterprise-chat-provider.png diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 0da24c3e3d..62dbaa8c80 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
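Review bot: The paragraph added in the hunk at `@@ -131,3 +133,5 @@` starts with a leading space, which is inconsistent with the rest of the file, and it is the wrong content for this section: it explains how Copilot in Windows differs from the Edge sidebar rather than listing the settings that affect the chat provider, which is what the heading promises (PATCH 021 rewrites it, so the two commits could be squashed). The file also ends with `\ No newline at end of file` again, two commits after PATCH 019 fixed exactly that.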
@@ -77,7 +77,6 @@ Bing Chat Enterprise (recommended for commercial environments), is used as the c > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. - ```http *would be nice to have a Graph query that lists users that do/do not have BCE app enabled* *licensedetails does output BCE, so its a matter of just getting the query right* @@ -92,6 +91,10 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There is also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: + +:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: + ## Ensure the Copilot in Windows user experience is enabled Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. 
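Review bot: The hunk at `@@ -77,7 +77,6 @@` only removes the blank line above the draft block that opens with ```` ```http ```` and `*would be nice to have a Graph query that lists users that do/do not have BCE app enabled*`, followed by the author's lab output; that placeholder is still in the published file and must be replaced by a real, tested Graph query (the `licenseDetails` resource it links is the right starting point) or removed before merge. In the `@@ -92,6 +91,10 @@` hunk, the new paragraph presents the `Protected` shield and the `Your personal and company data are protected in this chat` message as the way to recognize Bing Chat Enterprise; state the converse as well, that a session without that indicator is running on consumer Bing Chat without commercial data protection, so users and helpdesk know what to look for when reporting a misconfiguration.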
@@ -134,4 +137,6 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might impact Copilot in Windows and its underlying chat provider - Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. \ No newline at end of file +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some setting which affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. + +The following settings might impact Copilot in Windows and its underlying chat provider: \ No newline at end of file 
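Review bot: The rewritten section in the hunk at `@@ -134,4 +137,6 @@` ends on `+The following settings might impact Copilot in Windows and its underlying chat provider:` with no list after the colon and `\ No newline at end of file`, so the section still promises content it does not have; at minimum the Bing Chat Enterprise on/off control already linked earlier in the file (`/bing-chat-enterprise/manage`) and the license assignment belong in that list, since the text above names them as what decides which provider is used. Grammar in the preceding added line: `some setting which affect` should be `some settings that affect`, and the comma in `Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](...), can share` splits the subject from its verb.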
diff --git a/windows/client-management/images/bing-chat-enterprise-chat-provider.png b/windows/client-management/images/bing-chat-enterprise-chat-provider.png new file mode 100644 index 0000000000000000000000000000000000000000..6213a99d1602f414ae39b545e7fe52b7bec0e395 GIT binary patch literal 105734 zcmeF3RZv`AwC5ub8gD{ym*7rt3zm=sClK7--L-KG5Ik5QArRcU8+UJ<;O+^~IE^$i z&G+3qQ&Us(HdA*V=7DO?sbhQZwb%Zy-&*HHt17?6#UjUg^ym@pI|VuQM~|KmKYD~7 z3wVaw<3xJjj{14*rv6suQN;-5U(^Pgm9&!dqes;V*f%EVsBKJV1s%6XkEkLZ{vI0? z5QaQ@bYJ*RPWq#_;eHNAFqP(9MB4)7C$syL{0lZJIo9`TANPZa{H}T;K!5^(XLZ3V zY|sla008ttI%(Mt8>kR`W)3UA_Zb;#5c6~Ms(oiETZ5DwnB#Yw&(3V{YV~S$vvjna zud@Mv#Z_kd91fHL&^=?I=tKR40omii{@I}}+xgG-FFF&{UYV%hiB%8B$=NDsKO9Cc zz{r8x4M-w?PW*730xl-@!*M?%{%@Qfr_PtD*qlQB3pj&iM;eg%>3Uv1Q8Z2-Cjb=hi5q)r3{ow`Oi>? zeNQd)VI-HAH>S-WQ&h$ID9D*zrOyz&oD)qULb+mY2WWMW`Be3J2fNBQndT;6!hRr%E&e4ma7Ta8h;o6!J zU)=iCifN()*+2K5-?2YjiU1I~ylhCrz|z>%wD;txOCoH`pO!l~k(L{fsQ$~`tnc%= z&yTHB9~$Ox1y>Ozbs8+`kLEcBWg=>7F8QL0G1hYQE_B_+7BdE3;7b23cEn8E-PA$L zg(1z|QKZ!DMeBuxA53pqUFgXteV1@5-#__*I&q3Xf*#ZH-gpWt3WvHRFa$E)@*?V~ z43K!uO`00^gMqJDDzOS+Qm-&)w&vN`s_zj5b2PaWZMzOuhA)0 zIz_6i_V}+4N4E4CsIx~03aaWCHsM_qt7`sO>o;3%rEi^ngAnuFymncC{}O=1ib?l| zeZc{mbNg2%sK#Sjr%&=~KxH0JY~T1TrAt@<+|H=h$$x_aad*+SQbgr8#0#0$wVPYH zLqO}d|Cnfk>1@XB?~g?5>gq1n65U2b`V8-{XBJSM>%sl}(eW6|3qV3%^hS4rf` z{oRG#^MP zCXrOz63>U*Y4v^o7B1HheHCC=HV9bd`Z^YuD5NSG)^uVFkky&iaU3$r!R(_ay|c>o z=?y$d&hwUz?!Va zqT#bc-9kRZZl}d_SRw$!+TzPE39I{t8x=%ko1xhSXB1&1wwFmiu`b8Te8-$e->=Q* z8w~S@uy$8~OjHt10m$VL+I9;^oWQvIe%0{0@Y77o#xqrN&X+TS!XvYXL&i@)87f$i7qOxMgDwC0!ddobwv z&j}#B%jeSG;E}QG3g}hE5S8h&>Xh$?$zSqZ;>)30I^HggL1j*JJr=o-ZFC8eIBI|D zvioJfc2v@HkhN$w*YCi_Z@)T{gorfibX01E8nsdXyF>~21Q=%wkY;%WV?YDtk-5hn@ z>Qjjmc{kGfCMc88wqioE9@T1D``es(aQe%rZsDxM*84iQcfL+n4F=b$ zb0y^z^A(j&l;os7<|pHXd@Y3~se|60B?mm`N{zqvV(6&6>AH7EC{`}tIK8N!BabVs zXdF~I*c=E3YVQmrPGuTz(vr3^ZVF*1a?niB>R5Wb+$UMbbb7j)pCRf|62!NOGC)Y4 zdb?`hTd8X`J*Sp)f3j^2N{`=affL+aFNcN!hFDJ+<>fbym9riPyd73nX<>ICBykS< 
zQ+#Mo|JzznciV~o?&=Ju?Yr4bl%^&^0eL4+GW)V9u-!I`+Lrm|&y%1>qu2Wfk~E@F zpX7jJ46E70prHKGrc2Pu{6*`T)=MTArC%LW%-j-`wdzdmfT|F_Xs0W5Q;<%560U4f9 zbGEESP^^QKl)Q%sqI8U!y{q&1JG;B_1CK%>ch`H!CdW7y)$K%Cyy^$%j(|X0hKpX} zauVt!h@U8kA@^(HN>0AXL0_0yg(DW6@klz3gs>Q!@o}P83r$VAJ>xK29?okiT3+^pd(QK%p8iHC(FaVz`^oX0Va$j?O8M87t9jwW&ahx;%c^k ze|IPWS(+cmhh1VEPTP|KWHC@jKEp+kwIqZ%c)@>;Jw>f+n(ES@x zx_{h51aqh_ZvhW~Dow6_3UB8W<(N4yUb;yLgMJH9v?N5fNB1p=A+$$JY7d}xl?~H( z7w!C7+Flrbhv~{S-v!;6%dV@IjuoMrB^0wiD?eY8d7nCJEMX4MW}HK7In6pw7Qc=z zkYlt>)m%~g{fWpEGa0wc1Q8Nfu&oG<)N+$iL87)Jl>od?GI&fngHPEaIzNjYSTpCi zt2aYzCl$3<2c_V3ll$#Y@z0WR$=2Ut#VQFc{cbuXzG^R8Ovg7xrib3tY#}m?izC3_pSEJnuzsGLPPie$l8spu9yY|n1|4q&LOJqD#G>y z{T6!RWLXzudGPsODut>IW+|sgJe)zu2WNQ|+)UuJrI8WAzH?QG3Re3dUP#w>g;3CNvkE5P0o>ACWg^+ymCg%xO zlw*__!v5xe@)x69?u2M23XmJTDnSEy9)YC=Io8jta*}qhK8#ZTOw#8#l)<~a%`>we zPGb0nnZ=Mb?MR!$&dcA&lm6qGSa)MGu_R-hcg2$6{5h^?r;wDzLL6*1+m9QH-6Yc! zvMSsplR8k#IV#gNEBC_JZ5H9E~MyaxP zim8bjKlP7yl=*k-1^4*`GI2o5k?g-K2Gz~ZJECU2ao!G7Kh?CIKizI7tIUrEBKVyc zA5_(BIdpmVuz#S>anYrZ>aP5I^KA4$)WwpQk(7xGO8(7FeKLYCY;Bp;k<4Yi9O43Ha}cXw8V2*LMnmpuQaa#a*X9xiXD#~%7JOn#zYpeTqr z;L4J#_$&J-H{yEnInT?Xm*e{3*nti!*PVV2Spxis6N8;O{J^ukdS{vj^wHVj3xtzX zEqvO!;F~Q4wWn6Vh%A64=zL0$HOqyj9k-zK!qC`j)ODAOmlDKma;PL)Cc5D%)|L-v zoN|CxfkjKSmNt!%@I&qcXwHYgpc*(hf_+2s&*b8rrQN4_gHeRG}tU$o`pLmD}LONaONRbVkwZ#mAQCSAAf zkOOpSJMT=JnupTwumvjATZ-Mm6Va}L*R13^n8JGJGCz>ajHG)W$KB9kc ztoMk@zbfLU_sBkZM68*VZQk7o5kl@{ASz@2!{`F%)E!*K5q^g8cTTJVQ7Pm=eCIML z(Q5xwbn?#q5c@Vl_5=fNn*~mVhhtP$>EJpr4}9LMQl8n#wK}wI#HG1&NnWBlyay*p zI;9SgL+0!jN$8sj;X)409#ZEtP4sTzBvfz>FNj2q0Q7Yh6+FD8&^a<}6MPi2PCYI>VTQfEa*9-KB^Xn`-eoGIZ?1ave0|ewvGAm=V!u zh1j19WQltF#fOgAhdI}~fQH=m1#y@&UPP7!39-_3-4EPuQPJ^4R^-tTO`Clml~;Da zRaoWR-?ppLTfg3d`o%HhoA{@u{G(vEQ3vWkk1Ycin_8>N)=|Tft-UTfr+GJi7(&tk zY9w60mx%Ao`l;sgdfCqf+U(P;wguU0mfWCQcPSixkDbt=>A4k1=Epj#!{)&qgY%&e zTI98@Ew+1cR8^DPf_GO<`y)Z4f>}F|B!_A&?&llEjmblFO3wh*K-0|*F~E_qv(RT3 zDz+h|%Zc>X&Aro!A5-W!3=tLMs;&lot0w!MJPH|pogPwva8*17?DMCa48qMh+DaxX 
zq2pFkfU??3aoa)jrK2}W)M83l7-1x`GB>R_vW!vKyKb^70fVM1Upm?C?Sx5>I5=2| zuW^h3PYJdzFk^|fAbp0O7(XrTl*Aa7$+8#YV)rYGzON;A>ET0{1X;9?2Po1qM#mKp zh`0Maju&)BR%T+PCUvh2FViK&#Wo}ek*$s;O8pW}`1&+d4HfqiYjS;Z3(g5M^Gt*b zWmX+ap0X}w=boOrA~U9%C@l+Y7~9XlTh>DfKOFw+%;0`AQ2kB%v%{)YUfF}iUrmib z9Bm-+yMAm_TGByUj?P7#-9&2rtKs?lc+?g`i}_1{WhM}f1R0azzk*!e3A##K!Rc7& za(RUCTknn*^g7T-?tW^sZM)gx4$xU{9HG`>LhstMQ; zS!3KR)2`61057@D5d}Tgf=6WCW{0OaESnky!ZU;gKwirJH??_HpN>mLNtrwh{SUuu z+03;=u1}O9%6d=(V&)2IZih6wQ&@*2P2%!hi-V#f|m&)(2x%`ZEstVk~LNt|-(9aQ7UzP@|iV?jvw zZle)p7{SPUi9?@+yl$U4i}Wj~3tqR_%9S$mH1B?YX_+)W-O!hHgiHrbR!IMuljcj- z6m2}y;L&FZNqpvrJ)`@1KejI*1~fDxP#hiOcE!;G{b9hN-z`IvIIoO$CUuT9w8p)Q z_y;;h7wZU?SoBc8ZY2q^!vXD&BgSullhmN^{AdcNy2D<6KHcmuyFwSVI@)!VYW;fWY+ zwKBT-9SQI1%eF4MU!U=u*n?CbbKWKlGAQ#Lq4i(yZSEIZRX~=#@h}ovml5`J^Fp)z zg4T!CMUH;+H7%!{8V7G88eWU3DL`h^*}_QwieIjV-U$rd0Li?*daVRNFN}FG@k2YE zB#-3Ko`F7zY9OMSbEE7k4HcCiVY=Uo3ej+n@Jgh>&3_0Aq7El&;Wcft5fj9W$SC)>` z%#%G%gwQ1nwy{HHm3Q-30I}E{6Q2k9PUXD%7_z6er{~hU)Z865s(6mobo?%G zA78-b#h=RQw(vKyzANeTR97bR{bpw-b+nVx$+D-fFHi6F7m`{lzH z)~Q`ezoYG)jo(qF2maHAGi7dTicNPNeM9rTSzCG=1DQ!P1@}^P-PTX@+hf0ZJK-B* zE`MlWVDfde`~n3o;FtnK#R#XDW+AFAUN=jF?ZpsR3TGFDMkt&h_$SqmDxp4!>0~zsFbj=2L< z)-y=!!lg4LtVYm7CwGq`rE$tU*YWvDmejHNW3vaUdz{?QiP=K~^TM}2Wj*jsWBF#1 zuIT@TrdF$u^F%#7#X}E0mZnof-O6;6;r}e8HUFuU_0vlUn>Ws!FVp)Ss%HdmQkwq9 zvqYIZL+3^{@v(Rv3jgBplVhPIEpZwtRzqo>Wiw-Uzj0A#?C}KqTftJ12^0X42J5C) z0U5G1rL|Mu7yf%e6iVe2J8X6{(AF1Yr{Tur-4OCpgm&becBh{oR?ducjz*`C>yK(5k;z~{YqWuWA*Y?%d`Y^ zA@^qM^f|d{W)dn15cTOZ5jECdZRiw}qu7Y(jDr&!TUzR3Mz%-Uj7c&y$G)5b()$b5 zwlHlf?PC#Q6uD27oZEjNU@iY+h^uMe^pl}a;SwsIK}1U3&?yt4#`R0mmZ$&C1`QMy zdbceW*g=vooy-0VHze-cbsLg4aJj^l49Gm4Yeuafk&U*@Dkb4&30-_me(ffajvi+l4?R{L@z}^I?IRItj#V*R+lm z75BG?l*p^ZD$?MhT;IVF;SC%l>PgKD)dzI-^jcQ`8QJ!-`l{loJT0Z1c^-(w$6WuD zcZUPP;Avf0-+%}i4hmAel{(p*F$!v-@;~Zm#i0)QhfY@p-NGE(Zat0C_(%-glUlBZ zoe&nmCJ7Wy&Ev}_Y0%4a6yOuvO40E52~#ru9xr&Z(12n{{(fN(6i)K~YLt6z%Q(k} zZV2BbS0RHNq%e<)f&!WzBAP>n{Z`~bE6%L~Ue^O{yPdxr4Z7Qiv_mYqjn>Q290uJZ 
zZ+VpeP{6$99$XZcmbP|E6Z^6H_3uU_ACsgXP^ggMZs;0zoX3X`u|YB6?V?>QPTpM< z_BWTuTIE`|NMV-RIm@iM^wzVN$ZlrIwY}u!r6mUxlMSTeotm1mh$Z2!a7sV~UUt#U zmm1yL+BrF0Yz<`bS;Vv;mkuG^L07O=N?NuI{LW_Jb|lYGNME>6c13kBd8^cK3yReD z?gv0+`vlJ}KiSsnsY+iL8HyijxscfvLKX4x3s&co0piu#KWi`#beXA;Yk`l^rv)$jnmSfwq;{q<0X8brm zOI};+c`bRgbZmdVk9YF_eu1^hs*M8DU@&+tYx#`nUU(Z7d^=!JxhJ-DVc=XsThBRH zrgtPSMDikbf(O!SEr)B&5+tUv<7Qe8JeHG#6Z7qlQv8o&jp~*>7lyev989Q2J20d! zrJJ_W^qLjE8FcQ?)dn;)9W=tA(o%o$my@63i;u-7u~*c0I>kB!?ue}%-}bqke)eka znhChwGdkR(7d7<#`|_}`c8U}49uH-FLeoxIRBPWgcS z;dp*9GCy+Tv)Blp$R^OKIkP)D*m`r$D(_rHlZW{!p783U1@}p%TfS#Vlm=~Vxm=G8 zq~dz2%I(z&WMA`x4u^b{jd^hX6SKgv64HUn> zIbH5ILUmm04XPt|Bwp54zcNJ5&&mSlsA&(rawoe(bE8 zn~#1?{Nz-O^!oKBPlG!u2`XsPiDq;df9ZYaib?&D3* z5^EK)hL46O!-nZ52>K+4^4oumd&0xb4qE=Mq>i-uxuDjqkVoyW^L%%IA!3bg=#}9r z^;!6ex#Dx!*zNqhq(ffXiMi%01m5Zc|IPuUbKvk z@{_U+NdpLJj~Q{^kkXUIjTw?+iL6I4e2w5SC+HqJxucW_z)F6T$$y-WA5i=kkx_QF z8j3HNGe-XU$Lc!*)ZFk@kk|hBLBQ`CpS#6dCYz9)H>X17uXEB8M?c$&kDMTfu6p1x!Ouc7SS0O<#?W) z(sm;0>ybMH*f=5upy=$!5d=Vup(0~?%U~}fw2k59mne|?C2!$T9V~3Yn795&oL0J-Hy!jY@A3BgqkfiTJ|C+-JHykj!hQB_w}{hZ z)y&u@LmTaOAyyy}*8G6o)j2@G!;&PbprqZt(H1yDEHy(_$tiZ4m+O>pdpGCpa2~c6 zWpsCvemAb#j3cf!c<6Fu&C-P-?!X&#=P!nu0DCH5+EG(~d&iwt6i@2LnVZF1oCv=Y zf`3B=5vbEG&9|l)sCDv9LsP}%i=C4HXXJu zNS!~nt89U+5UV5}fy#_-cRzXVd?nUp!7laA39AFwZG-_p;Cc^#8Peh>!uxN=!jYT-0~Iq%8^C?)8V^9 zO;S^)*Yw0Z-5h4_D#B}M_kS#(=Zdbm3?F$jZFSwC4^ju+9D5$NTwK3GdzSksLg7gD zNZaaBwd)XXpZ6%{o1Be-Fy#n^;!(7*M}+E`%puS)IKjriYs%w0Y_wq*ciTR!Mq=J1 zBMfqnqGw3=!4nY2c2E`NHv_p5V>h0M2`~PSAYA%lBv$HVe;*7kz>I>)RtVT-1-X|f zEqZ1fRZcy-Pb$@c4%HNmW;OgSVhKZ~l>;6s7&yd!`Eop2b~~Odf+xAN_qbhrkEwD^iQb>>9dk4+vZoI{g$==)P!_96GULV!5*sqw{qkSovhD^g-=)# zlM~9X0lz11{(yyap3weJkxK-o)XpjqPG~g;b+pB?`Mo;d#ts)|B<%=4eJlqj{qiHHxt7hA4#*f^^aMAF)?o_B}; z8^2tKIMZ&P`q()*oaYx7_F!Y9$*HJ}1{cU3R{uL-{ixUi)&Bp|f|vh)_y78-^IuWu z^#8!Pn_8$d)JsWz4rM01hcza~ZXAuO9e{O5pTIu)a;C$y3$>~%OcONUTd=1LpAgmR zPX*)~_@z{0K+9js@U_vM?WJQ^c;5r>8i-{2`#1IT^mIA$?DC1|x>=a`9p+zoSpa2l 
z#O|^pbUq(Nh~L>|YRiPprgvJ4fmhex7n-Kp_SA4Xq`A@Qc}{%)Qf&%>#WZk{f3t0g zH$IY}!%JKV<|c@lx&O@&sW(_Po&KD&w`JITsf18=s|4H-gwnmSs9D|>C)9kWM;tH( z$~m-J&M_G=KB{%uM?+sm=U*=&vLj>HpobppF^rSz#(4_*p1?m3thtz9na=jd1y6--}6w_RQv^JMTon`n8sa4p@E8w^Tsys67_4nuM9Ak1ZPJx&SQ*FK(#<3ln z2Fyi=H+FS$>U9iYl9X7?%%~5aXy}#+PullRjn0D>@(OytnU~5_Ox_A*)&F@vqyG{W zU&o=LoFb`Z8jzURP`mrdcTCQ8&QF{op$73X9fc$((|1WLv$}pQ)9*(b(`#C$ zH3xN}*c&I78(5YWMObWHDR!DO#1t`5!oC1KhjuI4SH&9|1;s9Nb9ah8=XI#Ab$L6@ zN2Ppprd2kf;Yn{5H{5V!n8j}fv9P;T`Wh<4L{>9J;&8G*$+3b|*OviQH=>ADH&3WD zz=&^O{7v>a-b82>i^hg~(n+UL z{e}M^EUiq(PH^Mk+6GMA;~_8xU1|;A?!IQ=+Oc?JL`8!1mpYSnhM|A@sR~YeU+U4a z=-}q)w@ln<{E|6gK0Ukrue==TcJvIkqf`_O($6$3uC^`{MF9H8c$$Rpf6m`;*WNAM-ToB?AlT2a3ZW(LHfu=@~hS~99 zoRn6txli%v>u8WS=ZMj0K z#p%&|4O=Yr@XObFY9iDD!^Hg4^LkZ-r?JDidiGQfW@VhoVEgjj9yGeXCeCbYV=``Z zx=n#?!jcWoD)pU@LGCCL#@&EP$dpaVjZGKvxcOO9hO^hs9d}T+bPv$)`&YL;5q8a5 z&r#4j$TqK)wr41uqpAK6vkadTh?)6jBU>N>mru(Bl&>2v^YSwiqm+9FP=QO+*HOeg zah+-*CV7_nt1;l{R4BW+xKVY8sO-iR%GqcYG1Zu@;CySP!mjhFm$Symn;EMi4putV zBde|$RzJTkn3fQsP$M`}gYCEmz@*dCc=dw5o2N^IJn7qOMKqI;+C(Cm>G#SkFJO)? z_xQ-fN()Y-VI5u#h@sWDT4hDl?9LSS++MiHP8Lj-vkPSZFmdTXV=rO&v+ye+hQP9k zTKVPJl*q`*#VEKZsBLAww`>hfVUEbl2mO=i;kBa$H$5#YeW$O85rTJ1M$`hxSAIeH zH#`Msdj23}arjBM`#-JW)bUTx?%9Ivr(7#F*(}&Um8NCgW=x6p&P`Va)V7FwRdfDf z({U0o+lt|bBym>yv66lP6WA0Nn=ovKT-rTPy!5v>!vvt)a$18hy7T-T!r~dI)O38uFYPC zX-lBwvuOrq0e$d&!FGxaSlzud-~OdleV?*U7gNiIp6BHHdAZxo3mDi_m%yYWQBLGJ zk%zRjL0l^dhOz>!FgYlwA#F54mgD*E`SZPV*XTMRkjNh2VlC3q)Fq^7x>=mKRX#pxrcEvgZZ$bCfrD$O&{QPLrv|u^4l=47-Cmb>}&g`>LkP{KS|! 
z=CiAc&vhZcscygiA|zH!*(W5bo}m}KP7`zq zqD*>6OOK$dfj~yAEovBI2&`XjEg?o_u|%aYG%s3~X2)BEe)B^SRC{*&bkwSTR;s+C zt!jUxDjU$Mc)xmg>FHlwsWCBi@i*WqQ&?EjB-M4`y#=#-ZsuY4vvVMhHwzG5S$wPD zkqMXl3Blx#;$raBE_KY0en7R-+$5ACO#AkqrM1KSDHD{7gKa4do^u!`U+HmpM!n}~ z)WuhxqpbY`)s$U2H2(mjAOJbM%;0ymr ze`M@MS!0^nUwM|+snnrYURO2MI#t`3ThATLS#DJ*XxH=Isi|8vw-i0;qT$9+8-prR z%B0M^>b}?SX`j&LRm$$xv#~gzVlH7qJ?80&^&8Xk>ik8tY5u5!w&FK^Sc$N4t&lO0+(CHqT%CW zbxM=f9^%w_3z@3%VWzy%pap=m^)JWtKYpxLj_ck7ioY0er90rPuR2&p(MHpAnFo7# z78-AYFcP%N@zM0En6T(kLU+| z(2>Xp5;P^o%hnm%Qd{Zo%Pi|F_P^j%F&rt}`hH^%wg)p4XL+oqeXBiaiygz1{5``E zqDq2!Jcbe0{03hhNZ6B>jbD~NGdDa#AX8>o4+{pG3a>5GWZ$~4)T7D)9n#9(^=y(q zWq~0L-7&DZZj8<+9l$VIMviM41(gVWK`b2_)1efrx;62f9@MNLEcX|H!A##=#Ug5=7MB*_JBM}l-6Lsh`%E{!&zv1+ zxLc=iGRRtBYb$Dmq#s5o;tD6@ zlf6A;!j6oY!?&eswiEl2)QfdA^za%(ZM0*cALos4kn~!*nHoWKw6?K#elP|D^&Q|z zSM0MBKvaZx0~b&KA$WK~=i;H^pxJGv9RU$|zeuI}At5|$Y#_cXYHdi@ccdAUEEn{`d zZ>B25#8~FWyirTik9-d?-cnrd`{4ygsXI?agpW*=Ce5vVBg&!oL}OWnE-keYlJ?-S zx14^TZdsB{oGs)X0SRxB1VQ)0W9IPdwhw+lmtS!cYYPud~r6s@AH?E6bs zUKtqo!BU}j^un05NDF*5*{6FEl+81^ofF*uw#|CCJ1oJVxSCLMM4OcudnonKVM7#} z93U#DYF|El4`3LZ`0U*KSdqf*3OVe%eeFTlUGgA1alKf%v<3FmuW)hgJr#j;`G#B~I&?(BeCoqk>*Q(IG zi&)^K<#KI^A;cr{yB=gs^MP1vS@YW2RHNQNQO19vuOBOq?vnXdjjC|ERpdo{E|xf% zp`viqaXin>V-Mc7_0{9xeb8UQt3w*F?TmdJSD3Z{N+A@4)P>8Js~^8fR$bf|NDG1? 
z%hz$7(arYcwJwRCQ-t8jjxGu~t!l3Kwu(Rmtx~w_2 zxc7QUonIwfisqN*J#b+7g5tn6dhHbWyefPpHi3c;x z?di~f^$%^1>oHAuP3EcPd;q^w?LuDbP_EIX94egTMU`m)#@l01wIk$aY-E0OWM?Ds zf>rC0pP{T7aNVhxsS*;RtJzs0JSVv?^!^gxg#n-+QBk{ce=9Zu%eiT;XQDlSRa3(P zz&8m64P%pP)nsk+9egc&I!yO*MB6t5;ZnNOy83^KKRxG`?wN8E__Z%HHM&We5ilJ9 zZgH9!oh3J$sZ!@4?>uJWvckHZj%LL$k-#LBdx!rDLb6_D=sn2QjC|#1Is$ijN7s!i zg`tysN}6w+NFG0{>a5A|9exK)w;MUqBw5%LYMb))nj6)vK`;HtuH~}+M6HA6-HPR` z;|nA=Q@s2KE(w241F{0|rA#H78Q4{u(!}moeh>w99YarT z~bX@DEUNw$JCIzm14f=-<7 z%L|Nn>X_cMDr#%}$gI5PMXvh8FmEM5k|4@oz6z$JH%+D4I)4_B!iJ5$%|4_a!|5>~$ooq0-Nbu|KRBUI(1Wif(m^0!d2MBm(tu zWsuO(`reVY3wB9VE4aQkvvxl+4hALZ5(9}lK*;N@5)Vhw;d#%6sU>)mSb*1Cnij(> z5@q>hcK$%umv2&{QwH9p#uIWFWM@QW#@QsyguK0S`I_*3i-p>Fsck*0(E_$TSg{wY zpW(pIool*ungCY(iwT<&9jf7Uq^M`)IodD6F6-?$bdstjJnqR!06Q=r^yeROV|BHs zvk7pcX>-r;N#gCLcKc?Ml6Btd%x+Jf^I+C9EcOa2d*xz}ZDgSitWo!1-@VUQ6y6mqQgs36ZD4Qw^?=4UI!i726o(EVY%Q7Smom#vz7T_Y; zx>!?mY~D=EAzj0G?Y}QmSkyJxLWP)Rm4Y7kaIuSZsJTA2l3ON28a!Z8j^%X4xLe&*6(xV^zm2)WQY z`tSquu;V#(Y-{~-wHi&|-YpHU!HL>L>kW(C6<7BHtUmBk)eWY6S?6wUzr0ji?tc&0 z>Z)Dct<|u8Arl`^O7qn^zjeO7PY{`*G@@8#->@rzm8t&ngxYv9r?}HCq{AzE*-hH_ zNIUFoQ*?{2%*xjw$92Sy8x#r3I0tt6@<|z$>-gm_QD^(rI;jAX@Pv87fvoD#2GX9d z{1Z7;(=}JRX?q6t4et}=+l~p)@5QJjs}}32d+vn9JAH4E)VI@DO86v^jkgOHIl`H} zuG$ILNgn67AF4}U)~e6Vi+-5C{expy$yxVh0pq8JTxSQF3keTA$tPiAk9FS-#M$R$ zqj9QHuFvJuVT_8uPPpRUS8my&h)S4dvvOeX783RD0N?NNjd{;bx)lwG{y;PabXnaU zUN2nscFV81|CjA}L zw-9kZk0PUHtv?f#a_TH>x@olP1j|xRB-4Z3m%GX2WLaiNg|?v$L0QVPf(PX&b3w&D z3S?4Yolkm4IIW=iEAu%7FbL{RAW+pG{$08=p*yuj=GXe<1$0R}W_i87fPlXrwtG5a zi3ZOd(uGg7>+AH#u{a$A3}fTXW!ws-p*9J*eaYxORqs&N zp7>$P0T%uE$z|V1s%7LVtyFi)+ea_5Nu?iEDNCe96R>U)MxLwY<@sQ2s~j;Z@G)_3 zGVeL5&Mp^W(oH<5@07LAlIa6Fc0Y%04=Q}&!_(Di)gmyG?5h4$&QQ99cpuqMlwUo!y{Rtm_xn{*&{EBj7CKL4$&PY**tC)Bj-o1W{vZaBr zIjDqnEPIRAdi89h)@w=Hug!7A%#nSjEtgR>;u?L5;CGx<%fSqgFT5$Ig)b)v2mpYz zmSSfYNn(Z{;f*QSTXZ^7-BA%^hORBu%fAuBw>3a|s)xR%GW1P_5~H93G{aWn%5blQ zqs~8;-_eK3uD76*%oFX+rVUC&9*G+7rysq36;V&wfgK%T!Oh4~t@!$5y{{xf2-oBP4P?3Tv$8@9hb6E 
z1SG-Zk+e@}qaLA>)oH>xb&1q+3Vdj@hBYnbD>6C|v0rBD*=%77Pf>VgqIa$`2HEFF z((5GBBZ{SIC%}xyCXrU&0K|^&Hl>?y=LetV?so8BJKg_nywj=v=L2{yvzv-^7(z4?u2Fc+rc z{dhK?M#sL-A58{!zcv%eQzj#k5gTxQJS_{jil=)W`1U7*A)(BV5R`mo4b6`alOOMO z;++#c5%7Y-fbK(l2V+^ab!RN%i*0M7g6d z3cW)Kncg3q)Aea;y9MKBp=CfUF$vUiaC#SqoEoQ%a>CzQA8#+lTY8h0=7b zW6O$QfjEtfl>TC-P}W%PMKY_AzddoAoo#BaVQE^n8s3|>HKRwY9i=bdk9eQ{K;IV= z{0bzC6QZY$dN%RZk84niH6=h%q+443BcnWK2ei+XgYQe%%aji?w{Jif-;-D52~b}X zXjPN>p)?gxEqVgkPP3c4)ZZ+pMf<*-rj6Gtkx7G|*5$i#^12#ZS;4z{eIr5~x(|gz zGXY#qigeG3!%c?`ef`tUg&R~4ICa5s;|Yaf{F~#h-dtfmMB|HChGvE(sL(n-_hiuR^Xm0WC zw3OtI0s;Ma31YD)ZW?2gw>n)j{6a87>uA}cLW=?Gv{9c`D|o3n+M1@}3#hL!gg)4w zhFfQWD#vV!66rIOT-l&d8qApf{)?V~D~?FM+wQkDiX4mz*s`<(H$0T;+$;8TWSTOu zLN&4F+hIL%3r3!u^mZsfs;jHZkq&!f3c5XU;ot&f_Um=TVFyMs=$4oNllPh>) zhDYkujmi6%H@NQ+Xgm`5bc_B-PL7^|m5u)JozX2Y5+CT&`UEa&vPx!@hXiWOj3?I&KmE{PhiV)@f7?8Ow*9_ z-kaVG|G`ntmeoD1f8BSTOGH%{W~@MV73o6m2hy868Iu9w=NL)tw0J(h6J)GmeJ+7{ ziBWrzucT(^*)&%0-Vmvo$fs|I$wRCit_o5~5c3)rLv=c%Bh~uL2E>a&%b&?^2nmuB zqbkU&i;seG0IX@{^Ggos%p7>6O<)zf7bL;F7;%0;k|7_!7N{D(S1LuRqRIa4<^Z4| zG=uLqzKeCjdB=$nTifP;AMxbMEr*+ka?8{nLt5|0tLu{aJgRZDQPasX-&A-Ki8%C?CJ^6hWLu!TImOHGm57c_;s;pnX1tJ8R=`}g@hDuE5y48Hw2fqhT?^GZ4E}-Ky z)^3yDS!cGy*Vu9DlzI}|@4VB<$zbzNc!K5{4%|AAM(>t)HMRO)9Q;E#xV1`2Hfmo#$<+?-?^2&F~zpRN3f$63XGcLIv*h7C>S`L2EEhX8|#Vhf_bph9L== zq~{f#a$0OC366`Q5sJfeC1@Y*xf~hB0Izqi1aBdxAsv2Pi@y0<)zuD5h?}P^(+{3d zz19_Md$V`?shbT1_)b;%%oaUNe%Uj(IYj8LBSZG**v7=QI6-%Z8?YP1eK_$~<;XaZ zdXSJoFp6$7Ty;<${h>j$f)!wB%rlgA9yJs!M3ifaYNZeG*xxyzqMxs!KrtbgO#s4b}JyZERXH-y(y7gM0` zPHN4*>4?sinIhYM-}6&y(N2?@r#VFBCN^qg)@2Q=A*IZsW<=F0=i6)GNB(J@q1h2C zyJ`8ymkq$1<_3nFN2CQ$2p&bD4`Pf1CqnCke*iG)8Nwc&%QgTbfzzA`?K*t7zYdDl zwZecl4dWHVjn{08a9vCF%)&?A*!1UxTR ze22tu1Rp5g5(R(H3RouBP5=API-7*OM9-DOsy%!eM^QQiru;!3i^hR(WG)=Iq(FKC z|DH!Xv2^l^@2p`+Sr5lXt=oy%`>Sy)fFnr0n^^j0ID&1=&TQDXHlFjM;uK(@`ZpqBG)Aj7-a%Z6L z@h=kci9e?41wCDDMi3xya;mF;)M78kdy?s;?hUMZu=GsgPhBX%di=^Ge{7~JLEJl) zu!Pb^;KaSfU714kl}jLK`@a?U?+cmh)FD2UoQa&0*SC8=(z6nHI5wH$n;mh=uNSC< 
zjO$9HF(ib`LfLq@-_FhiZM#;6$gg?pB-r?&1fq(`Rnsjn-8eaSVr8QtSjm#vdiR ziyk0}``UWvmAq-cye*vF$m0OKth0XEkTX=|;5_$?Pci0`yYU%tSmGT$vph!s5Ixpg zP$CmVI~vV&^(0$2ebQHoGZ<`4i;GXUQjItjqo#&++TdmU;N9g)Vl@1=?932H$Tt*K zq3O&w)_NnPi`LGn53P)^_KUY)|6{`2>s4wfgdS8SC22mS z(Z#|-Lg2)2Uvn{VGxBQ|e=Pj_t}S^JgB!Qsc?=}svQ@!@NV`<<7U@TvM$$f)%( zI)E#CvB*Z#lTWkW?g5R$hy>=!h(nWdJrW$cswQoK;{C>8pLSK{FXyk-3T=#=|GtSF z#l~Lr`9pBuF6TpIcJ34Ykm=}h%`#ZoeAzGlvVa>N=4%J*cU7cgB5)({Z!!2Bm*ej& z5A!`#*lS&CB*lqXYJJp)`4(i50g|NX0Lj0mFJxP7pa70(1Iv*S^=Mgh#MF@-=Jc2o z#6eq`F0D}8ll6TG>g!@`Ne=G|TI!US%1Sw}-LF-%$ZevjQK8KIu<#NjliS$%@8bIQbT$SiM`0Oo9M13|8MF6>wn&p*J)26Gb%HI`T9#oAxQf;yq2A! zZ!|i7)V0PN=Y~igd;1?=4t=T`P0%ZxWhrn1;S~cxW_Z^%gJ2R{lj}ilQxu3%@4sx& zN7(CF7lyfd_mKz7Ut^1e;MGge&l^+ovpAqw;I+cee41Om0*}!gj$Ua(>e=Vy2n7?B z$hWPyzybvhifP)~!f|-08Ree6{2oumO<31@m{C5YJ&6~7Zlh|&@M055!T0SO8~2rn z?n%O{t_!9w&30}W%H7lNS>0&agA0y~n0yEonW?Vjv2IlB*fWev^W4DfK6NMMQi$9| z93mr8)IDSRBC)(tv~efGyhLE*c=(s6oH`8<$yV-R1`4>vE*XgN`^Apf_a}s(#$COg zXOB9`73I9ZjVK_9PTqLIvTOZ!#((DHu2#CUf6fx~%LUHO4w%5$+Ync*$KSv>Ic=S~ zf+??Kf1iBW`?C*m|APqXAFh9Gvf+7K{n+8#1tWfRrODrgT6FIxXiU!urfD4o`o)A&kj9 z(-kacdZDeN)`OuQ6rLKt+!-8@va0tG87Hb1l(s3o)eppVN~mqA*F>e-pm@d~Q)*K4 z@3n}Yhw&l4$=TRncKHQt^DVf6J!9LjFYrfq?ADRp#@8U;Fgd-csBoq-qAHRgIk+o& zHc@!wQGul=m$7kQ(d2T3k50A;&tT#7vzqz_A9*FN!%p<*NJcKuQwHAp$6CpmPQG|U zoHcdLqHHhf!k#sCiEBFAtQ1)|eEY16-GPZkn;Q)_kizItsG1nwu=fs^5BU76+2KdJ zy3>`uWbJugkFp2%b)rg0q(<>u*jcUb#X#1M^E_$>pOg!9sNwvR z)paN%A>_7YaY<^JpWm#R^w9Gd4R(QrkdWAvX~@V_Hrx`7rI%Uf7u)d=Q;mXxNkF!g zt23Dn`+WGTJC*+!OBB;|=;9T&&Y)IR7SY24)85gdk4H3x^YJ;~54x54l@^E+y>s?Q z8>hQ#vdrVnxgz^W=XRFxI9Q~l@uz8OMXc*j9Y;;BT5?C*)K}^H8MUji99om1T&$sH zsR1t~ij@a(H8^_IHKiZqO(-zAIQx*)wwN%Ca8@s0?eqF7Aw*KRd}4W{s~Xe%ITlRv_Q@ zJdRw=sMBGw9Aq@}-+2bN<)7a(oUIyN=OLWa0Y-R#lbx1e2jmXPql{K;tM@HB3b6=HTb`oaj!zxK$9*72Y`&gs`oB9obv zoB>)8UI)Wvxx*aKe0L?$$~}Y1jaZEyg`1YeByQ@O$Iv>-N%6cto}?OL71mjFn%_{1 zc$JXT@8pkh9G^gBn^;Ffg+*j^<*;Y~^j92L)MxkWAIx^pvPa`vJfMoq^yG0l^pwFs zXWC)RX_V7!NMRv$tiPDfTqzT-Irn!xw}Qny|7)>Ld`4Mj=@7=>^@iJV+Ls1yKzJ@- 
z*dC6@hHrGd)QQ>efMdi&jOSfOL_zHClL{BTbRhz9N@y+pIm5-LSb?uq7cC^1H?wxXrh(o;*YkdYX7rOJht<8oz_KJR zv!XHm(hTHc@1}z5Wz@TdXnVAOx+1TNC(<2CPUNv455KHTH$<{ctgMf~vdDH;o7M}8 zCD?l3;$^ARa#WIK2tgv=bCp@2kdrMyvwYW(Jj;&Q80 zU7M2g==wt@|L6-#?7@>OM}7Ot2zHkTcYZbxnMq7G8va%7z0?_jJ!e<_y>bL6a7qXW zh{{Q%$R7TF5hSL2 zleap5N(&OhDguP;>~XJh1j4|JIUFSU?uY&y$@|W(hZ8vsyCvFPKZ%09R&+1Y#<8YTI!h6bXRQ6%{)e5PKg`h??FpArJPxgu#)u8sRYGtDn^-(wE7Y(E z)%3z*Ssh!ZVc`I(S{Sd?M?Li1j;|v3%Ys>FQZFE;5A}A1Tt4m*Z?vqkzjxff{H>-`+ZKf)YlIT$=cz&=1=YLZR$tdI+sDl zz&M>udCG3FuK;^!-lp!$Uk)Z$?;%PKs%sdZ1~FZ+=EF#|G1**4Sey`h`BQ8ApD1jN z)IU-{b%I0^>K(axV=J^BWd8!$m0%^+sGS1NXv7>0mqaZJh%<3Dg$$2dBDinPBP(on zrZo{?GK9@<7&)k68r3VG(#fI*p8GSbCNaE^I@LY0#?6HHV|wT#0ke~e&!D{Qa*dY z0?wD>HMw`0um70D!zdTW$aAwdg!}DE&JVx zcciBw?9qW(xrd(1_1b@HCsbPtc?l9%iMN{Zw1U*XXhtc-`*!>j>d+sR2UFoHLWpV9 zM3iSgj2z_;Ir9Tr^4!)ejhO*|C|uHDj3ur;XIpd zTV@OolA-@WrOjyAI)_8(tmhND$j;PDc6_eovMp2z>NnK+7PFy%kJ}Ox{a3YMt#I17 z+CFy1lW@PvraIHkSUlbDH>31c6A6pM)>JX@EgcDw$rc6;q)!?9Hd$pJR|eOFgkVuH zy(m{5iRhGX0(bh%&o>2sU74$-xOJ?rMH1nIeJChW;Js^4YNGgtRoS6t@bHYNp1Kr` z0cS*8=Wsol`EdqcesEK=ZSo1u6U{KS=U?m1($%&dEU$ViSD!>UxN|qsc8T-7bHH=2 z8Ce!?+n7gIxaS+(rbkm9F7ea0an(ZXqz$UWRg(HmjOSP70|^I@?}%mbLo%Nbb9%pJK$$HC%nM-8c`HF3^+u`u24F_&sCZdse5OheF}s9JV(0 zz+n1bU2@sUV5(%3wT@jBkt>IqJa0y8^Ye;{iDm4TbiL+dR&zx6rXJ)uNQ}&FRlZKU zB2H(~GL0Z@WM=&t-p478BsK|MkLs{bzdA$1Y(3A8(+54ujGpatsmUbh8Z7F`ar2%n zKV$t#j<5*NDQd1Jp=iX@^Y3R1FkT~14Q^9>5m+vDt(@Pud>L8DHf4$_k1fY5*iEY2ANoX%4E7ek`vRb~K#&m&Y)R1RjVEUd;*IL~o>)?a7I$xPMi?&Y>%3GXAmhU@UVj+`#*Nd*<{e7E7aUvY`rK4EI%IduyzsI(( z7qqLZ;Up|qVWxPt4|q-(T`RsU8>4 zm~0R=#(a`XGClu;BE-A-^7lnL9o6q7fzgi9qYq&`q%Y2hkS~E?<7pty=%cPF>eUGo zc8q(cGsS8b9i6O#tw?z}w{f#0?aSq8H!$pc?#A|PJxF#{qh|nOYCU*jMYEV>eCe0-Md{wHmmxX1byxta@fy4KLwzQlA5{Tq4l0w5zuEgNlFE`g&Xn z_{qbBt+=J1CT9*JvYPcPMfMMe9z((p;{Hs)pWRoL>v>mcmBrKu;bD3rd06_ZGba~fRcTH=YYMBNS$=JS8&R2??ImXZ)ErfHwQ zo}Zf5WPDGYpNKetMUaq)SvlL(-f=a&CZm|Uzu9l7_9new%9fEgt7y_64DSV9Z#A>R zz&OByQG6sKSup~+izRHv^(Qjz$$k0ZpA=Qd6N(a?%JH6GyJEOYHjd!}dn7hPdr8xb 
z4Upnm-}xGyBL(8NocfWU-28|yUl#tj`&hx~q?Dkwak@WsVZ6t7dtdd;ugx2D4!KPA z-1Di4bK0WMj@pV;gDJ>O^PO((B5OT-vSviXeJ1WA$3f&c_{}fjG;euUn`J|?+iH|> z%Dy|zJ4p@siR0}=Fy|QYsw)(eH(#{r%&zCp@Q$tuywE&4jOx+S5jMB_O3v6VbN5c} z*%aYLO}g_+4i+b^vb1R*cpKZJ9xreY>insIR~WNj%~j()(^sU%?8dcxUpt5yjj6NIs9(zk zA~(M;YOfYAA3S)W?)vm=${UL+S9rrba-lcTDbV|qUQZV-9!$ZmdSV*}e>3-YiuGXB zhQ#Ht>^8HwcSD|8P{SWE`@zDkviE3q)A&v=;4R8-FKX`&i%jnND>PxQ=?2K}4;+ZM`P$9-3Lf=O zkXJkdeT>B)}v5nT@eWNXk#kaNd&e=1r5aHJHXT=XZ z$CDaUK_o9Hv=^$#o_~AtJ>)mIsj=VWsqewn`O5T&LR}oS|16H!`wF8gRP2Gs`h@&=SK?!+A|GIA$U{2>;hk9Or&`wcROa>NkTaj$=#W*y&+lejw+Hp!YfdC&@t$#KdbvWH@0^lMf!+@Pe%( z6LjaEj-Y*mD1t?`R1aV+OY)R(E`)TxijTO zsK{!^s!DZ#Jy21U7z(AWsJQ2wFK#maW6Jtf{(Hf@D%CoRD#vJF7R*_OZuKG^yR+Iq zIz|LR@c~KZ{;bqJ6%G`)^7zSJ0>AZnYacPV>~ub~ORRK|%%Az*0x`Ch!y+(~r=0!w zL)B@f&RQpiVw{qC<3&!*M0W`8N+!PoZ+E|XE;dt)F}Hjm#rxx+VW@_|$tu`^2o_j# zP)u!w{O)~RaXO$4Zd(2wO(3xx%%kJ1pM2qRS>tsoSoEF@|MyySw>Ykxv_H1j)I5KN<4W#^_*-XcBV6^5g18@Mf%VzyyAN;( zg6X8{M-I|-T(D|avTj@61ILz+fFT7#hFwmGx-YNcxSk>W$B}J#L}H)X%YS|M8Dyi% z5hRp2e!a$fk)9>Sp4MCPu>#kPlcpEaQ#OnDMI56GUuO6Q{(aT{#z1aIZ%TL!Siy!8ytDR~(5BJaTj_sG1IA$G*h^KYq0qfxAwEZQ#RzUL)B6!=S z5G6`1%gKcL*?H^xg*-33c@XG$bMvn1UBme}0A!iFEjspR6bU&ctFE|QW~+s9c1GLM zGotA$_)U0n_D%+xsD;aF^DV}-7oqqC{Tw*szxP$~ACG%nJT0Ve|>iCe@75Bh*-k69m z(2b9@?+HT^E^61K#}B1(c(87;ayU~|gUOG*Z(S{rvTdyXaX%;j1xBHLCF5VQ*ceU@ zE&FR^oWaZ90OLCt8$bBhI_J*Pukp?G%ZDezKbg$w=1S(f)Le2}W~~j22AkYp4Veu( zn6g&Q=3Kd_X*likHn%maRdl{i-6~3hE6)8UO-`yYvPvdnBi~;S#C%W-$62ISpTv!X z|J8RgTB+OAF4EqvL{5g0o!|#|v=W}5O%TcAKfSB}4PpXsJfRW(IWAqP*zjiQO`@8H z0WWaS>$vhl+JFl&6sbZuv@Vh|e~+_DPSoAhU=43G zU(H8t>%UxKEDFqju)P?c-}v+$kN}8BR4Cm(x@P(P;+aZN&myKBJ4X4 z8KCtj9Q4rkxD^cZM-bn%1#;pykTzIVAAEPeSwnPdjc#;|bLsw~LmG6>zZZM_?tp8y z$Th0wBBQ$4SuN#I{!>@I-qFLCw{taYz&-^uvpd*-3{qZr1GWB}YIu>2O|>n9@%yed zo5+C7s!-22(JDXD)ol!x0$w4znto0M&+z=SKKVYcsijeBWK~k7{?(mF37y%ez*v@o zgmdp|#%y<`(g2Dv%4gZsc$q%)eK*zF+4L?tDbg}GGXNR?iLXXK(>$qPw3n}{^93G- z(tF7j>*f~up)iD*(x?wIS?%UZ!Aj>jV$g~&=blLpUMdsy&*}+7kROo4pR^Tddo7wobpaLVNF5zwvbB)PHuAsLnk2dIt6+N(s*!gL>&pMCi_#fb 
z%iugZObLl-y1-pxp%*2J{Vn=ZqX@bXiu38;6R0!m>x2~d9b&JKtXkJ?n$Fotk^a6^ zoq<&GLV7oF-O80DD@il$FAlhG>B^12_z-ka`nq;6rHW1JaA`?HW*lb-c(`-uRKh=o zKTfUfW z(YnxP5kBD_T%QQ@ZbLizaQVeSM&k0*#}S%VoAzN`(^P*2Nm{k2TIb!qnOuQ^q09d3 z;yt%rFv9Rkmy>hnVT;d~=^8*42ehKzHf;HLoF~1)1)hXeCVpfa1Oj0QJ^V9wWB8>K zGS-+wKdQhj-;68Ugl;uduCm(r>6lYB>!3o{8BSFvPtUdaeL&)wEPHLt`rGlSoa69< zx+}4?Pes$NzW=_Qehw4q<7wvS%N<*t-M^U%=?Da=nE!U-{C=k|dj?Jd88OGYc3n8x zWtr1SSU0Wn9x#FQ`<#*MtNYl=s-^t41Pt;!_*zh9;3~zZz3y@v&4O(amKFMRlbNt? z!*kP(^z`|2=->G}x4(M6t_@Pxy4QyXAlb9*d|7};0+@FCSvXfdjb56Hkpx1Wmu|p; zO^4=}{v-myqn>oR5BJeoknMoK3epg@4Oy=EiZ85mHESn#@x&Yk-yB?vk zr!_s=<+@+@w?F-%%R5c66p|~rPT3|C+Zm)?g|L`u= zZDwW`z{>eNQ!86x^*RGeEL16Vq+xxApnWw0(SJeDy&`2$UO=JNaBmYcjw6T5;dtTXDk2Hz<&xs4><~p!rq&} z>=5qa;M(BhuIfXHv|A)HRWl?B``U%@DvnPyJGH}%_e!N&x&=wxd-tUdnIlvqgRo_p zmFHx~vf$=shCyE@xkm*yD_`*#T>g2&p!p`J#3idZgrY4*#+#k~UccMnD}{Py_+9_s zou{=4_h`&E*BjcRw?SA7`X9#Dg-JuMpK&RCL%VAv-i!Op_S{`kSNRDaLq~c0Uo)(q zixhe|e2ln@CoIhe;F%^+>fF8MZ@^x`cQ6XE=wX9-k?XzYkFF!T-A&%O=kAT05)K6} zA^qnQJYX{TO%~LEp-CcIYb-)|BZ%10y_brp_jaA|rN)^$p9}TAed*p?)||R1sl*P_SIK6VQFm!@6Rc zW7beDuU#PvL??!+fq@&k0RMrn$JIp!?@fl;IrueYldm^oA5Z1hsrQ~=UU_9IH^QeO z5xSkMCgA`a;~)gak-%i~ST#JHuiCzLKaaZR@;wzV!OwVw`;&uCGU%RvET8en6He}&(s9_@eDsQ%?$ft1cC-p zUwGc@F`VFa#m8mhqpAQz3ri88NtF#SH{vlcw}RQ)HE{O@tJz>s@BiAPt;%KwA zL6i~i1PqBHwq=5zr$V50>kO8h@%{a>1yj&0Zv_nyHXwQ8d=e}&b`|8O4>c$rk4{c*jI*hwZ|%yRT>gAnzKBlL$J}48 z3W;ODyQ}P$@v@aRRh91`I6XF#^WHaf1D9%&k9IfUkdj`x8$8xMI0a z`BOLnHjTaCGuJtX>Mkm)%M*O>JpfYY(uT`+S#FrZi~++cjV=u4&sOIYIe5?jTV%<8 zj=xjmhx(j&!5(Gn8UtKkVBL2(mLg}Z5Z%&9zMECL2Mgfkf}8s{q9ia5#_SsQg>Uxl ze0LA$l&DemhBqm^4Eo_MkL;SRHmWx>J-eO*cWwx7z_B=$|3FFSemK0jP1H#7N8 z{M9#&XMJ{io3D<02oa~ zD>j|={{Fth&e*azbVmq|GNh;gI&-6awF`T z8@*91PZWI6wsslI6M&EJyEfnGrE|c*_^1aK+T!(O%^rY!hey&uq}8-sKwyc3+T6P( zY)I)8d_%}#rw7CMHka2%XJ>#?f&IfWq+N!i4vcx#_czDVee6JV^oy?2!)}oUhvrM zwDOh&d{y_}_;Sv>?+J!G@p#}%Q$(x+W&@=vJdOXR%qz>#X)T+3>#bIUR=8*hY4&W+hIw?L|fBNk0oL>LcO+N7o7X_)k^}?KNAHlcF 
z>o9Ih<0z?JdGfH>Xrpv?K1)^><(+VJ%=Bm@-AY(;ruu@t=u{Y1g)uZ1tx}9zSbkbuVCn#X@ z;`0QS7+uLzHBn(;8CFG73jA6im|}^-^pENe@I6giyzI>zv~W=kLfhy2?dt3{rVx_& z-wfY!Rf)IFT~X}gg*G<;Jv;^J z$W-9!uryj2)=JRb)h6V@5&#|`P!h?(7lnYA1&zA>hsNaI$=vQLCQFTEi@6| zONJ6=H$Ei74kED{ArNGJ=B|!T@+zL>W4lXzef@U=*D;YGP!oWD?tadJUEQtH_g(5Y zNl?(1$ekTb`mnT}02!Zko0nDlgY)K<6k2o3ERLKQ0|aA75D^8+r37vOsurm5{Sanh zp)0R}=(b#Lf!jgd<}I^^etG8zc60?lhCKjKoM{WhTYX3LZ=DY+Nh|l5&p#MAYUh_j zXefcOu87P!Y`GC@iw?vr=3KCJht`m@pYFDKj7T6yGToa^+3sQiLB-6b_G^6-Lahv*-9en zR4P^qerkFp*x+Qt-f8I@Huv$YJqCJ7H|>CN8|bMzOtAjQ{ZF7_K(?O}tR{lsYz>3g z@D#vGhfgscJvx%_vJd!_=TN?Ndv&@G;7rSPZ0lImw1}gq?`&`Pi8peO*24eitR_^U zrJ^PJGfS`xNC4pM&d1Q2n<%fL>GTG~PiyKxFHkL4dsIJ1%SiShY z1k(5FcZ)UINmr_He9G@pw=P_mS904C0HbzU5zSan4%Yxt#eejIqvD`03Ev>a?}H7> zB$@J-b67#?hB4VPTKWqU$`zpnkzZY15mFa(BqdJ?+Mh&r2fxaRjNbf(>u*(5H5oR= z2+pMXlJzY)R%nRG5RBc*2n3_3HDe(>p4ET=6q9WF)U>s`c3vH1Wu=@>5^lNX6}U+% z0as*l-u2(^?IYrrOeyuD?KD7jzur*R@yN&HinS3L9JM&nWKrorh;0NRd^I;WC7BmYXj zOYmQ4Out-(>$`|&5-!u5+?*V$Kh{j&bC5*6S#1#9YUjAxP-l>LLai*c=HOA$Xg>)v zSm#NTCGoeG266yTdnEc3QhQFVcW&(jcvy~S$CjVRbS;x^MC1XiW2zdyxdrr~&tUS` z{;uZ0b0}geiJ*ktZck(rs!zx;rT{D#)+0~aVaS6Qd=i@{Tsu?b4WlATym{SC?QS{# z@spnEq5H7s${Y?p4VF0Wxf{{A#*e)u9b3v01^eX1%RFTPw^^eC*9W-YpHUfsuY&1v z!WRpkhs0>1Z2C#-e4qM+k!fPj)uqlqz*+xi;P1O%8RgcScsrldw7c-+pq;uOb0W=G zgVzW_T=*5yx3)Avbnpg%J7)#rhNV-+{OsH6PJoar4IyO4jpw9Zlo-X25JYIrN*{BF zc6EOu;)w=e-*90`7@K}vI|Gf<0=IZVvhHzCDInPp(+_7)d@UyqU=d7FQw)!nI#nch zW<;x_@$N_D2&;e%(+jsmjtOk!ql(WrcKHv3HVj3gKi2L5NYc$6X&&Z!CI_Tv6mfSa2@gt5u=-+CWpC(5_-UYEO161J1sUX7Y(XFZ_q7Ob3&b-SC z3qUv$%0j!o9%$fuJ)X59#2~Nz-w~8Kmer3INL!qPB#}9LITR26)+@pnVCdgFBk-M$ zl2jwani*bF$zdm``+r+gYNHA!9FjPc^jwQo0`8j~Ko`64CJ?`!;n_9p6U- z+w{o8AFFp>Ww(H^Yz`Gs-SEEx*;R^+AXLR5k z^m1-fdJ|K|@xC2}WIqcY zY{=aU#1-(KrQZo@c1<%E-UTafLPq_7#EuhF-_ZMPROx1M6}+R8hvmO`CwkmLf=vo+ zwBTz4BSQh+7O>DkPg>{`7#@UtQuPBqh9cw&?{^5f&+CkReC8Ltr6_2#=8mWE5iiP3 z>JySb^Yp2#zck7B&?m_FWx}XK16}v^#5Zit{ORSLb9l&TZ-2ufudOeuPvzlb!djPIAhp(Fl}k_kK#=u6~=<4nG(zD9JDlVEv!^ zD4S^+P~$K2;yPKM1x-K!@bb&!QZ^#;^?6b 
zkMe^b(`{V4{%VWT;@GrStgAgnJm3x}SBR&^E!p3u~l7~OISKiNk z7qtjzcyCLp2r#^}nwgSOcAf$;tYIn;#z=eDLx$l>unW@> zX`5i557*PHI2E&Y-a213uy{=cXB|0{O~GSdHFi01|P zb5u(HFXn$s$^Uo4utiiS&U*3K_v1K_Y+?Q02RA-_VkS%=iTJPV2mI7PBCq`PX<&p# zoE(Fr5K!=8`RYwI^Z!^b_&+~I$Xnc!Y&uTh-JsHEIt)ytjp4qps37^&`wxazT6WkR z5qj-^CjQK{r3yc61H*!Yo1H9-ml3D|uc>^LkOoKL^PF^C)^Kmy!55M!(ay}zo;Dns z6`DOCILE1RgS}jP9e<`*aXGGgWR-0`T$82U%mqjjGV{WevGuYP0l)|oskZ}Do4LTE z@T9Ql!8=cn`B$3HKUjaUTM+JFx9P?e@@)TbA?ET>?ES}#5Du-#-$<1j|9Iwa{N=(4 z*)kKX^HUqSuME_eR<^DM%VSHy*<0ZVwim26<>Ai0_cUn&O<&@}#Uy+yG!bTlg&a%# z@!||+_dSI<&pb^_2DQ`6qKrn#Z`T`9fQ z!SN}lWS~4G+_7%2kp^()l+P4qvA-Vh;7&eu$0O%F>d&iCGpOT(!9hvEUBa?pYtO{j zogSW^-ZWzdfKYQ1uy1g2aa9A6IiT8zW^EIXJC}1;rj;0rUq_>tGZ%!>fwQM1|?k*PmSK!_2T*x3COtw_l8;ex&mcKD`K4(eC9_5O9mMcdhlt@Bf!e0dZ&adrexe z9+6x8%&_$Rxx}gqy9MI>H0KMG{X#Y?WPA4)WRJ?R!pKA9i8qac&)riAQtK&a$7-N= zb}Hi2yhvfeZcmi2_WOf&8!zC6nFb;S8@4R3a+~TIGkt?c>+I@cJ3)^kcl%#g)E64V zW^AGA`kemRIfo3=JtCw1mPVX>PuK=oWVx(HhCZr-=as!){Ovd z%kG`{W+>dmV$XQB%qH*nvVCkPWE7x|gM}A>Qow&E@6`Z8X;HOjDf`ukp&{uTYdWYt zZJR<-m6QLQMQh+aP4?pEXE|5%WV_ahJ~@$ba19|;PM;vdu`7g2{?76=Yu(PfR%$C1 zo1IS1F8<_7n_`?Z#g^+*0Oumc$Bltdxwvst>aZ-sWwuxPdNkUDPf_b6p!Ct0ER-se z;_jPrwLB`-4sUjG1R>NAmA378j!cefG_uosTg}!E<+B;(LDM z+=@vt{X9S22vx;n*>55t%j!s8?3D%_Wj#NBM^K)P1kx z4|jo(LWk}%U~fkP`|r3K5Xd3`^NckRY@d5S!42b=x{IWz1t z=>ycHrU5<8FHsh6k6#CSi|-v;>PPk1n0anL!buw`clZ0We@}`GNkid>ibH;rCzHa? 
zzRgX7yhG}cJD@|;f{qd~+R^h(9s>D0+_0T1^6fpKYp}aHXeh}55}pOnBMNVPDGHzJ ztUVP+?*hR|%fiLlM%3ze0RkcfAT!@Sg?dhT`0i{56$mnQgQ~)lI0u% z#q{brgkp^MhCtSFm*iPl*?dg(kofN9s+zZa7ph{(({z~=P3L{~7D5Pf;seTWFK?!5 zBk66qn=XxRxFd1vn9*af-8f|F>JY3_I4K6CzuS-T zoS)O}j1YFTS54{fZWen1E~V;dAoNH6285wL$cn5Pz=pJZxL_H7oj};lwkLO#GQzt3 zQZ(@1p1Vy$WtwfLlx7y!CZ4>H8P}UNCTmVa)Ox$=zRuaqz_0-p7;1Y*Wutwqy87HXm|{P$NJ z3{osda}=aAs{KoUNSeyt$asiCvN_k|+Wgn^N^xug?^wCqb)kgb_=11CJ(TlHFmSqg z5?=Y}`w3cDvn9OxHO_h-+RK)KjNfEW#pXo6GQ2TNlVu*oD_3NY?PvG4qZEHCoG{Jd!$ax%T16F z0MxOkkU=8w)@XBMQeNvhh6kXITWD88=|zsq#kOFAQ0JV!3g+C_GtlphrT7P*Li4#y zDlA&XXvd~yhnD4T6%PP&IM539lKF$vc(0wBd6ye}^HQIS7Y{Rp6!Xl65IV1;m%iQj zx_*4q17%AqckOidBmarXa?EKTQQQIRxwp7(gUVNO0Wh%LWaoGu)O7<*hJ$FXZ^o}g z@6N{ef9GeO&<4MGf-1=avfp2|okGuDQ3f;v%UqUPIKoGSp6r%Px>UmI{7#Th) zBYimPruxQbJ6BsjY6$T+WYpLs$-0E?1GPsN!0bB>q-17F&zuuP#4|E7e5|wXR-q$o zbI16(^ajXjV?y6sFu4ctK;O#_rv0zp*faqA*G@E(dqOIp4WsKafNqCz6d%c14NKn? zia4He>=EwbuUZ3+I3HWgwvb__?N$R~5Up2~7%h&pB-kyHJ^ax!lrN#%1;muj6Ggqg zr4mw7zw<)kbU?s6i|x(#wP=BM?PYk(P?>xlUs)o*s@Vqk4oFDPQ$WVsKbN}(3IH}J)obI$3mO6G3OE00@=Xyh?j*8C zdaE^1)BE1tY)Nt>nc8UwzSZ79W*wWVL=ohi^CA3n$l=e7BDKvLk1!Y)Uz@4+2k_uk z1b)2DTXBkJU_V|!y@`i0r9m1vQD_p{4ro$^A+1EYe#a}aBBbS=g^BfP!x;u@3O2ZcluZTI+e z!FW*&H$(DjO$h_0KOhOK{*kewOMd9^Y}EVO0@WdS^Agh|Q9>|91VhdWkj_<#$W{hF z?izWY)a_m8)D3lr0=b+$Z*dXJQvKCQZ~Q^@Q#!UJS1Uc66vkShbet06Ebz3w$zkY{ z#-4z$8f@A}Pr5B}1M_RsFe=zW$2vk)dF|+;dw>j=&Q7#<)ydC+Ib)cmJM^pzbS*m| z?u~Ih$cJ&Q=6&7o&^kiv*u$V-OFWIm7~>=Go7@gl@%!-e%~(TnYryb&TQ4!!R31_=d_N+B4DfzUJQM()Uz@{zQU6n0?TkTN=*q21K%ZYi zphi?*TbTESt^uz+&LeKs5Pa?+-E=<1xlzYh%!8z3djkw*W7^ig`sXj~3TjDK4ifR0 zDU|SODfGMGp>-f5-QLyWC>K;Q_y$kh)lnDhK8)__UHRs!72L4vd1*iU7Qwac-16Sx zcu-1n@3*##!z96ikd@U}GwU?IkBH9DsC+wplcIRX>i%hR>T%wk<6Nt`XPG3l;Rj-_ zE#d4G77@}EXQ*Bma>%u5-19LnGnkyUIIcT`0V{@o?*^rTlOokEtvg~O=fwwCmUyjm z+}Ex&woKc9+XOr8@yY|%2JEm{@r@MYy`8@$)u<{AwG=*E_fun!_NOA3(&c*i#0W-v zZm}sK98=K4pkMcoRf{W(uEkdmIl{notw3qP;G;&6%YjlGWaR$Q%+*x${rce#qVHg? 
z2nIxcmNmtynmcTQT*rDjauJBnoOt>!X$<#>o?1iBf**n9qMmiTp(JpwcW%DCA#O4j z6fa@j7(AdXJIN<*nznW8&LXR<-|1`jD0GCGKF(&uof1xrI^Ct(^71!8T3MwJ zDyQ2_cLL(j%6{Y}CvXGoiS&oCUk{S-d(|9$m;)r0_otm@`6X`5+idEB-WLsv=Q;j& z%aX^G%M!02KxXOTYsYk9ZHfz-tF5oRt^KFh{fwv=z#!H7VwRW!gN)bhmmW2_Iw?t5k ztQYX(Bf$@(_sb7G?%jwRN_|tAYrPO|<5J@zW37aCXsrKiZ7vfSJhA7BGi&%_RqGhY zveBdV9d*n0=CkNu1JhE-5>!0msz_4}zV>5#KUo3o3^i**rs*5BoM{anfRHY?QFh+E zaF%(jpIx#?2-=3VH9lA=%2JNrJySy!w&vDHAr!gxojhLJ>2BIuzk&B3!jKt?yfR_f zl?WKIs_#z?)fu;3&NfmmVi;oxQK&lWA6^FZKbBI#@TzDyaxoLDgMRGDs85g+{)Qd1 z%2?XtrZMfdI*hR*oY6Mhtm5fAtmn2k39p_VLNycR)c^M_?LsYj>b9(rs`88%_$OV2TPX=hZ}SLv1_F?<}-E*#wPS0%|; z^|yDL%0XLGu&eX9)6ayoJh}n*uxv4MBW!=tt@c{>o=A2qtH(hFud7mrw*aMjd;>|V z*cJTLZ_!Cfxrecg$I~BPZ0DDAlOY=%N=Do+M8e_>n5xSSQi*q832rh3+X`b#EctRH9-mF-rW3EzHbT7^6UW5m3i7!ee zo>JrpLLi@lqvsjl^Y7HS8)5xZ{BJyTP`KS!H!OWEU(IcTH93jDJbl?|{OwM8Au28M zY(AZVZ?Z*ZjH)9p9nWr$0Pdyks9eVc&o;iL5Pxeu`i*W2vjLEx$|^`w&Ja?NFMhn8 zv*uQRX!=9s1?_H*XZAHK*_6v**Ie zTt%exGg%sZDIV;TTJ|vB{MoD$szFZ2xJ19j(Dq15p9E zeSBRfRnKY~RpafRmnX+k$`l+U!!pP;(|+-2e(Co3skPUcJQH#;-|vuq&gnHxc@>^r zcJ0e#?18E)Qr)vizTp?f@3wE_voP~V3R9!o>*=N!Dmj?@c4;&0rc2}BJrbutgV_}p ztnxq*{|_`j2OUvJNQ~58ZLZ)(5SjwP9A;q`x_0-|tI{AiF|n2D*b`SsX-wIv465Im=PvH1civ{}z{&HFn-l4+G?l8=OJEDvv4rwsTQa6b0&0)&7Z zV{EN^GtPUaS5ejVj-?fs2v)=bmRLk3lzEi?QrpHvT=WJ}-0bY;nz7SYuOh7cYYqK4 zS4&5?{Mpiw((7RQ|rTYR~0M~tGGws_IP(RotIniwDJo(L)y-|77BcFwt=#8zQ$ zm_ZGST&l!$8qK41MT3hhyvj}xK~H2ATJIX!6`mubmB(DA(j#3En9{M<%Rx5U#H8no zNbe_)WnB26!FGm~enl%3Nl;0gg2fOd8`0DEe6oBcO=f;Pkak)|aiX4cg&TIwDe~#^ z^%ch)e}{21snpKhejxl7j_0&NrXUsFeUWkHVK4MJVNayUXC_z?&e_hECB*u%o2hrR z#}zGjx_)ceCHrgcUv~@@k0(F5#bwXo5#eQoTjq;Zex%HYjC-mwmZ`s3xOty`=Sq5V zGm1jxNe`)2w&pT%2(?o4IjWJ=GPWbKR)3XlHY`A~u=Q!io?5I(sg;=FQY{?7G*eC+I($2&bTCVYGZo%pp;&YQB9#-BJF&3>J` z7!P7Te;qlXbE=?QpRh`nIgX_{U1{JtIU#;jrDu{LzjZLT!ty7NLFC-jo7Jm>v(K%q z#^SV+_DIJQldx}P` zT=a=G-&!|G_z(E53MKt+x)F?t@U-gsuJFfdJbhX7WR=+CQpmS_E*pC0wxY zqGbOTUnY#l&n3Asr#`yY%X#?u@Ht*}NkGqSTP6}EVc{D;7$+1;`w{^tjCUH9*~@H&D5ONDFbFkZ>Q~pcDDs 
zIK>?Mgay|C``1rm?`;mc%GI2_lM5DnZkJQud5lnuyP+CFN0 zE#*v2?x1e54MGs(e;5K^q|omjW37I)T|4q~QvC+Y8rw$v2?}e3Hk1^)qj_?(;Djj% zx0p%aQKbVWP%4FoE&*Zrz{=Adm#O+SwL z+MvfyWKp$4wkUZs0!GGSZrZ1#XPv~$D8>3ion+I9@2nMZvkq0!hZc-;qDL_+8HF{F zSvDU^vINvK+h)2&OmT@g2rMDzTka9TN42Z8eJxJ_At5`5v1Q`srvu#Egzn5B>P!~f znHwGbWoH)rDi_MHn@hv}6>o1oY%yt`kV@#^{>OE+?U2lpew5c@S&CMUwE0971NyuU zaxc)d@HR;Vi68fElxKR+Mh8fRG3G2?fp0+LprO#aHBXvU4g>;rs zTwioR!J5n7b5iU@kB}=%omaNY*!Y~jHmtaSx|MfCcs)SfZ$+!|poJJBJP%7eGKaal zw%n_sTKxHrnmPPcCF^ld6{WIJb!k7j-EL4vh^*rDY;stgvq52 zyKRKb9)1FuO;g{7KqH!S_ zIl?2KN-}M^kJ^QNCk%7STJ>L9CVVxmitFerPZO2@#@zed?58T?+Kk&hf%@%vm}@ic z#q6`i8aHIekEV7GZ1l(1m>D;MHj^NyNEV41PUYp9h^5(hcvFyN4O+8aEVNwCxyu)Y zaHcq;1Aq?Pj@V5jN9sMoE#jKg`&DwM?*h0mCo!Ki%NvX1{oMP6&EF=3`XzoNbYWN3 zSyUn^TCTU)Qk4b4XFZy#zNx@nJ9OCm7wqZx;{wp!p;|5DXFE06Wd)J~^(oZ4V+>^n zN1&V#1xxA(%O7n2Rh2-Wj0mij39_Hrf2O{)r)rs)i1ZWigW~IDSAJEg#f@&_aHtBl z!vJzseHxWMxmD&fZ$kJp4u|8etpfje#wDI8!oEOnzAMSs(5F!#DxCmA944u1FuDimWe4blFbVY5fuAQ*)?`H0?kl#axcpr+=q8#7j*7gi|EK)tK zDGNn7r`e`!<-@YMw9=S=`fQVqB(^RV)fY zGMaCW%#l;xHVRvCeMGRItmwZV{w1u`9AU5@S7k(Z_LwsiF{q-@>O*s)%SqIoLVcvj zQN=P!eZmwk_9Uv4+W&Icap&1v5&K=fpEP50hh-P5EFIS?xx11zxRE|REdk-;qsVF9 zX7-@(w4bUYZ)0|4R}BkU27VL!=S{%By%$3IO)7tVq327oFHNCCWV5W$A@K9Pj-BLg z0juRyMxNob1dbLj@FGPOq?KxUb4!fVO7st>V%DjulEAMc*|ppL`#rz7KR>*X8C{%k z4SRBNA}p~`o9tAPdNIn(m|f9}tLt}C>OkwBI`^?1;hLc zIGij}qU_V;Mhm!wRK6AH@$B-AH1mtPms+KTt+O(fd_`c>vY(OY zn6O5;l1KBWtkE%a*E$z=b}PHPl)EkN2r2(CM~b7d6yLe?^3B5x#G`Lmv@&ZiR}5Tq z%|m9G6!lYU@X;jRw=iwhq+&n$=!KAqG4|{Q{+ag|UejHbhXI0NL;iEei+7Yv$2(oFE1JLsz*4xawp(wjAa2c=CMw)EiE~oEQT#9kX6N0(BWd77sIsRn^OY-1cnG@$fPn|ZMLigL-6 z3sCFDl2}$Z-#(r-^F}l4n}ogBYWV?|yODl6D>!HE+b`sVV(XS*OSiFnSS^2P!1+_6 z^~sDMKWi7}4*B;EA7z4w4%4*AJVysq>VbFo8B8hG3~=9!dNtW1aMa#&YFRexL6k_* z`ABac8Y2s}6*|e*iAM2Jx~1rDO5B|14kcRrBH1LKdi)D06zchRW)%LH7lztO7 z6TWByq$_|p(MCbYcWK?*?IZDu5HJ-}r?C3Pllk5?AZbOp$Qj~kXCz;uMC7XjvBCWT zS5kfv1I`v{YVi_4n}Jx*|L9fJjXn-Rrf8?S7#P-o?%e42oNlJs@D}8rEUaPls~~v%u6Nh 
z-!eBJ#soL~Jo)myk|wghc;?8Wet=vR3>%@xwq`08j500iak|XPZ27%LY^Et<7l=#d zay?th!Q((D8I81r?5k+r7$4IuzbnVwNgPv1p#tA@nu&!!?n`bMzoZwLv??^gs` z;z7T3?&`|Q!zS8_x$F0IDZ%Tm6R&cRyhb=qyEZ=s&CILo+P;4M8c=)30`|U_li8A< zmIs|>yVSK%u8=#2i>uh*e@Y3xjgM>9oFVq4i$pfIhNnLbc*U!!TSz%>mC7+Ogpro= zS=!>_Ij<{$S6cmiQ5h*D7nzOTOU67`3k!B zaT5mn{`JTP)8!`#q*+vdzhwAF0VSh1NP#3+Oeujt1oZH&e(?|g{-tj8AOE&}$;eFn zM04jlxOCKmwBXg<=TtO**;P?@daf<~T{K}7VAX3-M_t)}a?^^eF+d_T2FR@T2UCHK{(zyGa1UtIq7s`68JHoES#mi{ z;dF*>@cVcArN0k>Mm?@{7!b%Ef9Oia4fPB@@_OXE=3vhL2^tFT-{1NlOgOcKQ5py_ z`y(WsGuO&GxZFyhuV}#HK4lD0X5r-zGJDg}t&IVm@3Wqk(@2h^M8LZNrOM_$MT`oa z{7+Eqmj7t*5l9xQM?i_i=Cg6{ps|DSn8T;9vv>W&Y7y1r?lE71-laN5lk-!rD^E1NqbZk)-Qd$ zTmY3PtAUzmNKbA{6_D=F7rSXMm3-Yd1|K~!J9_8rW675;09kV7;LjmZMfszrBbWb< z_Dx42oEheW+AVXPQLdYdm#w!jDzyk^A@2=S%YFN{9Ro1oF~DZF2dmcL!~LR)iXXJn z^Y9a(eqm3$0kIWkNJ%`T4$-Mf&ULqlGu>owds+~UBjt`H4 zz@~VEn+LOe0QfgEV{|ju&5xdMFzV!BCiE1}JRALf-q9FYF~4}$ICTNYBTiHP2gTG> zs!Wp^t+cW|X-v?Vt)MY8Aie`$TO>M2)~lZRO>r5HZE{(H7>h@J1B#oap+Hd87y)JC zm9&m{&J`L3l+IR(*Vk^K`x1YB(;-zKdl)hU*GzRH^Y=MgNc&2mI8QXHV7Gw#$UlNwq^2p`dzP|MSPl(Fq?!@yZ5dq0 zO)Lu-CtpelQngyImjOlvd?x7+Dhu>zi+xj%>AXu8i za*{lojG~nXkfW0(yyxOD!kum%oVHMbHb=HaE-ps2VfcMTqeDsUJ98Y?0}S@ybtHX+ z$>t0GB`mb!u6IQ-GmoD|dKsbuXVMx^Z6<2Ub=WNY46PfQXCk@R4`sJ?mq z_wO+WN>t+bpIf&^xJ; z*!u>T&wS!L!VUFJYv@DmQTgGdDjcvULUCHj0yI(_<>H&PC?&?k8y<@~vQT}Sk>yjs z-p4ht=v++y`5orNt#hslN52n6(k^1LP`~$pfplTVsF_= zKyDr#o7}IuOay`kC^~u54(<@|y0ndFy(w@zv5OC{z zCDtLzr?(q%2YQw<^w)(@?|!_~-RT~0o};%5s{~>IoapnCW=7{?k}Hs5Y*i)Q@lMyqct9@?RLwY9Xx!E7f(>dEqEUsMNo;JALhHHLhW zSirdf6!$+W49MKKTLE9{z6-?y`ay(r5~ChHJIsLxSaEaFM<{KkgavtpY8cSd%DqyS zCTU}}&72vtG79%H*{p5J zlK0F@u<0jC^oY&>R(94*cHQ|>AG_T7`Xe7ilVhSHy(qlacmf8kT%@OIRHTdw4Dm9Y zCY=p`7`O5FxG;FaFJwU20MTTk)67q2S2; ze*hk+-xf4^ioV|E&LSgw&zs;KUq(sE!cdfZ;ue zt(v4P6Qfx`2Ezv_$0ppnh4-r)&xG}~(xBqdKG2FzVZdQORyVmkNv>GT79z7IMtyHBj+2%HnRwtrnIo6Q$G-^xn6JziFzQ0-^J_%_}||% z`TVd$VKh;Li#5$}Avb~DrQWT+>W>@52!zg;av0mtOJ^@FPgNskM$?Q*xs^+R;fu(p%{~&ZU;DtLx 
z;UXp4)P9c-S7RRo1+BfjygZQV%K85J@P78^_ug$k7Q?-bjV|>L?0kM6oZQP2?3ra> z*PL8-xcAe{14h7JNbd`%OU3uEjevpu1K5{ZrpGU5Ky*;`2y8^>eQpotfr$DuP`cs< z&3v7Fp)F|37o4oc#l^i(N9_e)OE_grfUsg8=(>(8i>pSjm5gu?>>SnWW{7tVIaq_} z;`7#A#~4s2td`WRKfl+DIjF^t0InWZRAh8)Z0+~^oPGak(*fqC{c#WcXaD_?jO8;RMQ%NjPV~;mjo5e>0T3vZ7DsddXH7%BJg*gS~z9 zkby9*{O)ZiwsQbl;;J8dvb|9F5_lQ~kxB#oAOhN9Ii39Oi_@2_BhrMAA8xuaDu`MSMj*_`H(6f;-7jF#D=y=Ex%se zGT^4SGPgCs+kvFlaeKbgES7%+u%7ChT0aIK+AaPX2GZ_gBcW$5M5y|Z7fs#G(yCJ8 z*&iW_3A7oF0ScuhyHjPNKfrWiJfH)tH)`K#dOcvZtYh_Un%VZcprH1KS1(kMIN__rJ7PIf#*NZzX@`zvzi!%+w{J3+x26nHLnqXlOm z?YfI((js|Sz%xjiy2m`1W_zo_4}?K$lAkPiWMpJk!I8e_L9gt8 z+~yZn~&%d}OBltnsJ`r#d1-A_RR*>M@L`Z%p z-gjMvlQ=kX4lJxXmdjv^o?{p@18uifTgKr;9x5VVmh+F7LOt3u6L46`6ugF51JD8; z;^!e*6wnF2;Y(%35RDd0%-b%-iuDx+nvrK%)KoqrF00R}o=Z?@zywA-^P7Cl8S{8; zhw~V)3oRgKFp$m?ud$0S((KixTR;4>T0IpIfMLm@-cR&byCR8IYuM1Ti}d)mPhpBr zU-}uF=bVgzh&v_K(WMuI)eQ^X!g%zhkKDDcx;|W^IM%l1;BcCS*A4AA^V80eGHlh zHEsEU?eGjE5&G0@?_a|akTm>0U=dZBhRBeTR6SnJO|HlmvF31cTFjvZlmyjB9fIpG z{g8_6nVJqce6MiU`JRTvjOI9+z>1q2ENZFu8}&CbL%(xhQ;~nVQe2(QojN18U5h*i zM5Z}G)e^AU1BS`V+DTa>j*o(H4Ri8V?3Iz}>Qdyx7m%*5%A%Rb<=bz@9K&1%4wpW{ zj+C8m=i;&wyDs*7WL6I`E-uf0yguEUkyV}Al0hoh;9P}J>Y0WEL3o-R8qD=Pe~bdh zMz6$JPhfylyeXqa>CR-jWXgsWpZ3RA+e|0dV*baCHC!`mHjUC;LV`<-#mfhrgsn?7 ziM>7+hY5I=oM;+};U>J(Y+Wph8usM%-{W7^D<0hvwIVX9g}E?2Ijk35L0@Xs_VTK( z#)k1+{&zfC)?3kB!kS_6mrHkgwi8>7h7@M-MCt!dmfr2z}q&C53YmSh{IuAD>s ze^IeC0?XD3w)KGZ0WT05y~TVFnVuC%?F3BdGpp^(D&(g9i=T$18Xgc)L^FX*SK?ls;}E$4tj@&PHqqta+@$ zuW;zY(Kgf)aAF~LnmXqpClv3Xx00gW2(l-MNU2{ODab-|G~kG7P_IlfJgsi?mt-Gy`Oo_|12!o-l*H+r2r?0Yr z=rpv?gF?vVYg0LgSiEk5CIN+KmNgkem*~L?DIp5VS*Y8F*F?u|N1{7Ts0xJ+B5MEg{8V(Sj`NlgeJtH#q>Mt z`m8dqb-7_lk)H088~m|NfD(E0B38yreEe6#42?^a2j8ZQ>v!uy;<=73#Ui&dqIlsB zzVUXx+o*bqq}yZ&1H>Qc`4Z-Wo~?f#7p6vnwdRM(c+?Y2?YWs>yu1`Dt4*TgE)`bi zv!8=yAMb-bbW7{XQaFQrOX`)H3YxaKq85tDyPx$OX2L4*o$vclb_m5qRgwf-+nuSXyCAcoa~r`7m+N~E#WhM3dqbAogVUr4z4CPy=XozKRtBbS$*Kk=s|SG{YuCIdR3Vgzu3^C78xE>~aB0i{7>J$=iZ@-g#1lS!=P 
z+1Y&ydEfn5WwGfeO}QvdSOUoeZ)Sp0I$<06krrut7+Ujb==4qAwHhb(FOd|~rj=2N z)+??`c765Q1%A_CXkD5uR_U3&gIfr`6GQ}U(MA#DTrE@)KeaBr{e`{-*e|gzkj*Hu z&OMy2iB;;{8>GvQI}W?0ZEKlxfD1Z6W^3rm3(mT~cB-#23I7|i6ecchW*q%WVHl4O-b!POIC&1|=?t7#-k zUFiZ{6h3WZqTa}@7Z8ATr^r}}%%`a)ygyEhYl(rc&84fN=8DnqlDuBkN!v|PfN2K6 z9&YjoFH8I2=wC(Y?Ypejpv&ef?o(4!okRXRY4$g5d<9=qC7_Afoog&FC9%g6FtM-u z2b5l=?Z|8Ah-8)$Stp>A3GFI>@K|mfZn{87rhS*PU!hlXTgp_s3U6f_x*q1O7D}B= z^$xumAUk&@iHT`tcV*`(d2yChCCY8cqZrmd&z3YvvCTN6VJ^x=XFS%~;9yuT97SfsgrE#xILjtZpPe;6U_?X&8@OSZa`Ush}@?9A2 zVgDJCZm$>_9M|!CQ*LIV39B@sEQECR<{HLTz!fk&a?<2v$! zw*nIbGorcTL!K==xf;c|9aVNc&$r;}(iyeEGV0^&q1MAM{GWc^dAQvqhDsV_{p5wrFQ-?Z z`|(S0beT8TDtAHo!bgR;xlprk(?|EkP}in155Xp^zc;v05!U}cn*`Z>KxSuo_dEYr zdW5=he%|LUcL{xB|1(cF*R?m{*rcc1QOv?)sDaA6N4NFIiAzyJj?km*)(}B#YI%`z zag&KeD7_}^f)NvUGIm|#B_WJODyGa^DIJ)+kW&$NzmO8dU$siUp>O&{-+SSvqO^*l zyWf|8P|v-;z)!q=H&Y-S?xs%^0+|4EDsBa-M7eh`55Ic5dEX>c@Q4pC4`Fm|z$%k! zQ`4MA&u5n^;L&q@@Tr-H4y)3&>Nq1;ShmybG&27r28-)%51G$1a<}`%{p}yvuHlc% zA?ZyNGw<3jYhQomkehq2^T)M!Z&kwEiBs1?WfU7FI^N{B@$_G_Ad%UUrYo3!xVU!@ zc8v*xdnJXiAZz-5Lz64VnJ8ZEvJM+66>-aS%x{<4t?j5#?t|(F&-Xg7W*a3sPtI$P z7w8EQ!SzrrsT%9*elE>GK?ot zRw*{?+y_bJO&*G7NUB5Ed!|BLgK!%{eKI^xhi$%FP*AQ=Qnee!l5rG%r}ZYXMM{wD z=BrP8@-emFKGO{)u1wM=ILXy*-Kap}Wy9#Kx3t^j*u|eMlUe18+bb7}r3&g{`=WW~ zxb8C7G`7w7@S8gW=@OeLy^to?^F>0-C|BF(6{x4OE{YfDn!$EAS!i;2D5zirjN!Bg ztkF)LptLy%!zD4x@Wv#-zfS?lIbj=emTQK~)^c_Kt~{{58>GcDZca}Bp`D8kgXc>_ zzDrE4xw_+Pu(o>_pW#+_px&|9LjxQdgqz5#4)sX8`v2#U*Azg1eS2oFKo;7?%rD<2*cqkGeWtw%ol_w=MMQ$5_4nt!3P z3LMt5I01hGfe*Xl@x z)BLx@JIk|?o+4MdQg}4s89^wYwa-J2b8(XUE5ND|vYXdk1cjJtfU9&vNR~R1)y#W_ z6m*Lyc7n{#1hc()sUG>gNHsL`X@^7~7j>*L)EGDXl3UF4=ck!ZFi*_y-knt_=yvz< zsb#T7Vj4BsFo|@Iwt=$-4;~y{^-~7}G-hC6&hPYG8SEXca$+z3Y%1fm?g(6aVh5SI zqbS1^)zpB<$da=x$kjsGV)_A+V+*cINb@nh8-0C=}s5LLsgeW(EcZ zjLc!ARz%<7VWehpr3x!;FAL$ymDa{zOLNOH2jd=V0G%%dsBaft=_$adRsr?@uc^&* zo57EUq9?$n%yOgQq~zj*{j5I-wErS`7qGpMa==L+0r~to`D6DU(Z z5IY_~2mSL+sCeV$u-Rsevotf zSpbs|wcf+9{)@(o^OKW3UCD``ImxK1c6=fSV}Hsi4YB1>?S{3P98efm0rXD|?a?|+ 
z(l?Z+LLTVc*NUDCb$I;@U-9zt_8Gt!Kio@AnwEYAz&DmlrgSHbz%FPXXo-dac4H4@ zi;ezfv(1WjFix4D5inLO5Y<#BD4Y)`7%EwixPWO|X-)Oz>2G(fN>jQx7v!BI^qstW zS_5BAu9H;w1V4vpj0F6J)tVA#GcswDtFAG1!@bp*=w$=i3! zynYX~8$7gO0w!R+j)$8w63=$+0!?9KK&!NV(2km?l08|iSOXa1-nw@z#gd>487+q$ zWay_b8AZ?MHx3mPo*k?^IgM6sVJ}6{urJ1OY#AC^lDZVy|6*XS*=(UcTgiHpyyJfQ zu;TI2A%sWmtqkE~VAIb4o}@9Q-w2EpeX$)!BTE3%EQ7$S9Ae_b?;6}ko?AZ-+8zZQ zEv!LC2ljk4^W0W)`HWzwe;Plhte!%CZ`KUEIgsybSHJ=XI|%xQDF z8H4Gth$UY-2jJ35U3>tjvyKvyb4+hswLb(vr{gP|)G|V1vSCn>Tq7kt;LMBKoR*uP z15l?uwj;jSC%#4Ovs8{SQgy{*eZ02ed+Q}z%Ri|GYh_Zv`K`X}4Uxjpe6s&_F05Z0 zy~c3Wn6pEI{C;|Z7r<~$F3!&!j3-w$x;=CJ_qQw&S7*hU$WR0BxLjAgKL36ta-V|l zpB)URZpEnt%8;!BjcOs|1(a^8`-0-xPCnu0eV+7N+S+Sf*FP0S2LdGS_z8?n{d_u< zZhwmyp=bK%uNaFAw+-qKyY^qVaO_T?s=YmgS9Rbjr~@GUQF8*q!}t`TkS=bYq#$VN z2#(T4mmG}$Dv-o)4XOH>S#sX|Cq)v6SUXm{-EjQpJJR(|otI>@Hw zonF>Ip=31w4ozgy7}rD2Pku}9K0lWvr%xmqlEI17PB1YF=xmZbIolgLu&jK6Hi)_u z`

Date: Tue, 17 Oct 2023 08:14:39 -0700 Subject: [PATCH 022/114] edits --- windows/client-management/copilot-overview.md | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 62dbaa8c80..a6faa910aa 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -20,7 +20,7 @@ At a high level, configuring Copilot in Windows for your organization involves t 1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled 1. Verify [other settings that might impact Copilot in Windows](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. |   | Setting | |---|---| 
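Review bot: "users can't use Copilot in Windows and the icon doesn't appear on the taskbar either" in the added line leaves "either" dangling now that the two sentences are merged; either drop it or keep the original two sentences ("... can't use Copilot in Windows. The Copilot icon doesn't appear on the taskbar either."). The paragraph also names the **Turn off Windows Copilot** policy without saying where it lives, while a later hunk in this same patch gives its CSP path (`./User/Vendor/MSFT/WindowsAI/TurnOffWindowsCopilot`) and its Group Policy path under **User Configuration**; a link to that list here would tell readers up front that this is a per-user policy.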
@@ -34,22 +34,27 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat **Bing Chat**: -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer commercial data protection. Users in your organization get consumer Bing Chat without extra commercial protections. The following privacy and security protections apply for Bing Chat: +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. **Bing Chat Enterprise**: -[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios. The following privacy and security protections apply for Bing Chat Enterprise: +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: - With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. 
Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing chat enterprise is available, at no additional cost, for customers who are licensed for Microsoft 365 E3 or E5, A3 or A5 for faculty, Business Standard, or Business Premium. +- Bing chat enterprise is available, at no additional cost, for the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Business Standard + - Business Premium + > [!Note] > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform 
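Review bot: The changed Bing Chat sentence softens a security-relevant statement. "doesn't offer commercial data protection" became "doesn't offer the same commercial data protection as Bing Chat Enterprise does", which can be read as consumer Bing Chat offering some commercial data protection, and the deleted sentence ("Users in your organization get consumer Bing Chat without extra commercial protections") was the one that made the exposure explicit. Unless consumer Bing Chat does carry partial commercial protection, restore the unqualified wording. Smaller points in the same hunk: "Bing chat enterprise is available, at no additional cost" is the only lowercase spelling on the page, and this licence list is repeated in the next hunk (@@ -68,6 +73,7 @@), where the A3/A5 entry gains an "additional configuration" caveat that this copy lacks; keep the two lists in step.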
@@ -68,6 +73,7 @@ Bing Chat Enterprise (recommended for commercial environments), is used as the c 1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty + - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). - Business Standard - Business Premium 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 
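Review bot: Subject-verb agreement in the added sub-bullet: "Microsoft 365 A3 and A5 for faculty requires additional configuration" should be "require". More importantly, the sentence above the list states that Bing Chat Enterprise "is included and enabled by default" for these licences, and the new sub-bullet contradicts that for A3/A5 without saying what the default state actually is; either qualify the "enabled by default" sentence or say explicitly whether A3/A5 users have Bing Chat Enterprise before the extra configuration is done, so an admin doesn't assume faculty users are covered.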
@@ -91,7 +97,7 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There is also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: :::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: 
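Review bot: The unchanged context lines above the edited paragraph still carry a draft note, "Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails", inside a code fence. Before this page publishes, turn it into a proper verification step (the request, and what in the response indicates the Bing Chat Enterprise service plan) or remove it; as written a reader can't tell what to look for. The "There's also" contraction edit itself is fine.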
@@ -120,23 +126,23 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - This selection places devices into an early CFR phase - Users can select which optional updates to receive -1. Managed Windows 11, version 22H2 devices will display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. +1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. ### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings impact Copilot in Windows. For more information, see: +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. 
For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) -- [Other settings that might impact Copilot in Windows and its underlying chat provider](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) +- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** -## Other settings that might impact Copilot in Windows and its underlying chat provider +## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some setting which affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. -The following settings might impact Copilot in Windows and its underlying chat provider: \ No newline at end of file +The following settings might affect Copilot in Windows and its underlying chat provider: \ No newline at end of file 
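Review bot: The added line "you still need to verify that the correct chat provider platform configured for Copilot in Windows" is missing "is" ("is configured"), and "it's still possible that Bing Chat might still be used" doubles "still". The unchanged context line above it has a typo worth fixing in the same hunk: "One a managed device installs the upcoming 2023 annual update" should be "Once a managed device installs". On substance: silent fallback to consumer Bing Chat is exactly the failure mode this page warns about, so alongside the link to the configuration section, tell readers the concrete check on a device (the **Protected** shield and the "Your personal and company data are protected in this chat" banner described earlier in this patch) so they can confirm which provider a user actually got.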
From 016afbfd5359870fb03345b56b3195b9e27cceb4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 08:50:46 -0700 Subject: [PATCH 023/114] edits --- windows/client-management/copilot-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index a6faa910aa..5460203adf 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -8,7 +8,7 @@ appliesto: --- # What is Copilot in Windows? - + >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. 
@@ -18,7 +18,7 @@ At a high level, configuring Copilot in Windows for your organization involves t 1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) 1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows 1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled -1. Verify [other settings that might impact Copilot in Windows](#other-settings-that-might-impact-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider +1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. From 8cabf154e1f7c1996ae87918a26a809b50c3c683 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 09:09:59 -0700 Subject: [PATCH 024/114] edits --- windows/client-management/copilot-overview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 5460203adf..91b9e6b36a 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -145,4 +145,5 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. -The following settings might affect Copilot in Windows and its underlying chat provider: \ No newline at end of file +The following settings might affect Copilot in Windows and its underlying chat provider: + From 5a772de6a939cb0e2ff9a66cfd268d5b2e212fbe Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 10:56:46 -0700 Subject: [PATCH 025/114] edits --- windows/client-management/copilot-overview.md | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 91b9e6b36a..742a6e2f87 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. At a high level, configuring Copilot in Windows for your organization involves the following steps: @@ -34,10 +34,11 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat **Bing Chat**: -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + **Bing Chat Enterprise**: [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: 
@@ -143,7 +144,27 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and the Microsoft Edge sidebar can also affect Copilot in Windows. +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: -The following settings might affect Copilot in Windows and its underlying chat provider: +**Bing SafeSearch settings**: +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it will block chat providers for Copilot in Windows. The following network changes will block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +- mapping `www.bing.com` to `strict.bing.com` +- mapping `edgeservices.bing.com` to `strict.bing.com` +- mapping `www.bing.com` to `nochat.bing.com` +- blocking `bing.com` + +**Microsoft Edge policies**: + +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it will block Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. 
+- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it will block Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need to read the current webpage context to provide page summarizations and for sending a string the user selects from the webpage into the chat provider. + +**Search settings**: + +- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. +- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. + +**Account settings** + +- [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) +-[RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) \ No newline at end of file From 6fbe174913a5d5eb9fd122ac54cac7d3abcc7143 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:23:08 -0700 Subject: [PATCH 026/114] edits --- windows/client-management/copilot-overview.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index 742a6e2f87..c488a12cbc 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md @@ -1,5 +1,5 @@ --- -title: Copilot in Windows Overview +title: Manage Copilot in Windows description: Learn about managing Copilot in Windows for commercial environments. ms.topic: overview ms.date: 10/26/2023 
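Review bot: In hunk @@ -143,7 +144,27 @@, the last bullet "-[RestrictToEnterpriseDeviceAuthenticationOnly](...)" is missing the space after the hyphen, so it won't render as a list item, and the file still ends without a newline. The two account-settings bullets are bare links with no statement of effect, unlike every other item in the section; say what each setting does to the chat provider. "**Account settings**" is also missing the trailing colon the other bold subheadings have. In the SafeSearch block, "If SafeSearch is enabled for Bing, it will block chat providers" followed by a list of DNS mappings runs the user-level SafeSearch setting together with network-level enforcement; say which of the two (or both) blocks chat. It's good that the hunk states the listed mappings block Bing Chat Enterprise as well as consumer Bing Chat, since that is what will surprise organisations that enforce SafeSearch via DNS, but "blocking `bing.com`" in the same list is a plain outage rather than a SafeSearch mapping and sits oddly under that heading.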
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. At a high level, configuring Copilot in Windows for your organization involves the following steps: 
@@ -137,14 +137,14 @@ While the user experience for Copilot in Windows is enabled by default, you stil - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) - [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using either of the following permanent controls: +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: - **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings may affect Copilot in Windows and its underlying chat provider: **Bing SafeSearch settings**: 
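Review bot: "by using the following policy" followed by two bullets reads as two policies; the CSP and the Group Policy are two ways to deliver the same setting, so say so ("the following policy, as a CSP or through Group Policy"). Both paths are user-scoped (`./User/Vendor/MSFT/WindowsAI/...` and **User Configuration**), which deserves an explicit sentence: a device-targeted assignment won't turn Copilot off. Also, this hunk changes "might affect" to "may affect" in the intro to the settings section, making it the only "may" on a page that otherwise uses "might" (and the next commit changes it back); drop this part of the change.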
@@ -166,5 +166,6 @@ If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8 **Account settings** -- [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) --[RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) \ No newline at end of file +- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. +- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. + From e89a1a265ee269f4e1b46d240772d4082abb4ab2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:33:18 -0700 Subject: [PATCH 027/114] edits --- windows/client-management/copilot-overview.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index c488a12cbc..b83ceaae40 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
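Review bot: The AllowMicrosoftAccountConnection bullet now says the setting "might allow users to use their personal Microsoft account" but stops short of the consequence this page's own framing implies: Bing Chat Enterprise is tied to the user's licensed work account and Bing Chat is the consumer experience, so if a personal-account session ends up on consumer Bing Chat, the commercial data protection doesn't apply. If that's the behaviour, state it here; it's the reason an admin would care about this setting. In the RestrictToEnterpriseDeviceAuthenticationOnly bullet, "since it blocks user authentication" is too broad; say which sign-in it blocks (is it the user's, as opposed to the device's, authentication to the chat service?), since the policy name implies device authentication still succeeds. Minor: the added final line "+ " is whitespace only.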
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. At a high level, configuring Copilot in Windows for your organization involves the following steps: 
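Review bot: In this hunk the "since it can also perform actions such as changing Windows settings" clause attaches grammatically to "which provides assistance in the browser", so it reads as if the Edge sidebar changes Windows settings; restructure as "Unlike Bing Chat Enterprise in the Microsoft Edge sidebar ..., Copilot in Windows can also perform actions such as changing Windows settings". Also, the same sentence still says "side bar docked on the Windows desktop" two sentences before "Microsoft Edge sidebar"; use "sidebar" throughout.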
@@ -144,11 +144,11 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings may affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: **Bing SafeSearch settings**: -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it will block chat providers for Copilot in Windows. The following network changes will block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` - mapping `www.bing.com` to `nochat.bing.com` @@ -156,8 +156,8 @@ If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8 **Microsoft Edge policies**: -- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it will block Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. -- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it will block Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need to read the current webpage context to provide page summarizations and for sending a string the user selects from the webpage into the chat provider. +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. +- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. **Search settings**: From ea36036d32bc79750935c3124aa37e3b309c9dd1 Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:35:33 -0700 Subject: [PATCH 028/114] edits --- windows/client-management/copilot-overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md index b83ceaae40..963e9bb45d 100644 --- a/windows/client-management/copilot-overview.md +++ b/windows/client-management/copilot-overview.md 
@@ -13,7 +13,9 @@ appliesto: Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. -At a high level, configuring Copilot in Windows for your organization involves the following steps: +## Manage Copilot in Windows for commercial environments + +At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: 1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) 1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows From 435e75d1f16b1569fab9145acaf30b006629f6f1 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:39:25 -0700 Subject: [PATCH 029/114] move content to manage copilot page --- .../manage-windows-copilot.md | 170 ++++++++++++++++-- 1 file changed, 156 insertions(+), 14 deletions(-) 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index bc4adbca9d..9b30f58ce9 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -1,31 +1,173 @@ --- title: Manage Copilot in Windows -description: Learn how to manage Copilot in Windows using MDM and group policy. +description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article -ms.date: 10/16/2023 +ms.date: 10/18/2023 appliesto: -- ✅ Windows 11 +- ✅ Windows 11, version 22H2 or later --- -# Manage Copilot in Windows +# What is Copilot in Windows? + +>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. 
-This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). +## Manage Copilot in Windows for commercial environments -## Turn off Copilot in Windows +At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: -This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them. +1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) +1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows +1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled +1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider -| | Setting | -|------------------|---------------------------------------------------------------------------------------------------------| -| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. 
If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. + +|   | Setting | +|---|---| +| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | +## Chat provider platforms for Copilot in Windows -## Related articles +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. -- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0) +**Bing Chat**: + +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: + - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) + - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. + + +**Bing Chat Enterprise**: + +[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. 
The following privacy and security protections apply for Bing Chat Enterprise: + +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- Bing chat enterprise is available, at no additional cost, for the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Business Standard + - Business Premium + + > [!Note] + > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. + +## Configure the chat provider platform that Copilot in Windows uses + +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. 
+ +### Bing Chat as the chat provider platform + +Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: + +- Bing Chat Enterprise isn't configured for the user +- The user isn't assigned a license that includes Bing Chat Enterprise +- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) +- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise + +### Bing Chat Enterprise as the chat provider platform + +Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: + +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: + - Microsoft 365 E3 or E5 + - Microsoft 365 A3 or A5 for faculty + - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). + - Business Standard + - Business Premium +1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. +1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. +1. Verify that **Bing Chat Enterprise** is enabled for the user. + + > [!Note] + > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. 
+ +```http +*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* +*licensedetails does output BCE, so its a matter of just getting the query right* +**powershell or http preferably** +Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails +{ + "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", + "servicePlanName": "Bing_Chat_Enterprise", + "provisioningStatus": "Success", + "appliesTo": "User" +}, +https://learn.microsoft.com/graph/api/resources/licensedetails +``` + +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: + +:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: + +## Ensure the Copilot in Windows user experience is enabled + +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients + +Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). 
For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: + +1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. +1. Apply a policy to disable temporary enterprise control. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** + + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. +1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: + - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** + - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. + + These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. 
When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: + - Automatically receive optional updates (including CFRs) + - This selection places devices into an early CFR phase + - Users can select which optional updates to receive + +1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. + +### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) + +One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. + +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. 
For more information, see: +- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) +- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) + +Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: + +- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** + +## Other settings that might affect Copilot in Windows and its underlying chat provider + +Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: + +**Bing SafeSearch settings**: + +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +- mapping `www.bing.com` to `strict.bing.com` +- mapping `edgeservices.bing.com` to `strict.bing.com` +- mapping `www.bing.com` to `nochat.bing.com` +- blocking `bing.com` + +**Microsoft Edge policies**: + +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. +- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. + +**Search settings**: + +- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. +- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. + +**Account settings** + +- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. 
+- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. -- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a) From 13427d3c5f64df40810b40479699fedd41e9ed2b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:40:31 -0700 Subject: [PATCH 030/114] delete unneeded md file --- windows/client-management/copilot-overview.md | 173 ------------------ 1 file changed, 173 deletions(-) delete mode 100644 windows/client-management/copilot-overview.md diff --git a/windows/client-management/copilot-overview.md b/windows/client-management/copilot-overview.md deleted file mode 100644 index 963e9bb45d..0000000000 --- a/windows/client-management/copilot-overview.md +++ /dev/null 
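Review bot: The ```http fenced block under the Bing Chat Enterprise verification steps in this hunk is an author's working note ("*would be nice to have a Graph query ...*", "Ex output from my lab"), not documentation, and must not ship; either finish it as a real query against the licenseDetails resource it links, showing the `Bing_Chat_Enterprise` service plan as the value to look for, or remove it. Other problems in the same hunk: (1) "The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices" is contradicted by the next paragraph, "Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a temporary enterprise control"; the second statement is the one the rest of the section supports, so fix the first (and "manged"). (2) "Bing Chat Enterprise ... is used as the chat provider platform ... when all of the following conditions occur:" introduces a numbered list of admin-center steps, not conditions; reword to something like "To verify that Bing Chat Enterprise is configured for a user:". (3) The H1 is "What is Copilot in Windows?" while the front-matter title is "Manage Copilot in Windows"; align them. (4) Typos and consistency: "One a managed device" → "Once", "polices" → "policies", "Windows Updates for Business" → "Windows Update for Business", "verify that the correct chat provider platform configured" → "is configured", and "Bing chat enterprise" → "Bing Chat Enterprise" as used elsewhere on the page.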
@@ -1,173 +0,0 @@ ---- -title: Manage Copilot in Windows -description: Learn about managing Copilot in Windows for commercial environments. -ms.topic: overview -ms.date: 10/26/2023 -appliesto: -- ✅ Windows 11, version 22H2 or later ---- - -# What is Copilot in Windows? - ->**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). - -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. - -## Manage Copilot in Windows for commercial environments - -At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: - -1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows) -1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows -1. 
Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled -1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider - -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them. - -|   | Setting | -|---|---| -| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | -| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | - - -## Chat provider platforms for Copilot in Windows - -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. - -**Bing Chat**: - -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. 
The following privacy and security protections apply for Bing Chat: - - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. - - -**Bing Chat Enterprise**: - -[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: - -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing chat enterprise is available, at no additional cost, for the following licenses: - - Microsoft 365 E3 or E5 - - Microsoft 365 A3 or A5 for faculty - - Business Standard - - Business Premium - - > [!Note] - > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. - -## Configure the chat provider platform that Copilot in Windows uses - -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. 
Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. - -### Bing Chat as the chat provider platform - -Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur: - -- Bing Chat Enterprise isn't configured for the user -- The user isn't assigned a license that includes Bing Chat Enterprise -- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) -- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise - -### Bing Chat Enterprise as the chat provider platform - -Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: - -1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). -1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: - - Microsoft 365 E3 or E5 - - Microsoft 365 A3 or A5 for faculty - - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). - - Business Standard - - Business Premium -1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. -1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. -1. Verify that **Bing Chat Enterprise** is enabled for the user. 
- - > [!Note] - > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. - -```http -*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* -*licensedetails does output BCE, so its a matter of just getting the query right* -**powershell or http preferably** -Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails -{ - "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", - "servicePlanName": "Bing_Chat_Enterprise", - "provisioningStatus": "Success", - "appliesTo": "User" -}, -https://learn.microsoft.com/graph/api/resources/licensedetails -``` - -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: - -:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: - -## Ensure the Copilot in Windows user experience is enabled - -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. 
-### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients - -Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. - -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: - -1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. Apply a policy to disable temporary enterprise control. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - - - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. -1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - - These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. 
When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - - Automatically receive optional updates (including CFRs) - - This selection places devices into an early CFR phase - - Users can select which optional updates to receive - -1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. - -### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) - -One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. - -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. 
For more information, see: -- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) -- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) - -Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: - -- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) -- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** - -## Other settings that might affect Copilot in Windows and its underlying chat provider - -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: - -**Bing SafeSearch settings**: - -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): -- mapping `www.bing.com` to `strict.bing.com` -- mapping `edgeservices.bing.com` to `strict.bing.com` -- mapping `www.bing.com` to `nochat.bing.com` -- blocking `bing.com` - -**Microsoft Edge policies**: - -- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. -- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. - -**Search settings**: - -- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. -- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. - -**Account settings** - -- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. 
-- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. - From 66fc11dfd9060dfe038ec02761d5ae3f2acc51de Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 12:06:35 -0700 Subject: [PATCH 031/114] tweaks --- .../manage-windows-copilot.md | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 9b30f58ce9..e089d23ff7 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -46,18 +46,18 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: - With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). -- Bing chat enterprise is available, at no additional cost, for the following licenses: +- Bing Chat Enterprise is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Business Standard - Business Premium > [!Note] - > Bing Chat Enterprise doesn't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise can't access Microsoft 365 Apps data, such as email, calendar, or files. + > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. 
Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform @@ -68,9 +68,9 @@ Bing Chat is used as the default chat provider platform for Copilot in Windows w - Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage) - The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise -### Bing Chat Enterprise as the chat provider platform +### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments) -Bing Chat Enterprise (recommended for commercial environments), is used as the chat provider platform for Copilot in Windows when all of the following conditions occur: +To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions: 1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/). 1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses: 
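Review bot: Renaming the heading to `### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)` changes its generated anchor, and this page links its own sections by slug (for example `#configure-the-chat-provider-platform-that-copilot-in-windows-uses`), so any existing link to `#bing-chat-enterprise-as-the-chat-provider-platform` will break; either keep the parenthetical out of the heading and state the recommendation in the first sentence, or search the docset for the old slug before merging. The new lead sentence `To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:` is a real fix, since the list that follows is a verification procedure and not the "conditions" the old sentence promised, but it reads more directly as `To verify that Bing Chat Enterprise is enabled as the chat provider platform for a user, use the following steps:`.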
@@ -100,13 +100,14 @@ Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails https://learn.microsoft.com/graph/api/resources/licensedetails ``` -When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield emblem labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: +When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: :::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png"::: ## Ensure the Copilot in Windows user experience is enabled -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. 
+ ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 
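Review bot: The only change to the rewritten line `+Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. ` is trailing whitespace, plus a whitespace-only `+ ` line after it, and the sentence it keeps is contradicted by the very next subsection (`Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a temporary enterprise control`). Since the line is being touched, replace the second sentence with a statement that enablement depends on the Windows version, drop the stray whitespace, and fix `manged` to `managed` in the adjacent context line.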
@@ -114,22 +115,25 @@ Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. Apply a policy to disable temporary enterprise control. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: +1. Apply a policy to disable temporary enterprise control for managed clients. 
The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. + > [!Important] + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + 1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category. - These policies of optional updates apply to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: + The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs: - Automatically receive optional updates (including CFRs) - This selection places devices into an early CFR phase - Users can select which optional updates to receive -1. Managed Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. +1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. 
### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) From 703b20c37fd55d2357a06f2a44f2e20c8ce79ccb Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 14:58:39 -0700 Subject: [PATCH 032/114] tweaks --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e089d23ff7..344b751a17 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
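Review bot: The `> [!Important]` callout added in the `@@ -114,22 +115,25 @@` hunk repeats almost verbatim the definition that already opens this subsection (`For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or ...`), so the reader now meets the same two sentences twice within a few lines; keep one copy, and if the callout is the one that stays, correct `Windows Updates for Business` to `Windows Update for Business` in it. The rewritten step `+1. Apply a policy to disable temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 ...` still carries the misspelling `polices`, and dropping `Managed` from the closing step (`+1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device.`) leaves it unclear whether the policies above are also required on unmanaged devices; keep `Managed` or say explicitly which devices the step covers.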
@@ -135,9 +135,9 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n 1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -### Enable the Copilot in Windows user experience for Windows 11 clients with the 2023 annual update (coming soon) +### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon) -One a managed device installs the upcoming 2023 annual update, likely to be called version 23H2, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. +One a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) From a61806ae3b98e3cef4a0976a17b7a575975e99dc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 15:39:25 -0700 Subject: [PATCH 033/114] tweaks --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
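Review bot: The rewritten sentence `+One a managed device installs the version 23H2 update, the [temporary enterprise control](...) for Copilot in Windows will be removed.` carries over the typo `One` for `Once`; fix it while the line is being changed. The following context sentence is missing its verb (`verify that the correct chat provider platform configured` should be `is configured`), and the wordier `it's still possible that Bing Chat might still be used` repeats `still`. Adding `(coming soon)` to the heading also changes its anchor slug, so check for links to the old and new heading before and after the rename, and plan to remove the parenthetical once 23H2 ships.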
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 344b751a17..0f9fabc6e9 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -106,7 +106,7 @@ When Bing Chat Enterprise is the chat provider platform, the user experience cle ## Ensure the Copilot in Windows user experience is enabled -Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. The Copilot in Windows user experience is enabled by default for managed Windows 11, version 22H2 devices. +Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version. ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients From bdc0bb7b57830ded1b3c0285e4b3db9a03bf9a3a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 17 Oct 2023 15:40:36 -0700 Subject: [PATCH 034/114] tweaks --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 0f9fabc6e9..be8fbd06e0 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
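Review bot: The replacement line `+... Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.` in the `@@ -106,7 +106,7 @@` hunk correctly removes the claim that contradicted the 22H2 subsection, but the gerund subject is awkward; `The steps to enable the Copilot in Windows user experience vary by Windows version, so use the subsection for your version below.` says the same thing and points the reader at the two subsections that follow.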
@@ -110,7 +110,7 @@ Once you've configured the chat provider platform that Copilot in Windows uses, ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients -Copilot in Windows isn't enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. +Copilot in Windows isn't technically enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. 
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: From 2666c53991b5e2cdf576ea475f5670766b26b262 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 08:32:33 -0700 Subject: [PATCH 035/114] tweaks --- .../manage-windows-copilot.md | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index be8fbd06e0..c449d9582c 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
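Review bot: Inserting `technically` in `+Copilot in Windows isn't technically enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](...)` hedges a statement the rest of the paragraph shows to be simply true, so the word reads as uncertainty rather than precision; drop it. Since this line is being rewritten anyway, also fix `manged` to `managed` and `Windows Updates for Business` to `Windows Update for Business` in it instead of leaving both for a later pass.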
@@ -86,18 +86,25 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. -```http -*would be nice to have a Graph query that lists users that do/do not have BCE app enabled* -*licensedetails does output BCE, so its a matter of just getting the query right* -**powershell or http preferably** -Ex output from my lab: GET https://graph.microsoft.com/v1.0/me/licenseDetails -{ - "servicePlanId": "0d0c0d31-fae7-41f2-b909-eaf4d7f26dba", - "servicePlanName": "Bing_Chat_Enterprise", - "provisioningStatus": "Success", - "appliesTo": "User" -}, -https://learn.microsoft.com/graph/api/resources/licensedetails +The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: + +```powershell +# Install graph module +if (-not (Get-Module Microsoft.Graph.Users)) { + Install-Module Microsoft.Graph.Users +} + +# Connect to MS graph +Connect-MgGraph -Scopes 'User.Read.All' + +# Get all users +$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans + +# Users with BCE enabled +$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table + +# Users without BCE enabled +$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table ``` When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. 
There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows: From dfa48ff0ccdaa034e012ae6193904c517b8979bc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 08:38:55 -0700 Subject: [PATCH 036/114] tweaks --- windows/client-management/manage-windows-copilot.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index c449d9582c..8346d968d7 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -89,21 +89,21 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: ```powershell -# Install graph module +# Install Microsoft Graph module if (-not (Get-Module Microsoft.Graph.Users)) { Install-Module Microsoft.Graph.Users } -# Connect to MS graph +# Connect to Microsoft Graph Connect-MgGraph -Scopes 'User.Read.All' # Get all users $users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans -# Users with BCE enabled +# Users with Bing Chat Enterprise enabled $users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table -# Users without BCE enabled +# Users without Bing Chat Enterprise enabled $users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table ``` 
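Review bot: in the `@@ -86,18 +86,25 @@` hunk of the "tweaks" patch that replaces the draft `http` block, the two `Where-Object` filters neither partition the user list nor tie `Service` and `CapabilityStatus` to the same plan. `$_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled"` is true whenever any plan has `Service` equal to `Bing` and any plan (possibly a different one) is `Enabled`, so a user whose Bing plan is suspended but who holds another enabled plan is reported as enabled; the second filter, `-not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled")`, matches that same user too, while a user who has plans but no `Bing` plan at all appears in neither list. Suggest testing per plan, e.g. `$_.AssignedPlans | Where-Object { $_.Service -eq 'Bing' -and $_.CapabilityStatus -eq 'Enabled' }`, and deriving the disabled set as the complement of the enabled set. The removed draft output identified the plan as `servicePlanName: Bing_Chat_Enterprise` with a specific `servicePlanId`, which is a tighter match than the service family name `Bing`; consider filtering on that plan ID. Also, `Get-Module Microsoft.Graph.Users` without `-ListAvailable` only reports modules already imported into the session, so `Install-Module` runs on every machine where the module is installed but not yet imported.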
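Review bot: in the `@@ -89,21 +89,21 @@` hunk, the unchanged context line `The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled:` has a stray `that`; suggest `lists which users have Bing Chat Enterprise enabled and which don't`. The comment renames are fine, but since the comments now promise `Users with Bing Chat Enterprise enabled` and `Users without Bing Chat Enterprise enabled`, the filters beneath them should actually produce two disjoint sets, which the current `AssignedPlans` comparisons don't guarantee.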
From 2c3987cb971ed8bc48503e07d2dfe5d56e4da80e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 09:19:19 -0700 Subject: [PATCH 037/114] tweaks --- windows/client-management/manage-windows-copilot.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 8346d968d7..af2457bb3f 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -82,6 +82,7 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. +1. If you prefer to view a user's licenses from the Azure portal, you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. From 56a8b0eb2feacef2fd43d7c7004f6c33abfe618a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 18 Oct 2023 09:19:55 -0700 Subject: [PATCH 038/114] tweaks --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index af2457bb3f..e2abb0472f 100644 --- a/windows/client-management/manage-windows-copilot.md 
+++ b/windows/client-management/manage-windows-copilot.md @@ -82,7 +82,7 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. -1. If you prefer to view a user's licenses from the Azure portal, you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. +1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**. > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. From a93d21064431978d882147b963a1acf31fe7f855 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 09:41:26 -0700 Subject: [PATCH 039/114] Copilot in Edge rebrand for sidebar --- windows/client-management/manage-windows-copilot.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e2abb0472f..f0e8fa08b8 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
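Review bot: in the `@@ -82,6 +82,7 @@` hunk, the added `1. If you prefer to view a user's licenses from the Azure portal...` item is an alternative way to perform the preceding check, not the next step of the procedure, so it renders as step 4 of a sequence; suggest moving it out of the list into a `> [!Tip]` (the file already uses the `> [!Note]` admonition syntax) or a sentence after the list. `you will find it under` also has no clear antecedent for `it`, since `licenses` is plural; `you can find them under` reads better, and `Azure portal` is unlinked unlike the other portal references in this file.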
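Review bot: the `@@ -82,7 +82,7 @@` hunk links `Azure portal` but keeps `you will find it under`, where `it` points at the plural `licenses` and the future tense is out of step with the present-tense instructions around it; suggest `you can find them under **Microsoft Entra ID** > **Users**`. The item still sits as number 4 of the numbered procedure even though it is an alternative to items 1 to 3, which this follow-up hunk could have fixed at the same time.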
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to be an assistant that can help your users get things done in Windows. Copilot in Windows is a bit different from [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge) (and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat)), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Bing Chat Enterprise in the Microsoft Edge sidebar, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows is a bit different from [Copilot in Edge](/bing-chat-enterprise/edge), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. 
It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. ## Manage Copilot in Windows for commercial environments 
@@ -158,11 +158,11 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Other settings that might affect Copilot in Windows and its underlying chat provider -Copilot in Windows and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Bing Chat in the Microsoft Edge sidebar can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: +Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: **Bing SafeSearch settings**: -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows, [Bing Chat Enterprise in the Microsoft Edge sidebar](/bing-chat-enterprise/edge), and [Bing Chat in the Microsoft Edge sidebar](https://www.microsoft.com/edge/features/bing-chat): +If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` - mapping `www.bing.com` to `nochat.bing.com` 
@@ -170,16 +170,16 @@ If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8 **Microsoft Edge policies**: -- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Bing Chat in the Microsoft Edge sidebar and Bing Chat Enterprise in the Microsoft Edge sidebar from being displayed. +- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed. - If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. **Search settings**: - Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. -- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows, Bing Chat in the Microsoft Edge sidebar, and Bing Chat Enterprise in the Microsoft Edge sidebar user experiences. +- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences. **Account settings** -- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Bing Chat in the Microsoft Edge sidebar. 
+- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge. - The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. From 39f41a385c25652014c8688db77745f1df5d92f2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 10:55:57 -0700 Subject: [PATCH 040/114] edits --- .../manage-windows-copilot.md | 35 +++++++++++++------ 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index f0e8fa08b8..daf8b34bc2 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
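Review bot: in the `@@ -11,7 +11,7 @@` hunk of the rebrand patch, the rewritten sentence `Copilot in Windows is a bit different from [Copilot in Edge](/bing-chat-enterprise/edge), which provides assistance in the browser, since it can also perform actions such as changing Windows settings` leaves `it` ambiguous between Copilot in Windows and Copilot in Edge; name the subject (`since Copilot in Windows can also perform actions...`). `side bar` in `appears as a side bar docked on the Windows desktop` is inconsistent with `sidebar` as used for the Edge feature elsewhere in the file. Dropping the link to `Bing Chat in the Microsoft Edge sidebar` also removes the only pointer to the consumer Edge experience; if `/bing-chat-enterprise/edge` covers both the consumer and enterprise cases that is fine, otherwise keep a consumer link.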
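Review bot: in the `@@ -158,11 +158,11 @@` hunk, `Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform` has a comma between subject and verb; drop it. In the same hunk, the list that follows `If [SafeSearch](...) is enabled for Bing, it can block chat providers for Copilot in Windows` presents the `strict.bing.com` and `nochat.bing.com` host mappings and `blocking bing.com` as if they were SafeSearch behaviour, but they are network controls an administrator applies separately; suggest splitting the SafeSearch sentence from the `network changes` list so a reader doesn't conclude that turning SafeSearch off undoes a DNS mapping.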
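Review bot: in the `@@ -170,16 +170,16 @@` hunk, the `**Account settings**` label lacks the trailing colon that `**Microsoft Edge policies**:` and `**Search settings**:` carry; make the three consistent. The `DiscoverPageContextEnabled` bullet still reads `blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context` while the neighbouring bullets were rebranded to `Copilot in Edge`; if the provider names are intentional here because it is the provider that reads page context, a short clause saying so would stop it looking like a missed rename.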
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows is a bit different from [Copilot in Edge](/bing-chat-enterprise/edge), which provides assistance in the browser, since it can also perform actions such as changing Windows settings or performing common tasks in Windows. However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. ## Manage Copilot in Windows for commercial environments 
@@ -45,7 +45,7 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, Microsoft has no eyes-on access, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). - Bing Chat Enterprise is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty 
@@ -160,25 +160,38 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider: -**Bing SafeSearch settings**: +### Bing settings -If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: -- mapping `www.bing.com` to `strict.bing.com` -- mapping `edgeservices.bing.com` to `strict.bing.com` -- mapping `www.bing.com` to `nochat.bing.com` -- blocking `bing.com` +1. Block access to only the public version of Bing Chat for all users on your network: -**Microsoft Edge policies**: + - Map `www.bing.com` to `nochat.bing.com` on your router or proxy server + - Map `edgeservices.bing.com` to `nochat.bing.com` to block access to Bing Chat + + This block only applies when devices are connected to your corporate network. Bing Chat is a public service, like search, and will remain available if accessed outside the corporate network. Bing Chat Enterprise will still be available if the public version of Bing Chat is blocked. To also block Bing Chat Enterprise, use its service plan, as detailed here: [Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise) + + +2. If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. 
The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: + - mapping `www.bing.com` to `strict.bing.com` + - mapping `edgeservices.bing.com` to `strict.bing.com` + - blocking `bing.com` + +3. If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: + + |Key |Value | + |:---------|:------------| + |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface
**false** hides the interface | + +### Microsoft Edge policies - If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed. - If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider. -**Search settings**: +### Search settings - Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience. - Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences. -**Account settings** +### Account settings - The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge. - The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. From 360141f39397dfcfc9bebdbe4fa47361514ced3d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 12:35:06 -0700 Subject: [PATCH 041/114] edits --- .../manage-windows-copilot.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) 
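Review bot: in the `@@ -11,7 +11,7 @@` hunk of the "edits" patch, `Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge]` resolves the earlier ambiguous `it`, but `Windows` now appears three times in one clause; suggest `can perform common tasks like changing Windows settings`. `side bar` in `appears as a side bar docked on the Windows desktop` is still inconsistent with `sidebar`.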
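Review bot: the `@@ -45,7 +45,7 @@` hunk silently drops `Microsoft has no eyes-on access` from the list of Bing Chat Enterprise protections while leaving the rest of the sentence intact; that changes a documented privacy guarantee, and the commit message `edits` gives no reason. Suggest confirming the removal against the linked privacy statement (`/bing-chat-enterprise/privacy-and-protections`) and recording the reason in the commit message so it isn't read as an accidental deletion.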
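Review bot: in the `@@ -160,25 +160,38 @@` hunk, the table cell `**true** (default) shows the interface` / `**false** hides the interface` contains a literal line break, which terminates the Markdown table row early; use `<br>` inside the cell instead. The numbered items under `### Bing settings` are three independent controls (a DNS or proxy mapping, SafeSearch, and an Intune MAM key), not sequential steps, so bullets fit better than `1.`, `2.`, `3.`. Item 2 still lists the `strict.bing.com` mappings and `blocking bing.com` under the SafeSearch sentence even though they are network changes rather than SafeSearch behaviour, and item 1 already documents the `nochat.bing.com` mapping, so the two items overlap. The link `[Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise)` has a doubled hyphen in the anchor that looks like a truncated heading slug; please verify it resolves. `will be able to access`, `will remain available` and `will still be available` read better in present tense like the rest of the page, and the extra blank lines after the `This block only applies...` paragraph can go.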
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index daf8b34bc2..ef615fb09d 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -11,7 +11,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly pass sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. ## Manage Copilot in Windows for commercial environments 
@@ -32,11 +32,11 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Chat provider platforms for Copilot in Windows -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. **Bing Chat**: -[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat: +[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. 
The following privacy and security protections apply for Bing Chat: - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a) - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section. 
@@ -45,19 +45,19 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat [Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise: -- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). +- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections). - Bing Chat Enterprise is available, at no additional cost, for the following licenses: - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - - Business Standard - - Business Premium + - Microsoft 365 Business Standard + - Microsoft 365 Business Premium > [!Note] > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. 
## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can pass sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform @@ -77,8 +77,8 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider - Microsoft 365 E3 or E5 - Microsoft 365 A3 or A5 for faculty - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage). - - Business Standard - - Business Premium + - Microsoft 365 Business Standard + - Microsoft 365 Business Premium 1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu. 1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list. 1. Verify that **Bing Chat Enterprise** is enabled for the user. 
@@ -87,7 +87,7 @@ To verify that Bing Chat Enterprise is enabled for the user as the chat provider > [!Note] > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users. -The following PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: +The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled: ```powershell # Install Microsoft Graph module 
@@ -118,7 +118,7 @@ Once you've configured the chat provider platform that Copilot in Windows uses, ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients -Copilot in Windows isn't technically enabled by default for manged Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. +Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. 
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: @@ -145,7 +145,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n ### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon) -One a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. +Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) From 2e6ee722b7297264d4bc6616e2570e3d997842d4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:47:52 -0700 Subject: [PATCH 042/114] edits --- windows/client-management/manage-windows-copilot.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index ef615fb09d..3360fd2b5f 100644 --- a/windows/client-management/manage-windows-copilot.md 
+++ b/windows/client-management/manage-windows-copilot.md 
@@ -120,10 +120,10 @@ Once you've configured the chat provider platform that Copilot in Windows uses, Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. -To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to turn off temporary enterprise control for these devices. Since disabling [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: +To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section. -1. 
Apply a policy to disable temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: +1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) @@ -162,7 +162,7 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share ### Bing settings -1. Block access to only the public version of Bing Chat for all users on your network: +- Block access to only the public version of Bing Chat for all users on your network: - Map `www.bing.com` to `nochat.bing.com` on your router or proxy server - Map `edgeservices.bing.com` to `nochat.bing.com` to block access to Bing Chat 
@@ -170,12 +170,12 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share This block only applies when devices are connected to your corporate network. Bing Chat is a public service, like search, and will remain available if accessed outside the corporate network. Bing Chat Enterprise will still be available if the public version of Bing Chat is blocked. To also block Bing Chat Enterprise, use its service plan, as detailed here: [Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise) -2. If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: +- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` - blocking `bing.com` -3. If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: +- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it: |Key |Value | |:---------|:------------| 
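Review bot: In the @@ -120 hunk, the rewritten step "Apply a policy to enable features under temporary enterprise control" still carries "The following polices apply" (policies); fix the typo while the line is being rewritten rather than leaving it for a later commit.

Review bot: The @@ -162 and @@ -170 hunks turn the numbered items into bullets but leave their sub-items in two styles: "Map `www.bing.com` to `nochat.bing.com` ..." (imperative, capitalized) under the first bullet and "mapping `www.bing.com` to `strict.bing.com`" (gerund, lowercase) under the SafeSearch bullet; use one form for both lists.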
From e8d2dc72e8abc9cbb83a0dd8e230aec68edaa671 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:53:08 -0700 Subject: [PATCH 043/114] add preview note --- windows/client-management/manage-windows-copilot.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 3360fd2b5f..ba89f9d930 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -13,6 +13,9 @@ appliesto: Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. +> [!Note] +> Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. + ## Manage Copilot in Windows for commercial environments At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: From f2a6e983dbf020ad269a389f8767c2d19e53d47a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:53:47 -0700 Subject: [PATCH 044/114] edits --- windows/client-management/manage-windows-copilot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index ba89f9d930..6be25291bd 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -2,7 +2,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article -ms.date: 10/18/2023 +ms.date: 10/31/2023 appliesto: - ✅ Windows 11, version 22H2 or later --- From 5c15e73ead859dce74412b30c3ce9c13976b3e91 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 13:59:45 -0700 Subject: [PATCH 045/114] edits --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 6be25291bd..8f4fc3beea 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -7,7 +7,7 @@ appliesto: - ✅ Windows 11, version 22H2 or later --- -# What is Copilot in Windows? +# Manage Copilot in Windows >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). @@ -16,7 +16,7 @@ Copilot in Windows provides centralized generative AI assistance to your users r > [!Note] > Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. -## Manage Copilot in Windows for commercial environments +## Configure Copilot in Windows for commercial environments At a high level, managing and configuring Copilot in Windows for your organization involves the following steps: 
From 7a1d78d007f2939c09ae3b3f02bd0754d302d93e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:07:25 -0700 Subject: [PATCH 046/114] edits --- windows/client-management/manage-windows-copilot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 8f4fc3beea..5fe29b596f 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -131,8 +131,8 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. - > [!Important] - > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + > [!Important] + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** From 32afc847d10efbb6547982ecc912350c6a0965b6 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:15:54 -0700 Subject: [PATCH 047/114] edits --- windows/client-management/manage-windows-copilot.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 5fe29b596f..327eb32165 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -14,7 +14,8 @@ appliesto: Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. > [!Note] -> Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. +> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. +> - Copilot in Windows will be available in all global markets, including the UK, except mainland China, Belarus, Russia, and the European Economic Area. ## Configure Copilot in Windows for commercial environments From 0983a4b399891b44331c1ff328abad9af768f51e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:56:13 -0700 Subject: [PATCH 048/114] AI edits --- windows/client-management/manage-windows-copilot.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 327eb32165..e457ec80f3 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md 
@@ -200,3 +200,6 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share - The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge. - The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication. +## Microsoft's commitment to responsible AI + +Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai). From dabc86ba0d97b600d9faedfb285ff7283fefbc39 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 25 Oct 2023 16:04:31 -0700 Subject: [PATCH 049/114] metadata update --- windows/client-management/manage-windows-copilot.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e457ec80f3..5afe7ecfe8 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -2,6 +2,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article +ms.technology: itpro-windows-copilot ms.date: 10/31/2023 appliesto: - ✅ Windows 11, version 22H2 or later 
From 1bec149c57563e1947c57d5a94dd975ff2f1c407 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 30 Oct 2023 12:12:27 -0700 Subject: [PATCH 050/114] edits --- windows/client-management/manage-windows-copilot.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 5afe7ecfe8..6a6104f2c5 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -16,7 +16,7 @@ Copilot in Windows provides centralized generative AI assistance to your users r > [!Note] > - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. -> - Copilot in Windows will be available in all global markets, including the UK, except mainland China, Belarus, Russia, and the European Economic Area. +> - Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time. ## Configure Copilot in Windows for commercial environments 
@@ -58,7 +58,7 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat - Microsoft 365 Business Premium > [!Note] - > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which is used in Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. + > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files. ## Configure the chat provider platform that Copilot in Windows uses 
@@ -123,7 +123,7 @@ Once you've configured the chat provider platform that Copilot in Windows uses, ### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients -Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. +Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. 
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions: 
@@ -134,7 +134,7 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. > [!Important] - > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. + > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business. 1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). 
Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies: - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features** 
@@ -148,11 +148,11 @@ To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you n 1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves. -### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients (coming soon) +### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices. -While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: +While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see: - [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) - [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) 
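Review bot: The @@ -16 hunk replaces the "all global markets ... except" wording from two commits earlier with a hard-coded list (North America and parts of Asia and South America) plus "It is our intention to add additional markets over time"; a market list inside a [!Note] goes stale quickly, so either date it or point to an availability page, and "We intend to add more markets over time" is tighter.

Review bot: The @@ -134 hunk makes the identical "Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch" change that @@ -123 makes a dozen lines earlier, because the [!Important] callout under the policy step repeats the section's opening paragraph word for word; keep the definition of "managed" in one place (or make the callout a one-line pointer to the paragraph) so the next change doesn't have to be applied twice.

Review bot: In the @@ -148 hunk the removed and added "While the user experience for Copilot in Windows is enabled by default ..." lines are identical in the visible diff, so this is a whitespace-only change; since the line is touched anyway, fix "the correct chat provider platform configured for Copilot in Windows" to "platform is configured" and drop one of the two "still"s in "it's still possible that Bing Chat might still be used".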
From a40ef7ffc7aa0c898a58d98cbde451a560be3f22 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 1 Nov 2023 09:16:08 -0700 Subject: [PATCH 051/114] edits --- .../client-management/manage-windows-copilot.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 6a6104f2c5..86382c61a1 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article ms.technology: itpro-windows-copilot -ms.date: 10/31/2023 +ms.date: 11/02/2023 appliesto: - ✅ Windows 11, version 22H2 or later --- 
@@ -12,7 +12,7 @@ appliesto: >**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0). -Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since users can possibly copy and paste sensitive information into the chat provider. +Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider. > [!Note] > - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback. 
@@ -37,7 +37,7 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t ## Chat provider platforms for Copilot in Windows -Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. +Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. **Bing Chat**: 
@@ -62,7 +62,7 @@ Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat ## Configure the chat provider platform that Copilot in Windows uses -Configuring the correct chat provider platform for Copilot in Windows is important because users can copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. +Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses. ### Bing Chat as the chat provider platform 
@@ -167,14 +167,6 @@ Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share ### Bing settings -- Block access to only the public version of Bing Chat for all users on your network: - - - Map `www.bing.com` to `nochat.bing.com` on your router or proxy server - - Map `edgeservices.bing.com` to `nochat.bing.com` to block access to Bing Chat - - This block only applies when devices are connected to your corporate network. Bing Chat is a public service, like search, and will remain available if accessed outside the corporate network. Bing Chat Enterprise will still be available if the public version of Bing Chat is blocked. To also block Bing Chat Enterprise, use its service plan, as detailed here: [Turn off Bing Chat Enterprise](/bing-chat-enterprise/manage#turn-off--enterprise) - - - If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge: - mapping `www.bing.com` to `strict.bing.com` - mapping `edgeservices.bing.com` to `strict.bing.com` From e9c010e8e9777cdfb5cdbae81d8678c1dfe36674 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 2 Nov 2023 12:10:42 -0400 Subject: [PATCH 052/114] Add new setting and reformatting --- .../enhanced-phishing-protection.md | 100 ++++++++++-------- 1 file changed, 57 insertions(+), 43 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 38961897cb..0ec622546b 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
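Review bot: The @@ -12, @@ -37, and @@ -62 hunks each swap "users can copy and paste sensitive information" for "it is possible for users to copy and paste sensitive information", so the same sentence now appears three times on the page; if the goal is to soften the claim, "users might copy and paste" does it in fewer words, and the page otherwise uses contractions ("it's"), so the uncontracted "it is" stands out.

Review bot: The @@ -167 hunk removes the whole "Block access to only the public version of Bing Chat" bullet, including the statement that the block applies only on the corporate network and the "Turn off Bing Chat Enterprise" service-plan pointer, while the commit message says only "edits"; give the reason for withdrawing the nochat.bing.com guidance in the commit message, and check that the remaining SafeSearch bullet with its "mapping" sub-items still reads correctly as the first item under "Bing settings".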
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -37,43 +37,49 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP. + +| Setting | Description | +|--|--| +| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.

  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection will not collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy is not set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | +| Notify Malicious | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above. | +| Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. | +| Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. | #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**: -|Setting|Description| -|---------|---------| -|Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | -|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| -|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +- Automatic Data Collection +- Service Enabled +- Notify Malicious +- Notify Password Reuse +- Notify Unsafe App Assign the policy to a security group that contains as members the devices or users that you want to configure. #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) -Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings: +Enhanced Phishing Protection can be configured using the following group policy settings found under **Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection**: -|Setting|Description| -|---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +- Automatic Data Collection +- Service Enabled +- Notify Malicious +- Notify Password Reuse +- Notify Unsafe App #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1]. -| Setting | OMA-URI | Data type | -|-------------------------|---------------------------------------------------------------------------|-----------| -| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer | -| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer | -| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer | -| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer | -| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | +| Setting | OMA-URI | Data type | +|-----------------------------|-------------------------------------------------------------------------------|-----------| +| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer | +| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer | +| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer | +| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer | +| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | --- 
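Review bot: In the new Setting/Description table at the top of the hunk, the Automatic Data Collection row runs straight into the audit-mode and off bullets that describe Service Enabled ("If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode..." and "If you disable this policy setting, Enhanced Phishing Protection is off..."), ends with an empty bullet before the closing pipe, and the table has no separate Service Enabled row, even though Service Enabled is listed under the Intune and GPO tabs and in the CSP table; split those two bullets into their own `| Service Enabled | ... |` row with the audit-mode description that the removed Intune table carried, and drop the stray `•`. Two smaller fixes in the same cells: "preventing users to turn it off" should read "preventing users from turning it off", and the hyphens in "additional information-such as content displayed, sounds played, and application memory-when" need spacing or commas, because Markdown renders them as hyphens joining the words.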
@@ -82,33 +88,44 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][ By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. + +| Setting | Recommendation | +|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Automatic Data Collection | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence | +| Service Enabled | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. | +| Notify Malicious | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | +| Notify Password Reuse | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. 
| +| Notify Unsafe App | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. | + #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -|Settings catalog element|Recommendation| -|---------|---------| -|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| -|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| -|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| -|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.| +| Settings catalog element | Recommended value | +|---------------------------|-------------------| +| Automatic Data Collection | **Enabled** | +| Service Enabled | **Enabled** | +| Notify Malicious | **Enabled** | +| Notify Password Reuse | **Enabled** | +| Notify Unsafe App | **Enabled** | #### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo) -|Group Policy setting|Recommendation| -|---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they 
type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| +| Group Policy setting | Recommended value | +|---------------------------|-------------------| +| Automatic Data Collection | **Enabled** | +| Service Enabled | **Enabled** | +| Notify Malicious | **Enabled** | +| Notify Password Reuse | **Enabled** | +| Notify Unsafe App | **Enabled** | #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) -|MDM setting|Recommendation| -|---------|---------| -|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| -|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| -|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| -|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in 
Notepad and Microsoft 365 Office Apps.| - +| MDM setting | Recommended value | +|-------------------------|-------------------| +| AutomaticDataCollection | **1** | +| ServiceEnabled | **1** | +| NotifyMalicious | **1** | +| NotifyPasswordReuse | **1** | +| NotifyUnsafeApp | **1** | --- @@ -121,7 +138,4 @@ To better help you protect your organization, we recommend turning on and using [WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense - [MEM-2]: /mem/intune/configuration/settings-catalog - - From 6452e7263480b13028d65fd2eead6c812aeb4a00 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 2 Nov 2023 12:44:21 -0400 Subject: [PATCH 053/114] Minor updates --- .../enhanced-phishing-protection.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 0ec622546b..313b641bca 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -1,7 +1,7 @@ --- title: Enhanced Phishing Protection in Microsoft Defender SmartScreen description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -ms.date: 09/25/2023 +ms.date: 11/02/2023 ms.topic: conceptual appliesto: - ✅ Windows 11, version 22H2 
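Review bot: In the @@ -82,33 +88,44 @@ recommendations hunk, the new Automatic Data Collection row recommends **Enabled** with only "to improve Microsoft's threat intelligence" as the rationale, while the setting's own description earlier in the file says it collects content displayed, sounds played, and application memory when a user enters a work or school password; that is a data-sharing decision as much as a hardening one, so the row (or the paragraph above the table) should say what is collected and when, the way the Service Enabled row explains audit mode, so an admin can weigh it. Minor: that row is the only one in the table without a terminal period, and since the per-tab tables now carry only a "Recommended value" column, the combined table is the single place the reasoning survives, so it needs to be complete.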
@@ -41,12 +41,14 @@ Enhanced Phishing Protection can be configured via Microsoft Intune, Group Polic | Setting | Description | |--|--| -| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection will not collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy is not set, Enhanced Phishing Protection automatic data collection will honor the end user's settings.
  • If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
  • If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
  • If this policy isn't set, Enhanced Phishing Protection automatic data collection honors the end user's settings.
  • | | Service Enabled | This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
  • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
  • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
  • | | Notify Malicious | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above. | | Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
  • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. | | Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
  • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
  • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. | +Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. + #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**: From c008b5b446e67a80ed4c300a7b024ec899396875 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 3 Nov 2023 08:09:26 -0700 Subject: [PATCH 054/114] edit csp location --- windows/client-management/manage-windows-copilot.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 86382c61a1..e8c129e081 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Manage Copilot in Windows description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows. ms.topic: article ms.technology: itpro-windows-copilot -ms.date: 11/02/2023 +ms.date: 11/06/2023 appliesto: - ✅ Windows 11, version 22H2 or later --- 
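Review bot: The contraction pass on the Automatic Data Collection row leaves the same cell defects in place: the row (and the Service Enabled row) still ends with an empty bullet before the closing pipe (`• |`), "preventing users to turn it off" is still ungrammatical ("from turning it off"), and the hyphens in "information-such as content displayed, sounds played, and application memory-when" survive the edit; since this commit already rewrites the row, fix those here rather than in a third pass. The added "Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP." sentence restores the lead-in the previous commit dropped from the section intro and reads well placed before the tabs.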
@@ -31,7 +31,7 @@ Organizations that aren't ready to use Copilot in Windows can disable it until t |   | Setting | |---|---| -| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | +| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | @@ -158,7 +158,7 @@ While the user experience for Copilot in Windows is enabled by default, you stil Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy: -- **CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) +- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) - **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot** ## Other settings that might affect Copilot in Windows and its underlying chat provider From ae0633f0b1e1f4e9ff4b056f5436b55b146db32f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 8 Nov 2023 17:47:57 -0500 Subject: [PATCH 055/114] Port from word doc --- .../network-security/windows-firewall/TOC.yml | 2 + .../windows-firewall/hyper-v-firewall.md | 96 +++++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml index 6057d602da..a216ae58ee 100644 
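Review bot: The @@ -158,7 +158,7 @@ hunk also changes the link from the site-absolute `/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot` to the repo-relative `mdm/policy-csp-windowsai.md#turnoffwindowscopilot`, which the commit message "edit csp location" doesn't mention; worth a word there, since it is what brings the bullet in line with the table in the first hunk. With both hunks applied, both occurrences of the OMA-URI read `./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot`, which is the form the rest of the Policy CSP documentation uses.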
--- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml @@ -148,6 +148,8 @@ items: href: assign-security-group-filters-to-the-gpo.md - name: Change rules from request to require mode href: Change-Rules-From-Request-To-Require-Mode.Md + - name: Configure Hyper-V firewall + href: hyper-v-firewall.md - name: Configure authentication methods href: Configure-authentication-methods.md - name: Configure data protection (Quick Mode) settings diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md new file mode 100644 index 0000000000..71ed4ba1de --- /dev/null +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
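Review bot: The new TOC entry is inserted between "Change rules from request to require mode" and "Configure authentication methods", which breaks the alphabetical order the surrounding "Configure ..." entries follow ("Configure authentication methods", "Configure data protection (Quick Mode) settings", "Configure Group Policy to autoenroll and deploy certificates"); move "Configure Hyper-V firewall" to after "Configure Group Policy to autoenroll and deploy certificates".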
@@ -0,0 +1,96 @@ +--- +title: Hyper-V firewall +description: Learn how +ms.topic: how-to +ms.date: 11/08/2023 +--- + +# Configure Hyper-V firewall rules + +Hyper-V Firewall is a new network firewall solution introduced with Windows 11 22H2. This firewall solution enables filtering inbound and outbound traffic to/from containers that are being hosted by Windows, including the Windows Subsystem for Linux (WSL). + +## Manage locally from PowerShell + +Follow the steps below to manage Hyper-V firewall locally on your machine via the command line. + +### Get the VMCreatorId GUID + +Hyper-V firewall rules are enabled per VMCreatorId. First you need to obtain this, which you can do by running: + +```powershell +Get-NetFirewallHyperVVMCreator +``` + +This will output a VmCreatorId. Please note that these are unique, and so the one shown below is exclusive to WSL. + +```powershell +VMCreatorId  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} +FriendlyName : WSL +``` + +### Firewall Settings + +Hyper-V Firewall has settings that apply in general to a VMCreatorId. To see these you can use the [Get-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervvmsetting?view=windowsserver2022-ps) commandlet. For example, you can get the policies affecting WSL with the command below: + +```powershell +Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" +``` + +This will output these values: + +1. Enabled (True/False) - if Hyper-V Firewall is enabled for WSL VMs +2. DefaultInboundAction, DefaultOutboundAction - these are default rule policies as applied to packets entering or leaving the WSL container. These are the defaults (which can be configured more specifically later) +3. LoopbackEnabled - this tracks if loopback traffic between the host and the container is allowed (without requiring any special Hyper-V Firewall rules). 
WSL enables this by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host +4. AllowHostPolicyMerge - this setting determines how Windows Host Firewall Enterprise Settings (GP), Hyper-V Firewall Enterprise Settings (MDM), Windows Host Firewall Enterprise Settings (MDM), local Hyper-V Firewall settings, and local Host Firewall settings interact + + a. This setting is detailed with Set-NetFirewallHyperVVMSetting: [Set-NetFirewallHyperVVMSetting (NetSecurity) | Microsoft Learn](https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) + +> [!NOTE] +> `-PolicyStore ActiveStore` returns the *applied* settings. + +You can set specific settings using the [Set-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) command. For example, the command below sets the default inbound connection to Allow: + +```powershell +Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow +``` + +### Firewall Rules + +Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules please use the [Get-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervrule?view=windowsserver2022-ps ) commandlet. For example, to view firewall rules that only pertain to WSL you can use the command below: + +```powershell +Get-NetFirewallHyperVRule -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" +``` + +And to set specific rules you can use the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet. 
+ +For example, you can create an inbound rule to allow TCP traffic to the Windows Subsystem for Linux (WSL) on port 80 with this PowerShell command: + +```powershell +New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" -Protocol TCP -LocalPorts 80 +``` + +### Targeting Hyper-V firewall rules and settings to specific profiles + +Hyper-V firewall rules and settings can be targeted to the Firewall profile of the networks that are connected. These are the same Firewall Profiles that the Windows Firewall targets (Public Profile, Private Profile, Domain Profile). This has similar policy options as the above Hyper-V firewall PowerShell commandlets, but are just applied to specific profiles for the connected Windows Host network adapter. + +You can view these settings per profile with this command: + +```powershell +Get-NetFirewallHyperVProfile -PolicyStore ActiveStore +``` + +> [!NOTE] +> `-PolicyStore ActiveStore` returns the *applied* settings. + +The values here are the same as above, with one additional one: + +- AllowLocalFirewallRules: This setting determines how Enterprise (MDM) Hyper-V Firewall Rules interact with locally defined Hyper-V Firewall Rules. If this is set to True, then Windows will apply both the Hyper-V Firewall Rules from Enterprise Policies and the locally defined Hyper-V Firewall Rules. If this is set to False, then the locally defined Hyper-V Firewall rules are not applied, and only the Hyper-V Firewall Rules pushed by the Enterprise Policies are applied. + +You can set these settings per profile using the [Set-NetFirewallHyperVProfile]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervprofile?view=windowsserver2022-ps) commandlet. 
+ +You can set rules per profile using the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet with the `-Profile` option. + +## Manage from Intune + +You can also manage these settings online via Intune. From 15f4b7f836466047ec852f1b7f0bd2a0e6e4b7f3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 09:37:59 -0500 Subject: [PATCH 056/114] adjust/format content and Acrolinx --- .../network-security/windows-firewall/TOC.yml | 4 +- .../windows-firewall/hyper-v-firewall.md | 84 ++++++++++++------- 2 files changed, 54 insertions(+), 34 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml index a216ae58ee..165242f099 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml @@ -148,14 +148,14 @@ items: href: assign-security-group-filters-to-the-gpo.md - name: Change rules from request to require mode href: Change-Rules-From-Request-To-Require-Mode.Md - - name: Configure Hyper-V firewall - href: hyper-v-firewall.md - name: Configure authentication methods href: Configure-authentication-methods.md - name: Configure data protection (Quick Mode) settings href: configure-data-protection-quick-mode-settings.md - name: Configure Group Policy to autoenroll and deploy certificates href: configure-group-policy-to-autoenroll-and-deploy-certificates.md + - name: Configure Hyper-V firewall + href: hyper-v-firewall.md - name: Configure key exchange (main mode) settings href: configure-key-exchange-main-mode-settings.md - name: Configure the rules to require encryption 
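Review bot: The two configuration examples in this new file both open things up without saying so: `Set-NetFirewallHyperVVMSetting ... -DefaultInboundAction Allow` is presented as the illustrative setting change, and the `New-NetFirewallHyperVRule ... -Direction Inbound ... -Protocol TCP -LocalPorts 80` example carries no `-RemoteAddresses` or `-Profile` scope, so as written it admits inbound TCP 80 to WSL from any address on every profile. Either use `Block` for the settings example or add a sentence after each example stating what it exposes and how to scope it. Smaller points in the same hunk: `description: Learn how` in the front matter is truncated; the reference links are written as `]( https://learn.microsoft.com/...` with a space after the opening parenthesis, which some renderers reject; "commandlet" should be "cmdlet"; and the GUID argument is quoted with double quotes in some commands and single quotes in others.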
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 71ed4ba1de..045970b469 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
@@ -7,48 +7,51 @@ ms.date: 11/08/2023 # Configure Hyper-V firewall rules -Hyper-V Firewall is a new network firewall solution introduced with Windows 11 22H2. This firewall solution enables filtering inbound and outbound traffic to/from containers that are being hosted by Windows, including the Windows Subsystem for Linux (WSL). +Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL). -## Manage locally from PowerShell +## Configure with PowerShell -Follow the steps below to manage Hyper-V firewall locally on your machine via the command line. +This section describes the steps to manage Hyper-V firewall using PowerShell. -### Get the VMCreatorId GUID +### Obtain the VMCreatorId GUID -Hyper-V firewall rules are enabled per VMCreatorId. First you need to obtain this, which you can do by running: +Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet: ```powershell Get-NetFirewallHyperVVMCreator ``` -This will output a VmCreatorId. Please note that these are unique, and so the one shown below is exclusive to WSL. +The output contains a VmCreatorId object, which has *unique identifier* (GUID) and *friendly name* properties. For example, the following output shows WSL: ```powershell +PS C:\> Get-NetFirewallHyperVVMCreator VMCreatorId  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} FriendlyName : WSL ``` -### Firewall Settings +### Verify Hyper-V firewall settings -Hyper-V Firewall has settings that apply in general to a VMCreatorId. To see these you can use the [Get-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervvmsetting?view=windowsserver2022-ps) commandlet. For example, you can get the policies affecting WSL with the command below: +Hyper-V firewall has settings that apply in general to a VMCreatorId. 
Use the [Get-NetFirewallHyperVVMSetting][PS-1] cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command: ```powershell -Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" +Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' ``` -This will output these values: - -1. Enabled (True/False) - if Hyper-V Firewall is enabled for WSL VMs -2. DefaultInboundAction, DefaultOutboundAction - these are default rule policies as applied to packets entering or leaving the WSL container. These are the defaults (which can be configured more specifically later) -3. LoopbackEnabled - this tracks if loopback traffic between the host and the container is allowed (without requiring any special Hyper-V Firewall rules). WSL enables this by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host -4. AllowHostPolicyMerge - this setting determines how Windows Host Firewall Enterprise Settings (GP), Hyper-V Firewall Enterprise Settings (MDM), Windows Host Firewall Enterprise Settings (MDM), local Hyper-V Firewall settings, and local Host Firewall settings interact - - a. This setting is detailed with Set-NetFirewallHyperVVMSetting: [Set-NetFirewallHyperVVMSetting (NetSecurity) | Microsoft Learn](https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) - > [!NOTE] > `-PolicyStore ActiveStore` returns the *applied* settings. -You can set specific settings using the [Set-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) command. For example, the command below sets the default inbound connection to Allow: +The output contains the following values: + +| Value | Description | +|--|--| +| `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. 
| +| `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. | +| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. | +| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.
    This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. | + +### Configure Hyper-V firewall settings + +To configure Hyper-V firewall, use the [Set-NetFirewallHyperVVMSetting][PS-2] command. For example, the following command sets the default inbound connection to *Allow*: ```powershell Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow 
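Review bot: The `AllowHostPolicyMerge` row of the new table spans two physical lines (the cell continues with "This setting is detailed with the ..."), and a literal line break inside a markdown table cell terminates the row; if the wrap is intentional it needs `<br>`, otherwise the sentence should be joined onto the row. The `Enabled` description still says "enabled for WSL VMs" although the section states these settings apply per VMCreatorId in general; "for the VMs of this VMCreatorId" would match the text. Capitalisation also alternates between "Hyper-V firewall" in the prose and "Hyper-V Firewall" in the table cells within the same hunk.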
@@ -56,25 +59,31 @@ Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -D ### Firewall Rules -Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules please use the [Get-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervrule?view=windowsserver2022-ps ) commandlet. For example, to view firewall rules that only pertain to WSL you can use the command below: +Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules, use the [Get-NetFirewallHyperVRule][PS-3] cmdlet. For example, to view firewall rules that only pertain to WSL, use the following command: ```powershell -Get-NetFirewallHyperVRule -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" +Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' ``` -And to set specific rules you can use the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet. +To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet. 
-For example, you can create an inbound rule to allow TCP traffic to the Windows Subsystem for Linux (WSL) on port 80 with this PowerShell command: +For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command: ```powershell -New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" -Protocol TCP -LocalPorts 80 +New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80 ``` -### Targeting Hyper-V firewall rules and settings to specific profiles +### Target Hyper-V firewall rules and settings to specific profiles -Hyper-V firewall rules and settings can be targeted to the Firewall profile of the networks that are connected. These are the same Firewall Profiles that the Windows Firewall targets (Public Profile, Private Profile, Domain Profile). This has similar policy options as the above Hyper-V firewall PowerShell commandlets, but are just applied to specific profiles for the connected Windows Host network adapter. +Hyper-V firewall rules and settings can be targeted to the *Firewall profiles*, which are based on the type of network the device is connected to: -You can view these settings per profile with this command: +- Public profile +- Private profile +- Domain profile + +The policy options are similar to the ones already described, but are applied to specific profiles for the connected Windows Host network adapter. + +To view the settings per profile, use the following command: ```powershell Get-NetFirewallHyperVProfile -PolicyStore ActiveStore 
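Review bot: The lead-in "To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet" is immediately followed by an example that calls `New-NetFirewallHyperVRule`; the sentence should introduce `New-NetFirewallHyperVRule` for creating rules and keep `Set-NetFirewallHyperVRule` for modifying existing ones, otherwise readers will look for a create option on the Set cmdlet. Style: `### Firewall Rules` is left in title case while the sibling heading in this hunk was changed to sentence case (`### Target Hyper-V firewall rules and settings to specific profiles`).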
@@ -83,14 +92,25 @@ Get-NetFirewallHyperVProfile -PolicyStore ActiveStore > [!NOTE] > `-PolicyStore ActiveStore` returns the *applied* settings. -The values here are the same as above, with one additional one: +The output contains an extra value compared to the ones described in the previous section: -- AllowLocalFirewallRules: This setting determines how Enterprise (MDM) Hyper-V Firewall Rules interact with locally defined Hyper-V Firewall Rules. If this is set to True, then Windows will apply both the Hyper-V Firewall Rules from Enterprise Policies and the locally defined Hyper-V Firewall Rules. If this is set to False, then the locally defined Hyper-V Firewall rules are not applied, and only the Hyper-V Firewall Rules pushed by the Enterprise Policies are applied. +| Value | Description | +|--|--| +| `AllowLocalFirewallRules` (True/False)| This setting determines how enterprise Hyper-V firewall rules (CSP or GPO) interact with the locally defined Hyper-V firewall rules:
    - if the value is *True*, both the enterprise Hyper-V firewall rules and the locally defined rules are applied
    - if the value is *False*, the locally defined Hyper-V firewall rules aren't applied, and only enterprise rules are applied. | -You can set these settings per profile using the [Set-NetFirewallHyperVProfile]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervprofile?view=windowsserver2022-ps) commandlet. - -You can set rules per profile using the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet with the `-Profile` option. +> [!NOTE] +> To configure these **settings** per profile, use the [Set-NetFirewallHyperVProfile][PS-5] cmdlet. +> +> To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option. ## Manage from Intune You can also manage these settings online via Intune. + + + +[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting +[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting +[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule +[PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule +[PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile From 0c7ab1acd7a3fbb7065af449d746f263d92e4912 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 10:19:45 -0500 Subject: [PATCH 057/114] added example with links to CSP - for review --- .../windows-firewall/hyper-v-firewall.md | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 045970b469..33408db506 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
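Review bot: The new note ends with a sentence fragment: "To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option." has no main verb (the earlier sentence's "use the ... cmdlet" pattern should be repeated), and "these rules" has no antecedent because this section only lists settings. The `AllowLocalFirewallRules` cell also contains a two-item bullet list on separate physical lines; a markdown table cell cannot hold a list or a line break, so either use `<br>` separators or fold the two conditions into one sentence.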
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -103,9 +103,26 @@ The output contains an extra value compared to the ones described in the previou > > To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option. -## Manage from Intune +## Configure with Configuration Service Provider (CSP) -You can also manage these settings online via Intune. +You can configure Hyper-V firewall using the [Firewall CSP][CSP-1]. For example, with an MDM solution like Microsoft Intune. + +Here's a list of settings that can be used to configure Hyper-v firewall: + +| | Path | +|--|--| +| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/`[AllowHostPolicyMerge] +| **GPO** | Not available | + +| | Path | +|--|--| +| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[AllowLocalPolicyMerge] +| **GPO** | Not available | + +| | Path | +|--|--| +| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[EnableFirewall] +| **GPO** | Not available | @@ -114,3 +131,7 @@ You can also manage these settings online via Intune. [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule [PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule [PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile +[CSP-1]: /windows/client-management/mdm/firewall-csp +[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge +[AllowLocalPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileallowlocalpolicymerge +[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall \ No newline at end of file From a44d7eb72f9ca5462c174d383de64d2a8f0ab3c1 Mon Sep 17 00:00:00 2001 
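Review bot: The three new CSP tables show only a path with no description of what `AllowHostPolicyMerge`, `AllowLocalPolicyMerge` or `EnableFirewall` does, and nothing maps `AllowLocalPolicyMerge` to the `AllowLocalFirewallRules` property the PowerShell section documents for the same behaviour; readers moving between the two sections need that mapping stated. The profile-scoped rows show only `DomainProfile/` although the article already lists Public and Private profiles, so a `{Profile}` placeholder or all three paths would be more accurate. Smaller points: "For example, with an MDM solution like Microsoft Intune." is a fragment; the **CSP** rows lack the closing `|` that the **GPO** rows have; and the file now ends without a trailing newline.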
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 11:48:02 -0500 Subject: [PATCH 058/114] porting from second doc --- .../windows-firewall/hyper-v-firewall.md | 68 +++++++++++++------ 1 file changed, 48 insertions(+), 20 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 33408db506..095663bbb9 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -1,19 +1,22 @@ --- title: Hyper-V firewall -description: Learn how +description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP). ms.topic: how-to ms.date: 11/08/2023 +appliesto: +- ✅ Windows 11 --- -# Configure Hyper-V firewall rules +# Configure Hyper-V firewall -Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL). +Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).\ +This article describes how to configure Hyper-V firewall rules and settings using PowerShell, configuration service provider (CSP), or group policy (GPO). -## Configure with PowerShell +## Configure Hyper-V firewall with PowerShell This section describes the steps to manage Hyper-V firewall using PowerShell. -### Obtain the VMCreatorId GUID +### Obtain the WSL GUID Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet: 
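Review bot: The new `appliesto` entry says only "Windows 11", while the first sentence of the same hunk says "Starting in Windows 11, version 22H2"; the entry should carry the version qualifier ("Windows 11, version 22H2 or later") so the metadata does not claim broader applicability than the text. The added intro sentence promises configuration "using PowerShell, configuration service provider (CSP), or group policy (GPO)", but the updated `description` lists only PowerShell and CSP and the previous commit's tables mark GPO as "Not available"; drop GPO from the sentence or add the section. Renaming the heading to "Obtain the WSL GUID" also narrows it to WSL while the paragraph and cmdlet below it cover VMCreatorId in general.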
@@ -21,7 +24,7 @@ Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, Get-NetFirewallHyperVVMCreator ``` -The output contains a VmCreatorId object, which has *unique identifier* (GUID) and *friendly name* properties. For example, the following output shows WSL: +The output contains a VmCreator object type, which has unique identifier `VMCreatorId` and `friendly name` properties. For example, the following output shows the properties of WSL: ```powershell PS C:\> Get-NetFirewallHyperVVMCreator @@ -29,6 +32,9 @@ VMCreatorId  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} FriendlyName : WSL ``` +> [!NOTE] +> The WSL VMCreatorId is `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}`. + ### Verify Hyper-V firewall settings Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the [Get-NetFirewallHyperVVMSetting][PS-1] cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command: @@ -103,29 +109,51 @@ The output contains an extra value compared to the ones described in the previou > > To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option. -## Configure with Configuration Service Provider (CSP) +## Configure Hyper-V firewall with CSP You can configure Hyper-V firewall using the [Firewall CSP][CSP-1]. For example, with an MDM solution like Microsoft Intune. Here's a list of settings that can be used to configure Hyper-v firewall: -| | Path | -|--|--| -| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/`[AllowHostPolicyMerge] -| **GPO** | Not available | +|Value name|Description|Values| +|-|-|-| +|EnableLoopback

    `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\EnableLoopback`|Enables loopback between this guest and another guest or the host.|[True,False]| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`[AllowHostPolicyMerge]|Enables Hyper-V firewall to use applicable host firewall settings and rules.|[True,False]| -| | Path | -|--|--| -| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[AllowLocalPolicyMerge] -| **GPO** | Not available | +The following values apply to Hyper-V firewall profile settings: (Public, Private, Domain) -| | Path | -|--|--| -| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[EnableFirewall] -| **GPO** | Not available | +|Value name|Description|Values| +|---|---|---| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[EnableFirewall]|Enables Hyper-V firewall rules for this profile.|[True, False]| +|DefaultOutboundAction

    `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultOutboundAction`|The default action for outbound traffic that is applied if no rules match the traffic.|0 (allow)

    1 (block)| +|DefaultInboundAction

    `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultInboundAction`|The default action for inbound traffic that is applied if no rules match the traffic.|0 (allow)

    1 (block)| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[AllowLocalPolicyMerge]||| - +The following values apply to Hyper-V firewall rules: +|Value name|Description|Values| +|---|---|---| +|Name

    `HyperVFirewallRules\\Name`|Friendly name of the rule|String| +|Priority

    `HyperVFirewallRules\\Priority`|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.|int| +|Direction

    `HyperVFirewallRules\\Direction`|Comma separated list.  The rule is enabled based on the traffic direction as following.

    IN - the rule applies to inbound traffic.

    OUT - the rule applies to outbound traffic.

    If not specified the detault is OUT.|String| +|VMCreatorId

    `HyperVFirewallRules\\VMCreatorId`|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.

    Can be filled in automatically from earlier profile?|String (GUID)| +|Protocol

    `HyperVFirewallRules\\Protocol`|0-255 number representing the ip protocol (TCP = 6, UDP = 17).  If not specified the default is All.|Int| +|LocalAddressRanges

    `HyperVFirewallRules\\LocalAddressRanges`|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any local address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.|String| +|LocalPortRanges

    `HyperVFirewallRules\\LocalPortRanges`|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.|String| +|RemoteAddressRanges

    `HyperVFirewallRules\\RemoteAddressRanges`|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any remote address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.|String| +|RemotePortRanges

    `HyperVFirewallRules\\RemotePortRanges`|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.|String| +|Action

    `HyperVFirewallRules\\Action`|Specifies the action the rule enforces:

    0 - Block

    1 - Allow|Int| +|Enabled

    `HyperVFirewallRules\\Enabled`|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.|Boolean| +|Status

    `HyperVFirewallRules\\Status`|Provides information about the specific version of the rule in deployment for monitoring purposes.|String| +|Profiles

    `HyperVFirewallRules\\Profiles`|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.|Int| + +### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback + +To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Microsoft Defender Firewall and network protection**. + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience [PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting [PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule From f73601ec2586b994cd7da3fe4be26ddc18d85407 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:09:52 -0500 Subject: [PATCH 059/114] updates --- .../windows-firewall/hyper-v-firewall.md | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 095663bbb9..142d3c1824 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
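Review bot: The `[CSP-1]` reference definition now points to `/windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience`, which is the Authentication policy CSP, not the Firewall CSP linked in the intro sentence; the previous commit's value `/windows/client-management/mdm/firewall-csp` is the correct target. Several other things in the ported tables must be resolved before publishing: the `VMCreatorId` row still contains the author's working question "Can be filled in automatically from earlier profile?"; the `AllowLocalPolicyMerge` row has an empty description; `[FHUB]` is referenced in the feedback section but no definition appears in the hunk; and the path notation mixes `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{GUID}/...` with `{GUID}\HyperVVMSettings\EnableLoopback` (GUID before the node, backslashes) and `HyperVFirewallRules\\Name` (escaped backslashes), so the reader cannot tell which form is the OMA-URI. Worth a short callout: the numeric encodings differ between `DefaultInboundAction`/`DefaultOutboundAction` (0 allow, 1 block) and rule `Action` (0 Block, 1 Allow), and confusing them inverts the policy; please confirm both against the Firewall CSP reference. Typos: "detault", "neither a subnet mask not a network prefix" (nor), and in the earlier hunk `friendly name` should be `FriendlyName` to match the printed property.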
@@ -111,41 +111,41 @@ The output contains an extra value compared to the ones described in the previou ## Configure Hyper-V firewall with CSP -You can configure Hyper-V firewall using the [Firewall CSP][CSP-1]. For example, with an MDM solution like Microsoft Intune. +You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. To learn how to configure Hyper-V firewall with Microsoft Intune, see [ADD LINK][INT-1]. Here's a list of settings that can be used to configure Hyper-v firewall: -|Value name|Description|Values| -|-|-|-| -|EnableLoopback

    `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\EnableLoopback`|Enables loopback between this guest and another guest or the host.|[True,False]| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`[AllowHostPolicyMerge]|Enables Hyper-V firewall to use applicable host firewall settings and rules.|[True,False]| +|Value name|Description| +|-|-| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]**|Enables loopback between this guest and another guest or the host.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|Enables Hyper-V firewall to use applicable host firewall settings and rules.| -The following values apply to Hyper-V firewall profile settings: (Public, Private, Domain) +The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`: -|Value name|Description|Values| -|---|---|---| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[EnableFirewall]|Enables Hyper-V firewall rules for this profile.|[True, False]| -|DefaultOutboundAction

    `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultOutboundAction`|The default action for outbound traffic that is applied if no rules match the traffic.|0 (allow)

    1 (block)| -|DefaultInboundAction

    `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultInboundAction`|The default action for inbound traffic that is applied if no rules match the traffic.|0 (allow)

    1 (block)| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[AllowLocalPolicyMerge]||| +|Value name|Description| +|---|---| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall]**|Enables Hyper-V firewall rules for this profile.|[True, False]| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction]**|The default action for outbound traffic that is applied if no rules match the traffic.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction]**|The default action for inbound traffic that is applied if no rules match the traffic.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge]**||| The following values apply to Hyper-V firewall rules: -|Value name|Description|Values| -|---|---|---| -|Name

    `HyperVFirewallRules\\Name`|Friendly name of the rule|String| -|Priority

    `HyperVFirewallRules\\Priority`|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.|int| -|Direction

    `HyperVFirewallRules\\Direction`|Comma separated list.  The rule is enabled based on the traffic direction as following.

    IN - the rule applies to inbound traffic.

    OUT - the rule applies to outbound traffic.

    If not specified the detault is OUT.|String| -|VMCreatorId

    `HyperVFirewallRules\\VMCreatorId`|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.

    Can be filled in automatically from earlier profile?|String (GUID)| -|Protocol

    `HyperVFirewallRules\\Protocol`|0-255 number representing the ip protocol (TCP = 6, UDP = 17).  If not specified the default is All.|Int| -|LocalAddressRanges

    `HyperVFirewallRules\\LocalAddressRanges`|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any local address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.|String| -|LocalPortRanges

    `HyperVFirewallRules\\LocalPortRanges`|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.|String| -|RemoteAddressRanges

    `HyperVFirewallRules\\RemoteAddressRanges`|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any remote address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.|String| -|RemotePortRanges

    `HyperVFirewallRules\\RemotePortRanges`|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.|String| -|Action

    `HyperVFirewallRules\\Action`|Specifies the action the rule enforces:

    0 - Block

    1 - Allow|Int| -|Enabled

    `HyperVFirewallRules\\Enabled`|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.|Boolean| -|Status

    `HyperVFirewallRules\\Status`|Provides information about the specific version of the rule in deployment for monitoring purposes.|String| -|Profiles

    `HyperVFirewallRules\\Profiles`|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.|Int| +|Value name|Description| +|---|---| +|`HyperVFirewallRules\/`**[Name]**|Friendly name of the rule| +|`HyperVFirewallRules\/`**[Priority]**|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.| +|`HyperVFirewallRules\/`**[Direction]**|Comma separated list.  The rule is enabled based on the traffic direction as following.

    `IN` - the rule applies to inbound traffic.

    `OUT` - the rule applies to outbound traffic.

    If not specified the detault is OUT.| +|`HyperVFirewallRules\/`**[VMCreatorId]**|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.

    Can be filled in automatically from earlier profile?| +|Protocol

    `HyperVFirewallRules\/`**[Protocol]**|0-255 number representing the ip protocol (TCP = 6, UDP = 17).  If not specified the default is All.| +|`HyperVFirewallRules\/`**[LocalAddressRanges]**|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any local address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.| +|`HyperVFirewallRules\/`**[LocalPortRanges]**|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.| +|`HyperVFirewallRules\/`**[RemoteAddressRanges]**|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any remote address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.| +|`HyperVFirewallRules\/`**[RemotePortRanges]**|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.| +|`HyperVFirewallRules\/`**[Action]**|Specifies the action the rule enforces:

    0 - Block

    1 - Allow| +|`HyperVFirewallRules\/`**[Enabled]**|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.| +|`HyperVFirewallRules\/`**[Status]**|Provides information about the specific version of the rule in deployment for monitoring purposes.| +|`HyperVFirewallRules\/`**[Profiles]**|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.| ### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback @@ -153,7 +153,6 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use -[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience [PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting [PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule @@ -162,4 +161,5 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use [CSP-1]: /windows/client-management/mdm/firewall-csp [AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge [AllowLocalPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileallowlocalpolicymerge -[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall \ No newline at end of file +[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall +[INT-1]: /windows/client-management/mdm/firewall-csp From 0901fd0901e616270b6b9ae077781fadc57c1d96 Mon Sep 17 00:00:00 2001 
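Review bot: the new `**[VMCreatorId]**` row in the rules table publishes the author's working question "Can be filled in automatically from earlier profile?" as part of the description; drop it before merge, or replace it with a statement of what a NULL GUID does (the preceding sentence already says it matches all VM creators). Same hunk: the stray `+|Protocol` line directly before the `**[Protocol]**` row renders as a dangling extra table row and should be deleted; "detault" in the Direction row is a typo for "default"; the profile table header declares two columns (`|---|---|`) but the `**[EnableFirewall]**` row ends with a third cell, `|[True, False]|`, and the `**[AllowLocalPolicyMerge]**` row has an empty description, so either add a Values column to every row or remove the trailing cell. Replacing the old three-column rules table with a two-column one also drops the type column (String, Int, Boolean, GUID), which is useful to readers writing CSP payloads; consider keeping it. In the link-reference hunk, `[CSP-1]` and the added `[INT-1]` both resolve to `/windows/client-management/mdm/firewall-csp`, so one label is enough.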
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:44:36 -0500 Subject: [PATCH 060/114] updates --- .../windows-firewall/hyper-v-firewall.md | 62 +++++++++++-------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 142d3c1824..3349d03222 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -28,7 +28,7 @@ The output contains a VmCreator object type, which has unique identifier `VMCrea ```powershell PS C:\> Get-NetFirewallHyperVVMCreator -VMCreatorId  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} +VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} FriendlyName : WSL ``` 
@@ -117,35 +117,39 @@ Here's a list of settings that can be used to configure Hyper-v firewall: |Value name|Description| |-|-| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]**|This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles.| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]**|Enables loopback between this guest and another guest or the host.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|Enables Hyper-V firewall to use applicable host firewall settings and rules.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. 
It's recommended to instead use the profile setting value under the profile subtree.| The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`: |Value name|Description| |---|---| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall]**|Enables Hyper-V firewall rules for this profile.|[True, False]| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction]**|The default action for outbound traffic that is applied if no rules match the traffic.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction]**|The default action for inbound traffic that is applied if no rules match the traffic.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge]**||| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.|[True, False]| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. 
If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**||| The following values apply to Hyper-V firewall rules: -|Value name|Description| -|---|---| -|`HyperVFirewallRules\/`**[Name]**|Friendly name of the rule| -|`HyperVFirewallRules\/`**[Priority]**|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.| -|`HyperVFirewallRules\/`**[Direction]**|Comma separated list.  The rule is enabled based on the traffic direction as following.

    `IN` - the rule applies to inbound traffic.

    `OUT` - the rule applies to outbound traffic.

    If not specified the detault is OUT.| -|`HyperVFirewallRules\/`**[VMCreatorId]**|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.

    Can be filled in automatically from earlier profile?| -|Protocol

    `HyperVFirewallRules\/`**[Protocol]**|0-255 number representing the ip protocol (TCP = 6, UDP = 17).  If not specified the default is All.| -|`HyperVFirewallRules\/`**[LocalAddressRanges]**|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any local address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.| -|`HyperVFirewallRules\/`**[LocalPortRanges]**|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.| -|`HyperVFirewallRules\/`**[RemoteAddressRanges]**|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.

    Valid tokens include:

    "*" indicates any remote address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

    A valid IPv6 address.

    An IPv4 address range in the format of "start address - end address" with no spaces included.

    An IPv6 address range in the format of "start address - end address" with no spaces included.  If not specified the default is All.| -|`HyperVFirewallRules\/`**[RemotePortRanges]**|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320.  If not specified the default is All.| -|`HyperVFirewallRules\/`**[Action]**|Specifies the action the rule enforces:

    0 - Block

    1 - Allow| -|`HyperVFirewallRules\/`**[Enabled]**|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.| -|`HyperVFirewallRules\/`**[Status]**|Provides information about the specific version of the rule in deployment for monitoring purposes.| -|`HyperVFirewallRules\/`**[Profiles]**|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.| +| Value name | Description | +|--|--| +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Direction][RULE]** | Comma separated list. The rule is enabled based on the traffic direction as following.

    - `IN`: the rule applies to inbound traffic.

    -`OUT`: the rule applies to outbound traffic.

    If not specified the detault is OUT. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[VMCreatorId][RULE]** | This field specifies the VM Creator ID that this rule is applicable to. A `NULL` GUID will result in this rule applying to all VM creators. | +| Protocol

    `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Protocol][RULE]** | `0-255` number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. `*` is the default value.

    Valid tokens include:

    `*`: indicates any local address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.

    A valid IPv6 address.

    An IPv4 address range in the format of *start address - end address* with no spaces included.

    An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalPortRanges][RULE]** | Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemoteAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. `*` is the default value.

    Valid tokens include:

    `*`: indicates any remote address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.

    A valid IPv6 address.

    An IPv4 address range in the format of *start address - end address* with no spaces included.

    An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemotePortRanges][RULE]** | Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Action][RULE]** | Specifies the action the rule enforces:

    0 - Block

    1 - Allow | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Enabled][RULE]** | Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Status][RULE]** | Provides information about the specific version of the rule in deployment for monitoring purposes. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Profiles][RULE]** | Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All. | ### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback 
@@ -153,13 +157,21 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use + +[CSP-1]: /windows/client-management/mdm/firewall-csp + +[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1 +[INT-1]: /windows/client-management/mdm/firewall-csp [PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting [PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule [PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule [PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile -[CSP-1]: /windows/client-management/mdm/firewall-csp + +[RULE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervfirewallrules +[PROFILE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatorid +[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenablefirewall +[EnableLoopback]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenableloopback [AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge -[AllowLocalPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileallowlocalpolicymerge -[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall -[INT-1]: /windows/client-management/mdm/firewall-csp +[DefaultOutboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction +[DefaultInboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction From 1fdbed091df5f457d473db3c0803e60f26534f6b Mon Sep 17 00:00:00 2001 
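Review bot: in the profile-settings hunk the added `**[AllowLocalPolicyMerge][PROFILE]**` row ends with `|[True, False]|`, a third cell under a two-column header, and the old empty `**[AllowLocalPolicyMerge][PROFILE]**|||` row is left in place, so the same setting appears twice; remove the extra cell and the duplicate row. In the rules table the `| Protocol` fragment on the line before the `**[Protocol][RULE]**` row is still a dangling row, "detault" is still misspelled, and the `OUT` bullet is written with the hyphen immediately followed by the backticked name, without the space that the `IN` bullet has. The paths `HyperVVMSettings/{...}//` and `HyperVFirewallRules//` contain an empty segment where the profile name or rule identifier belongs; if that segment was a placeholder in angle brackets it was swallowed as HTML, so escape it or use a different placeholder notation. In the link-reference hunk `[CSP-1]` and `[INT-1]` are both defined as `/windows/client-management/mdm/firewall-csp`; keep one.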
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:46:44 -0500 Subject: [PATCH 061/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 3349d03222..beef0bc4fe 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
@@ -123,11 +123,11 @@ Here's a list of settings that can be used to configure Hyper-v firewall: |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.| -The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`: +The following values apply to Hyper-V firewall profile settings: *Public*, *Private*, *Domain*: |Value name|Description| |---|---| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.|[True, False]| +|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. 
If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.| @@ -157,7 +157,6 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use - [CSP-1]: /windows/client-management/mdm/firewall-csp [FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1 From 3de1df9ac8b9ceee6ba9b2c40956f957f57a2c83 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:46:59 -0500 Subject: [PATCH 062/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index beef0bc4fe..c1e0c81cdf 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
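Review bot: this hunk removes the stray `|[True, False]|` cell from the `**[EnableFirewall][PROFILE]**` row, but the `**[AllowLocalPolicyMerge][PROFILE]**` context row directly below it still ends with the same extra cell and still breaks the two-column table; fix both rows in the same change. Switching the profile names from backticks to italics is a style choice that a later patch in this series reverts, so settle on one convention before merging.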
@@ -131,7 +131,6 @@ The following values apply to Hyper-V firewall profile settings: *Public*, *Priv |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.| |`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**||| The following values apply to Hyper-V firewall rules: From a291793a02bda1d0ffc9572fe367f5f5ef5a75fb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:48:18 -0500 Subject: [PATCH 063/114] updates --- .../windows-firewall/hyper-v-firewall.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index c1e0c81cdf..dd4aed1ae8 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
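Review bot: removing the duplicate empty `**[AllowLocalPolicyMerge][PROFILE]**|||` row is correct, but the surviving `**[AllowLocalPolicyMerge][PROFILE]**` row shown as context above it still carries a third cell, `|[True, False]|`, in a two-column table; trim it here so the table renders correctly after this change.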
@@ -115,26 +115,26 @@ You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example Here's a list of settings that can be used to configure Hyper-v firewall: -|Value name|Description| -|-|-| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]**|This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]**|Enables loopback between this guest and another guest or the host.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.| +| CSP path | Description | +|--|--| +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]** | This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. 
| +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]** | Enables loopback between this guest and another guest or the host. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]** | This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | The following values apply to Hyper-V firewall profile settings: *Public*, *Private*, *Domain*: -|Value name|Description| -|---|---| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. 
If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.| -|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.| +| CSP path | Description | +|--|--| +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | [True, False] | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. | The following values apply to Hyper-V firewall rules: -| Value name | Description | +| CSP path | Description | |--|--| | `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. | | `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. | 
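Review bot: the reflowed `**[AllowLocalPolicyMerge][PROFILE]**` row in the profile table now reads `| ... | [True, False] |`, an explicit third cell under a two-column header (`|--|--|`), so the reformat preserves the rendering bug instead of fixing it; drop the cell or add a Values column to every row of the table. Renaming the header from "Value name" to "CSP path" is accurate for these tables, since every first cell is a full `./Vendor/MSFT/Firewall/...` path; apply the same header to the rules table's remaining rows for consistency.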
From 3a797fe367975f0f1e7bf28e00c46fc450358930 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:51:29 -0500 Subject: [PATCH 064/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index dd4aed1ae8..92d3e26ea4 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -123,7 +123,7 @@ Here's a list of settings that can be used to configure Hyper-v firewall: | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | -The following values apply to Hyper-V firewall profile settings: *Public*, *Private*, *Domain*: +The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`: | CSP path | Description | |--|--| From 6b625b3a1e45893e1dd7b5503d86b6155479a9f1 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:57:20 -0500 Subject: [PATCH 065/114] added disclaimer --- .../network-security/windows-firewall/hyper-v-firewall.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 92d3e26ea4..52c2fc7fd6 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -10,7 +10,10 @@ appliesto: # Configure Hyper-V firewall Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).\ -This article describes how to configure Hyper-V firewall rules and settings using PowerShell, configuration service provider (CSP), or group policy (GPO). +This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP). + +> [!IMPORTANT] +> The configuration oh Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration. ## Configure Hyper-V firewall with PowerShell From c8f54ff00987daf7c0ec9f7d77b8d197be5a97df Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 13:04:46 -0500 Subject: [PATCH 066/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
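Review bot: typo in the new IMPORTANT box, `The configuration oh Hyper-V firewall is not available via group policy (GPO)` should read `of`. The same sentence mixes `is not available` with `aren't configured`; use the contraction in both places to match the rest of the article. The box also makes a strong claim, that settings are `automatically mirrored from the GPO configuration` when nothing is set via CSP, without saying which setting governs that behaviour; see the follow-up comment on the next patch.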
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 52c2fc7fd6..a5937ee74c 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -131,7 +131,7 @@ The following values apply to Hyper-V firewall profile settings: `Public`, `Priv | CSP path | Description | |--|--| | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | [True, False] | +| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. | | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. | From 9e4863b0d0301c3fdfc5efef17bb3f833d799183 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 13:05:07 -0500 Subject: [PATCH 067/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index a5937ee74c..fc9f27f4a5 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -13,7 +13,7 @@ Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall sol This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP). > [!IMPORTANT] -> The configuration oh Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration. +> The configuration of Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration. ## Configure Hyper-V firewall with PowerShell From 232deb63e9d9dd343bb6fd42d6881a053267ab35 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 14:55:23 -0500 Subject: [PATCH 068/114] updates --- .../windows-firewall/hyper-v-firewall.md | 49 +++---------------- 1 file changed, 7 insertions(+), 42 deletions(-) 
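Review bot: with the typo fixed, the sentence `If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration` still leaves open what controls the mirroring. The CSP table on this page describes `AllowHostPolicyMerge` as the switch under which `applicable host firewall rules and settings are applied to Hyper-V Firewall`, so state whether mirroring is conditional on that value being true, and what wins when a CSP value and a GPO value for the same setting disagree; an administrator relying on this box to reason about what WSL traffic is blocked needs that precedence spelled out.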
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index fc9f27f4a5..d94d736b75 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
@@ -114,44 +114,14 @@ The output contains an extra value compared to the ones described in the previou ## Configure Hyper-V firewall with CSP -You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. To learn how to configure Hyper-V firewall with Microsoft Intune, see [ADD LINK][INT-1]. +You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. -Here's a list of settings that can be used to configure Hyper-v firewall: +To learn more about the CSP options, follow these links: -| CSP path | Description | -|--|--| -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]** | This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]** | Enables loopback between this guest and another guest or the host. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]** | This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. 
This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | +- [Configure Hyper-V firewall settings][SETTINGS]: to configure the Hyper-V firewall settings +- [Configure Hyper-V firewall rules][RULE]: to configure list of rules controlling traffic through the Hyper-V firewall -The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`: - -| CSP path | Description | -|--|--| -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. | - -The following values apply to Hyper-V firewall rules: - -| CSP path | Description | -|--|--| -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Direction][RULE]** | Comma separated list. 
The rule is enabled based on the traffic direction as following.

    - `IN`: the rule applies to inbound traffic.

    -`OUT`: the rule applies to outbound traffic.

    If not specified the detault is OUT. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[VMCreatorId][RULE]** | This field specifies the VM Creator ID that this rule is applicable to. A `NULL` GUID will result in this rule applying to all VM creators. | -| Protocol

    `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Protocol][RULE]** | `0-255` number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. `*` is the default value.

    Valid tokens include:

    `*`: indicates any local address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.

    A valid IPv6 address.

    An IPv4 address range in the format of *start address - end address* with no spaces included.

    An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalPortRanges][RULE]** | Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemoteAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. `*` is the default value.

    Valid tokens include:

    `*`: indicates any remote address. If present, this must be the only token included.

    A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.

    A valid IPv6 address.

    An IPv4 address range in the format of *start address - end address* with no spaces included.

    An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemotePortRanges][RULE]** | Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Action][RULE]** | Specifies the action the rule enforces:

    0 - Block

    1 - Allow | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Enabled][RULE]** | Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Status][RULE]** | Provides information about the specific version of the rule in deployment for monitoring purposes. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Profiles][RULE]** | Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All. | +To learn how to configure the firewall with Microsoft Intune, see [Firewall policy for endpoint security][INT-1]. ### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback @@ -162,7 +132,7 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use [CSP-1]: /windows/client-management/mdm/firewall-csp [FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1 -[INT-1]: /windows/client-management/mdm/firewall-csp +[INT-1]: /mem/intune/protect/endpoint-security-firewall-policy [PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting [PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule 
@@ -170,9 +140,4 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use [PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile [RULE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervfirewallrules -[PROFILE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatorid -[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenablefirewall -[EnableLoopback]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenableloopback -[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge -[DefaultOutboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction -[DefaultInboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction +[SETTINGS]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettings From f80fbed9af14e264be10e6940b811aca5bb2c669 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 14:57:24 -0500 Subject: [PATCH 069/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index d94d736b75..83bc11858a 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
@@ -3,6 +3,9 @@ title: Hyper-V firewall description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP). ms.topic: how-to ms.date: 11/08/2023 +author: paolomatarazzo +ms.author: paoloma +ms.topic: article appliesto: - ✅ Windows 11 --- From adc1527abbe9d541ea0e3c6cb1c09027ca6a8526 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 15:01:28 -0500 Subject: [PATCH 070/114] updates --- .../network-security/windows-firewall/hyper-v-firewall.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index 83bc11858a..534ffb359d 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md @@ -5,7 +5,6 @@ ms.topic: how-to ms.date: 11/08/2023 author: paolomatarazzo ms.author: paoloma -ms.topic: article appliesto: - ✅ Windows 11 --- From c4e9b7eb018db952a3e3a0d1ee82216a26b2a3ef Mon Sep 17 00:00:00 2001 
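Review bot: PATCH 069 adds `ms.topic: article` to a front matter block that already has `ms.topic: how-to`, which is a duplicate YAML key, and PATCH 070 then deletes it; squash the two so the history never contains an invalid front matter state. Since `author` and `ms.author` are new metadata, bump `ms.date` from `11/08/2023` in the same change, as the other pages touched in this series do.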
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 16:45:49 -0500 Subject: [PATCH 071/114] [EDU] Freshness --- .openpublishing.redirection.education.json | 15 + education/windows/edu-stickers.md | 10 +- .../windows/set-up-school-pcs-whats-new.md | 97 ------ .../configure-device-settings.md | 6 +- .../configure-devices-overview.md | 2 +- .../{enroll-aadj.md => enroll-entra-join.md} | 6 +- .../enroll-overview.md | 4 +- .../enroll-package.md | 5 +- .../tutorial-school-deployment/index.md | 5 +- .../manage-overview.md | 2 +- .../manage-surface-devices.md | 18 +- .../tutorial-school-deployment/reset-wipe.md | 3 +- ...ure-ad.md => set-up-microsoft-entra-id.md} | 5 +- .../set-up-microsoft-intune.md | 4 +- .../tutorial-school-deployment/toc.yml | 4 +- .../troubleshoot-overview.md | 7 +- .../windows/use-set-up-school-pcs-app.md | 303 +++++++++--------- 17 files changed, 198 insertions(+), 298 deletions(-) delete mode 100644 education/windows/set-up-school-pcs-whats-new.md rename education/windows/tutorial-school-deployment/{enroll-aadj.md => enroll-entra-join.md} (95%) rename education/windows/tutorial-school-deployment/{set-up-azure-ad.md => set-up-microsoft-entra-id.md} (99%) diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json index 94b0deccdb..11fc9cd312 100644 --- a/.openpublishing.redirection.education.json +++ b/.openpublishing.redirection.education.json 
@@ -159,6 +159,21 @@ "source_path": "education/windows/windows-automatic-redeployment.md", "redirect_url": "/education/windows/autopilot-reset", "redirect_document_id": false + }, + { + "source_path": "education/windows/enroll-aadj.md", + "redirect_url": "/education/windows/enroll-entra-join", + "redirect_document_id": false + }, + { + "source_path": "education/windows/set-up-azure-ad.md", + "redirect_url": "/education/windows/set-up-microsoft-entra-id", + "redirect_document_id": false + }, + { + "source_path": "education/windows/set-up-school-pcs-whats-new.md", + "redirect_url": "/education/windows", + "redirect_document_id": false } ] } diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index d3a6d97411..e15caa2a1a 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md 
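Review bot: two of the three new redirect entries point at the wrong paths. The renames in this patch are `education/windows/tutorial-school-deployment/{enroll-aadj.md => enroll-entra-join.md}` and `education/windows/tutorial-school-deployment/{set-up-azure-ad.md => set-up-microsoft-entra-id.md}`, but `source_path` is `education/windows/enroll-aadj.md` and `education/windows/set-up-azure-ad.md`, and `redirect_url` is `/education/windows/enroll-entra-join` and `/education/windows/set-up-microsoft-entra-id`; all four are missing the `tutorial-school-deployment/` segment, so the old URLs will 404 and the redirect targets don't exist. The `set-up-school-pcs-whats-new.md` entry matches its deleted path.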
@@ -1,21 +1,17 @@ --- title: Configure Stickers for Windows 11 SE description: Learn about the Stickers feature and how to configure it via Intune and provisioning package. -ms.date: 09/15/2022 +ms.date: 11/09/2023 ms.topic: how-to appliesto: - ✅ Windows 11 SE -ms.collection: - - highpri - - education - - tier2 --- # Configure Stickers for Windows 11 SE -Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes. +Starting in **Windows 11 SE, version 22H2**, *Stickers* is a feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes. -Similar to the [education theme packs](edu-themes.md "my tooltip example that opens in a new tab"), Stickers is a personalization feature that helps the device feel like it was designed for students. +Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students. :::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true"::: diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md deleted file mode 100644 index 97988171bf..0000000000 --- a/education/windows/set-up-school-pcs-whats-new.md +++ /dev/null 
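Review bot: the `edu-stickers.md` hunk drops the whole `ms.collection` block (`highpri`, `education`, `tier2`) along with the wording and link fixes; if removing the page from those collections is intentional, say so in the commit message, otherwise keep the block, since the change reads as an accidental side effect of a freshness pass.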
@@ -1,97 +0,0 @@ ---- -title: What's new in the Windows Set up School PCs app -description: Find out about app updates and new features in Set up School PCs. -ms.topic: whats-new -ms.date: 08/10/2022 ---- - -# What's new in Set up School PCs -Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases. - -## Week of August 24, 2020 - -### Longer device names supported in app -You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long. - -## Week of September 23, 2019 - -### Easier way to deploy Office 365 to your classroom devices - Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams. - -## Week of June 24, 2019 - -### Resumed support for Windows 10, version 1903 and later -The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app. - -### Device rename made optional for Azure AD-joined devices -When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names. - -## Week of May 23, 2019 - -### Suspended support for Windows 10, version 1903 and later -Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again. 
- -### Mandatory device rename for Azure AD-joined devices -If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names. - -## Week of April 15, 2019 - -### Support for Minecraft Education Edition upgrade - Set up School PCs only adds apps to the provisioning package that meet the minimum supported version for Windows 10. For example, Minecraft is the most recent store app to upgrade; it's only installed on devices running Windows 10, version 1709 and later. If you select an earlier version of Windows, Minecraft won't be included in the provisioning package. - -## Week of April 8, 2019 - -### Apps configured as non-removeable -Apps that you deploy with Set up School PCs are configured as non-removable apps. This feature prevents students from unpinning or uninstalling the apps they need. - -### Domain name automatically added during sign-in -Specify your preferred Azure Active Directory tenant domain name to automatically append it to the username on the sign-in screen. With this setting, students don't need to type out long school domain names. To sign in, they type only their unique usernames. - -### Set up devices with hidden Wi-Fi network -Set up devices so that they connect to a hidden Wi-Fi network. To configure a hidden network, open the app. When you get to **Wireless network**, choose **Add a Wi-Fi network**. Enter in your Wi-Fi information and select **Hidden network**. - - -## Week of December 31, 2018 - -### Add Microsoft Whiteboard to provisioning package -Microsoft Whiteboard is now a Microsoft-recommended app for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together; students can create and collaborate in real time in the classroom. Add the app to your provisioning package on the **Add apps** page. For more information, see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package). 
- -## Week of November 5, 2018 - -### Sync school app inventory from Microsoft Store -During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package). - - -## Week of October 15, 2018 - -The Set up School PCs app was updated with the following changes: - -### Three new setup screens added to the app -The following screens and functionality were added to the setup workflow. Select a screen name to view the relevant steps and screenshots in the Set Up School PCs docs. - -* [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. Azure Active Directory generates the name. It appears as the filename, and as the token name in Azure AD in the Azure portal. - -* [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key. - -* [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices. - -### Azure AD token expiration extended to 180 days -Packages now expire 180 days from the date you create them. - -### Updated apps with more helpful, descriptive text -The **Skip** buttons in the app now communicate the intent of each action. An **Exit** button also appears on the last page of the app. - -### Option to keep existing device names -The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the original or existing names of your student devices. 
- -### Skype and Messaging apps to be removed from student PCs by default -The Skype and Messaging apps are part of a selection of apps that are, by default, removed from student devices. - - -## Next steps -Learn how to create provisioning packages and set up devices in the app. -* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) -* [Set up School PCs technical reference](set-up-school-pcs-technical.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) - -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md index f9d1d2046f..fc71325532 100644 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -1,7 +1,7 @@ --- title: Configure and secure devices with Microsoft Intune description: Learn how to configure policies with Microsoft Intune in preparation for device deployment. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- @@ -88,7 +88,7 @@ To create a security policy: - Windows SmartScreen For more information, see [Security][INT-4]. - + > [!NOTE] > If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information: > - [Antivirus][MEM-2] @@ -98,7 +98,7 @@ For more information, see [Security][INT-4]. > - [Attack surface reduction][MEM-6] > - [Account protection][MEM-7] -________________________________________________________ +--- ## Next steps diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md index 667695adba..fa6e5c218a 100644 
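Review bot: deleting `set-up-school-pcs-whats-new.md` removes facts that don't obviously live elsewhere, for example that packages `expire 180 days from the date you create them`, that the Skype and Messaging apps are removed from student devices by default, and that apps deployed with Set up School PCs are `configured as non-removable apps`; confirm `use-set-up-school-pcs-app.md`, which this patch also rewrites, carries them. Also grep the repo for links to `set-up-school-pcs-whats-new` beyond the redirect, because the redirect target `/education/windows` is the hub page and any deep link loses its context.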
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md +++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md @@ -1,7 +1,7 @@ --- title: Configure devices with Microsoft Intune description: Learn how to configure policies and applications in preparation for device deployment. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-entra-join.md similarity index 95% rename from education/windows/tutorial-school-deployment/enroll-aadj.md rename to education/windows/tutorial-school-deployment/enroll-entra-join.md index 9cb7370124..e599fca7ac 100644 --- a/education/windows/tutorial-school-deployment/enroll-aadj.md +++ b/education/windows/tutorial-school-deployment/enroll-entra-join.md @@ -1,9 +1,10 @@ --- title: Enrollment in Intune with standard out-of-box experience (OOBE) description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- + # Automatic Intune enrollment via Microsoft Entra join If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune. @@ -21,7 +22,8 @@ With this process, no advance preparation is needed: :::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: -________________________________________________________ +--- + ## Next steps With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md index fa0b05840b..96b10f34cd 100644 
--- a/education/windows/tutorial-school-deployment/enroll-overview.md +++ b/education/windows/tutorial-school-deployment/enroll-overview.md @@ -1,7 +1,7 @@ --- title: Device enrollment overview description: Learn about the different options to enroll Windows devices in Microsoft Intune -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: overview --- @@ -24,7 +24,7 @@ Select one of the following options to learn the next steps about the enrollment > [!div class="op_single_selector"] > - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md) > - [Bulk enrollment with provisioning packages](enroll-package.md) -> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md) +> - [Enroll devices with Windows Autopilot](enroll-autopilot.md) diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md index 0223d55bd5..22f7c70443 100644 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ b/education/windows/tutorial-school-deployment/enroll-package.md @@ -1,7 +1,7 @@ --- title: Enrollment of Windows devices with provisioning packages description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- @@ -49,7 +49,8 @@ All settings defined in the package and in Intune will be applied to the device, :::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false"::: -________________________________________________________ +--- + ## Next steps With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index a5a1998f71..a5fd6fd8da 100644 
--- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -1,7 +1,7 @@ --- title: Introduction to the tutorial deploy and manage Windows devices in a school description: Introduction to deployment and management of Windows devices in education environments. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- @@ -60,7 +60,8 @@ In the remainder of this document, we'll discuss the key concepts and benefits o - **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education - **Device reset:** Resetting managed devices with Intune for Education -________________________________________________________ +--- + ## Next steps Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment. diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md index ff0997fad9..0a51b174b9 100644 --- a/education/windows/tutorial-school-deployment/manage-overview.md +++ b/education/windows/tutorial-school-deployment/manage-overview.md @@ -1,7 +1,7 @@ --- title: Manage devices with Microsoft Intune description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md index 94efd0d46b..028dc739c7 100644 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md 
@@ -1,7 +1,7 @@ --- title: Management functionalities for Surface devices description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial appliesto: - ✅ Surface devices @@ -9,7 +9,7 @@ appliesto: # Management functionalities for Surface devices -Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them. +Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them. ## Manage device firmware for Surface devices 
@@ -27,20 +27,18 @@ When Surface devices are enrolled in cloud management and users sign in for the To access and use the Surface Management Portal: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **All services** > **Surface Management Portal** +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. Select **All services** > **Surface Management Portal** :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true"::: -3. To obtain insights for all your Surface devices, select **Monitor** +1. To obtain insights for all your Surface devices, select **Monitor** - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here -4. To obtain details on each insights category, select **View report** +1. To obtain details on each insights category, select **View report** - This dashboard displays diagnostic information that you can customize and export -5. To obtain the device's warranty information, select **Device warranty and coverage** -6. To review a list of support requests and their status, select **Support requests** +1. To obtain the device's warranty information, select **Device warranty and coverage** +1. To review a list of support requests and their status, select **Support requests** [INT-1]: /intune/configuration/device-firmware-configuration-interface-windows - [MEM-1]: /mem/autopilot/dfci-management - [SURF-1]: /surface/surface-manage-dfci-guide diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md index 1d0edf123a..9646537bac 100644 --- a/education/windows/tutorial-school-deployment/reset-wipe.md 
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md @@ -1,7 +1,7 @@ --- title: Reset and wipe Windows devices description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- @@ -104,6 +104,7 @@ Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4]. + [MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal [MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal [MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md similarity index 99% rename from education/windows/tutorial-school-deployment/set-up-azure-ad.md rename to education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md index cbfcfae2b5..b1ab1cfc12 100644 --- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md @@ -1,7 +1,7 @@ --- title: Set up Microsoft Entra ID description: Learn how to create and prepare your Microsoft Entra tenant for an education environment. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial appliesto: --- 
@@ -86,6 +86,7 @@ There are two options for adding users manually, either individually or in bulk: - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create** For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4]. + ### Create groups Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups: @@ -143,7 +144,7 @@ To allow provisioning packages to complete the Microsoft Entra join process: 1. Select Save :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png"::: -________________________________________________________ +--- ## Next steps diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index f55a5262c3..38dc58b276 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md @@ -1,7 +1,7 @@ --- title: Set up device management description: Learn how to configure the Intune service and set up the environment for education. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial appliesto: --- @@ -74,7 +74,7 @@ To disable Windows Hello for Business at the tenant level: For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. -________________________________________________________ +--- ## Next steps diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml index a332eb8656..8abc013f68 100644 --- a/education/windows/tutorial-school-deployment/toc.yml 
+++ b/education/windows/tutorial-school-deployment/toc.yml @@ -4,7 +4,7 @@ items: - name: 1. Prepare your tenant items: - name: Set up Microsoft Entra ID - href: set-up-azure-ad.md + href: set-up-microsoft-entra-id.md - name: Set up Microsoft Intune href: set-up-microsoft-intune.md - name: 2. Configure settings and applications @@ -20,7 +20,7 @@ items: - name: Overview href: enroll-overview.md - name: Enroll devices via Microsoft Entra join - href: enroll-aadj.md + href: enroll-entra-join.md - name: Enroll devices with provisioning packages href: enroll-package.md - name: Enroll devices with Windows Autopilot diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md index 5e27915802..0d59f1af56 100644 --- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md @@ -1,7 +1,7 @@ --- title: Troubleshoot Windows devices description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services. -ms.date: 08/31/2022 +ms.date: 11/09/2023 ms.topic: tutorial --- 
@@ -25,10 +25,9 @@ Here's a collection of resources to help you troubleshoot Windows devices manage Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop. -Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices. -: +Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices: -- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) - Select **Troubleshooting + support** > **Help and support** :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png"::: - Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365 diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index f9a55de678..2689df63e5 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -2,88 +2,90 @@ title: Use Set up School PCs app description: Learn how to use the Set up School PCs app and apply the provisioning package. ms.topic: how-to -ms.date: 08/10/2022 +ms.date: 11/09/2023 appliesto: - ✅ Windows 10 --- + # Use the Set up School PCs app -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM. +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune. -Set up School PCs also: -* Joins each student PC to your organization's Office 365 and Microsoft Entra tenant. -* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state. -* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time. -* Locks down the student PC to prevent activity that isn't beneficial to their education. +With Set up School PCs you can: -This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). 
+- Joins student devices to your organization's Microsoft Entra tenant +- Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state +- Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time +- Lock down student devices to prevent activity that aren't beneficial to their education -## Requirements -Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements. +This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). -* Office 365 and Microsoft Entra ID -* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40) -* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office -* Student PCs must either: - * Be within range of the Wi-Fi network that you configured in the app. - * Have a wired Ethernet connection when you set them up. +## Requirements -### Configure USB drive for additional space -USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS. -1. Insert the USB drive into your computer. -2. Go to the **Start** > **This PC**. -3. In the **Devices and drives** section, find your USB drive. Right-click to see its options. -4. Select **Format** from the list to bring up the **Format drive name** window. -5. Set **File system** to **NTFS**. -6. Click **Start** to format the drive. 
+Before you begin, make sure that your devices and your school's network are configured with the following requirements: -### Prepare existing PC account for new setup -Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data. +- Microsoft Entra ID and Microsoft 365 licenses +- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40) +- A NTFS-formatted USB drive that is at least 1 GB +- Student devices must either: + - Be within range of the Wi-Fi network that you configured in the app + - Have a wired Ethernet connection when you set them up -If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state. +### Prepare existing PC account for new setup -To begin, go to the **Settings** app on the appropriate PC. -1. Click **Update & Security** > **Recovery**. -2. In the **Reset this PC** section, click **Get started**. -3. Click **Remove everything**. +Apply new packages to factory reset or new devices. If you apply it to a device that's already set up, you may lose the accounts and data. -You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps: -1. Click **Troubleshoot** and then choose **Reset this PC**. -2. Select **Remove everything**. -3. If the option appears, select **Only the drive where Windows is installed**. -4. Click **Just remove my files**. -5. Click **Reset**. +If a device is already set up, and you want to apply a new package, reset the device to a clean state. To reset a device, follow these steps: -## Recommendations -This section offers recommendations to prepare you for the best possible setup experience. -### Run the same Windows 10 build on the admin device and the student PCs -We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs. +1. 
Open the **Settings** app on target device +1. Select **Update & Security** > **Recovery** +1. In the **Reset this PC** section, select **Get started** +1. Select **Remove everything** -### Student PCs should meet OS requirements for the app -Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs. +Alternatively, you can also select **Start** > **Power** icon. Hold down Shift while selecting **Restart** to load the Windows boot user experience: -To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**. +1. Select **Troubleshoot** > **Reset this PC** +1. Select **Remove everything** +1. If the option appears, select **Only the drive where Windows is installed** +1. Select **Just remove my files** +1. Select **Reset** + +## Recommendations + +This section offers recommendations to prepare you for the best possible setup experience. + +### Run the same Windows uild on the admin device and the student devices + +We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices. + +### Student devices must meet OS requirements for the app + +Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices. + +To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**. ### Use app on a PC that is connected to your school's network + We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. 
If it's not connected, you'll need to enter the information manually. - > [!NOTE] - > Don't use the **Set up Schools PCs** app for PCs that must connect to: - >* Enterprise networks that require the user to accept Terms of Use. - >* Open Wi-Fi networks that require the user to accept Terms of Use. +>[!NOTE] +>Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use. ### Run app on an open network or network that requires a basic password -Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. -We recommend that you: -* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously. -* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. +Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. -> > [!WARNING] -> > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. +We recommend that you: -### Use an additional USB drive -To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. +- Configure your DHCP so at least 200 IP addresses are available for your devices. 
Having available IP addresses will allow you to set up many devices simultaneously +- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. + +>[!WARNING] +>Only use the provisioning package on devices that you want to configure and lock down for students. After you apply the provisioning package to a student device, the PC must be reset to remove the settings. + +### Use an additional USB drive + +To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. ### Limit changes to school-optimized settings 
@@ -91,191 +93,172 @@ We strongly recommend that you avoid changing preset policies. Changes can slow ## Create the provisioning package -The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**. - - ![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png) +The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**. + +![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png) + +### Package name -### Package name Type a unique name to help distinguish your school's provisioning packages. The name appears: -* On the local package folder -* In your tenant's Microsoft Entra account in the Azure portal +- On the local package folder +- In your tenant's Microsoft Entra account in the Azure portal -A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package. +A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package. ![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png) -After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app. +After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app. To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. 
If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there. - ### Sign in -1. Select how you want to sign in. - a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3. - b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network). -2. In the new window, select the account you want to use throughout setup. +1. Select how you want to sign in + 1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3 + 1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network) +1. In the new window, select the account you want to use throughout setup. ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png) To add an account not listed: - a. Click **Work or school account** > **Continue**. - b. Type in the account username and click **Next**. - c. Verify the user account and password, if prompted. + 1. Select **Work or school account** > **Continue**. + 1. Type in the account username and select **Next**. + 1. Verify the user account and password, if prompted. - -3. Click **Accept** to allow Set up School PCs to access your account throughout setup. -2. When your account name appears on the page, as shown in the image below, click **Next.** +1. 
Select **Accept** to allow Set up School PCs to access your account throughout setup +1. When your account name appears on the page, select **Next** ![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png) ### Wireless network -Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. -Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** +Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. + +Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next** ![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png) ### Device names -Create a short name to add as a prefix to each PC. This name will help you recognize and manage this specific group of devices in your mobile device manager. The name must be five (5) characters or less. -To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers. +Create a name to add as a prefix to each device. This name will help you recognize and manage this group of devices in Intune. -To keep the default name for your devices, click **Continue with existing names**. +To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. 
For example, if you add *MATH4* as the prefix, the device names will appear as *MATH4* followed by the device serial number. + +To keep the default name for your devices, select **Continue with existing names**. !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png) - - ### Settings -Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. + +Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. ![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png) -Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10. - +Setting selections vary based on the OS version you select. ![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png) +The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. -> [!NOTE] -> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot above, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, **Time zone** will become disabled. +| Setting | What happens if I select it? 
| Note | +|--|--|--| +| Remove apps pre-installed by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. | +| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device will be shared between different students. | +| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +| Let guests sign in to these PCs | Allows guests to use student PCs without a school account. | Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to. | +| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met. | +| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. | | -The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. 
- -|Setting |1703|1709|1803|1809|What happens if I select it? |Note| -|---------|---------|---------|---------|---------|---------|---------| -|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| -|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.| -|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | -|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| -|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| -|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| - -After you've made your selections, click **Next**. +After you've made your selections, select **Next**. 
### Time zone > [!WARNING] > If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. -Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. +Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. ![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png) -### Product key -Optionally, type in a 25-digit product key to: -* Upgrade your current edition of Windows. For example, if you want to upgrade from Windows 10 Education to Windows 10 Education Pro, enter the product key for the Pro edition. -* Change the product key. If you want to associate student devices with a new or different Windows 10 product key, enter it now. +### Product key + +Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**. ![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png) -### Take a Test -Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device. +### Take a Test -1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs. +Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student devices so that students can't access anything else on the device. 
- ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png) +1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' devices -2. Select from the advanced settings. Available settings include: - * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard. - * Allow teachers to monitor online tests: Enables screen capture in the Take a Test app. -3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment. -4. Click **Next**. + ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png) -### Add apps -Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu. +1. Select from the advanced settings. Available settings include: + - Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard + - Allow teachers to monitor online tests: Enables screen capture in the Take a Test app +1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment +1. Select **Next** -If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later. 
+### Personalization -After you've made your selections, click **Next**. +Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. +If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images. - ![Example screenshots of the Add apps screen with selection of recommended apps and school inventory apps.](images/suspcs/1812_Add_Apps_SUSPC.png) +![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png) -The following table lists the recommended apps you'll see. +### Summary -|App |Note | -|---------|---------| -|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. | -|Microsoft Whiteboard | None| -|Minecraft: Education Edition | Free trial| +Review all of the settings for accuracy and completeness +1. To make changes now, select any page along the left side of the window +2. When finished, select **Accept** +![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png) -### Personalization -Upload custom images to replace the student devices' default desktop and lock screen backgrounds. 
Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. - -If you don't want to upload custom images or use the images that appear in the app, click **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images. - - ![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png) - - -### Summary -Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. -1. To make changes now, click any page along the left side of the window. -2. When finished, click **Accept**. - - ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png) +> [!NOTE] +> To make changes to a saved package, you have to start over. ### Insert USB -1. Insert a USB drive. The **Save** button will light up when your computer detects the USB. -2. Choose your USB drive from the list and click **Save**. - ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png) +1. Insert a USB drive. The **Save** button will light up when your computer detects the USB +1. Choose your USB drive from the list and select **Save** -3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. 
+ ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png) - ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png) +1. When the package is ready, you'll see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next** -## Run package - Get PCs ready -Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**. - - ![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png) +![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png) + +## Run package - Get PCs ready + +Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**. + +![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png) ## Run package - Install package on PC -The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device. +The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device. -When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. 
The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school. +When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school. > [!IMPORTANT] -> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). +> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). -1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?** +1. Start with the student device turned off or with the device on the first-run setup screen. If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC** - If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - - ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. 
United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png) + ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png) -2. Insert the USB drive. Windows automatically recognizes and installs the package. - - ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png) -3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC. +1. Insert the USB drive. Windows automatically recognizes and installs the package + + ![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png) + +1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one ![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png) -4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required. +1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required - If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. 
Upon first use, students and teachers can connect to your school's network and resources. +If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources. From e1a74147d19c4a6041df2a0f5bfe8459e077362f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 9 Nov 2023 16:57:15 -0500 Subject: [PATCH 072/114] updates --- .openpublishing.redirection.education.json | 8 ++--- .../enroll-overview.md | 2 +- .../tutorial-school-deployment/index.md | 2 +- .../windows/use-set-up-school-pcs-app.md | 36 +++++++++---------- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json index 11fc9cd312..9b57ae9f30 100644 --- a/.openpublishing.redirection.education.json +++ b/.openpublishing.redirection.education.json @@ -161,13 +161,13 @@ "redirect_document_id": false }, { - "source_path": "education/windows/enroll-aadj.md", - "redirect_url": "/education/windows/enroll-entra-join", + "source_path": "education/windows/tutorial-school-deployment/enroll-aadj.md", + "redirect_url": "/education/windows/tutorial-school-deployment/enroll-entra-join", "redirect_document_id": false }, { - "source_path": "education/windows/set-up-azure-ad.md", - "redirect_url": "/education/windows/set-up-microsoft-entra-id", + "source_path": "education/windows/tutorial-school-deployment/set-up-azure-ad.md", + "redirect_url": "/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id", "redirect_document_id": false }, { diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md index 96b10f34cd..8410be0db9 100644 --- a/education/windows/tutorial-school-deployment/enroll-overview.md 
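Review bot: In the Settings section of the use-set-up-school-pcs-app.md rewrite above, the retained intro sentence "The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column." no longer matches the new table, which has only the Setting, "What happens if I select it?" and Note columns and no version columns or *X* marks; either drop the second sentence and the "lists the applicable Windows 10 versions" clause, or keep the per-version columns from the removed table. In the same table, the "Lock screen background" row ends with `| |`, which adds a fourth empty cell to a three-column table and should be a single trailing `|`. Also, in the "Install package on PC" section, the rewritten line "The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg" carries over an unbalanced parenthesis; it should read "...(Expires <*expiration date*>).ppkg" if that is the actual file name.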
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md @@ -22,7 +22,7 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's Select one of the following options to learn the next steps about the enrollment method you chose: > [!div class="op_single_selector"] -> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md) +> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md) > - [Bulk enrollment with provisioning packages](enroll-package.md) > - [Enroll devices with Windows Autopilot](enroll-autopilot.md) diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index a5fd6fd8da..6ddb3c8c54 100644 --- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -67,7 +67,7 @@ In the remainder of this document, we'll discuss the key concepts and benefits o Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment. > [!div class="nextstepaction"] -> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md) +> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 2689df63e5..d6b1fa3e62 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -54,7 +54,7 @@ Alternatively, you can also select **Start** > **Power** icon. Hold down Sh This section offers recommendations to prepare you for the best possible setup experience. -### Run the same Windows uild on the admin device and the student devices +### Run the same Windows build on the admin device and the student devices We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices. 
@@ -66,7 +66,7 @@ To check the app's OS requirements, go to the Microsoft Store and locate the Set ### Use app on a PC that is connected to your school's network -We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually. +We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually. >[!NOTE] >Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use. @@ -77,8 +77,8 @@ Don't use Set up School PCs over a certificate-based network, or one where you h We recommend that you: -- Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously -- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. +- Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses allow you to set up many devices simultaneously +- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses free up quickly so you can continue to set up devices without network issues. >[!WARNING] >Only use the provisioning package on devices that you want to configure and lock down for students. After you apply the provisioning package to a student device, the PC must be reset to remove the settings. 
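Review bot: In the @@ -77 hunk, the rewritten bullet "Having available IP addresses allow you to set up many devices simultaneously" introduces a subject-verb mismatch; the subject is "Having", so it should read "Having available IP addresses allows you to set up many devices simultaneously". While in the @@ -66 hunk, the unchanged NOTE directly below the edited paragraph has "open Wi-Fi networds that require the user to accept Terms of Use", which should be "networks".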
@@ -110,7 +110,7 @@ A package expiration date is also attached to the end of each package. For examp After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app. -To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there. +To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there. ### Sign in @@ -141,9 +141,9 @@ Select your organization's Wi-Fi network from the list of available wireless net ### Device names -Create a name to add as a prefix to each device. This name will help you recognize and manage this group of devices in Intune. +Create a name to add as a prefix to each device. This name helps you recognize and manage this group of devices in Intune. -To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *MATH4* as the prefix, the device names will appear as *MATH4* followed by the device serial number. +To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *MATH4* as the prefix, the device names appear as *MATH4* followed by the device serial number. To keep the default name for your devices, select **Continue with existing names**. 
@@ -151,7 +151,7 @@ To keep the default name for your devices, select **Continue with existing names ### Settings -Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. +Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs. ![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png) 
@@ -163,12 +163,12 @@ The following table describes each setting and lists the applicable Windows 10 v | Setting | What happens if I select it? | Note | |--|--|--| -| Remove apps pre-installed by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. | -| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device will be shared between different students. | -| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +| Remove apps preinstalled by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. | +| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device are shared between different students. | +| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device are shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. 
| | Let guests sign in to these PCs | Allows guests to use student PCs without a school account. | Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to. | -| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met. | -| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. | | +| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | WinRE must be enabled on the device. | +| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. | After you've made your selections, select **Next**. 
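Review bot: In the @@ -163 hunk, the rewritten notes "Not recommended if the device are shared between different students." and "Recommended if the device are shared between different students." are ungrammatical; use "if the device is shared" (or "if devices are shared") in both rows. The second of those rows is the "Optimize device for a single student, instead of a shared cart or lab" setting, so "Recommended if the device is shared" reads as the opposite of what the setting is for; please confirm whether "Not recommended" was intended there before merging the wording change.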
@@ -177,7 +177,7 @@ After you've made your selections, select **Next**. > [!WARNING] > If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. -Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. +Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**. ![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png) @@ -205,7 +205,7 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. -If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images. +If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images. ![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png) 
@@ -223,12 +223,12 @@ Review all of the settings for accuracy and completeness ### Insert USB -1. Insert a USB drive. The **Save** button will light up when your computer detects the USB +1. Insert a USB drive. The **Save** button lights up when your computer detects the USB 1. Choose your USB drive from the list and select **Save** ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png) -1. When the package is ready, you'll see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next** +1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next** ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png) 
@@ -247,7 +247,7 @@ When used in context of the Set up School PCs app, the word *package* refers to > [!IMPORTANT] > The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup). -1. Start with the student device turned off or with the device on the first-run setup screen. If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC** +1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC** ![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png) From f35df22c9f9fb884d84ff76574bf6bb8552d09c6 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 9 Nov 2023 14:13:58 -0800 Subject: [PATCH 073/114] Attempt to correct lack of indentation of content in a list item Unfortunately, using includes for the content before this table is likely to prevent proper formatting. --- education/windows/edu-stickers.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index e15caa2a1a..3ac82d2b7c 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md 
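Review bot: In the @@ -247 hunk, the rewritten step 1 has a typo, "To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**"; it should read "To reset it, go to". The unchanged IMPORTANT note in the same hunk has two more worth fixing while here: "must not already have been through first-run setup experience" is missing "the", and "reset a devices's image" should be "device's".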
@@ -31,9 +31,9 @@ Stickers aren't enabled by default. Follow the instructions below to configure y [!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] -| Setting | -|--------| -|
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
  • | + | Setting | + |--------| + |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
  • | [!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] [!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] From c2f71410f8e40b57d37121be0af3bd3b5ba76c69 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Nov 2023 07:54:48 -0500 Subject: [PATCH 074/114] Firewall checklists - freshness --- ...e-based-isolation-policy-design-example.md | 19 ++++---- ...rtificate-based-isolation-policy-design.md | 19 +++----- ...ange-rules-from-request-to-require-mode.md | 40 +++++++--------- ...ist-configuring-basic-firewall-settings.md | 13 ++--- ...uring-rules-for-an-isolated-server-zone.md | 31 +++++------- ...rs-in-a-standalone-isolated-server-zone.md | 27 +++++------ ...configuring-rules-for-the-boundary-zone.md | 13 ++--- ...nfiguring-rules-for-the-encryption-zone.md | 17 +++---- ...nfiguring-rules-for-the-isolated-domain.md | 28 +++++------ ...checklist-creating-group-policy-objects.md | 15 +++--- ...ecklist-creating-inbound-firewall-rules.md | 28 +++-------- ...cklist-creating-outbound-firewall-rules.md | 27 +++-------- ...ts-of-a-standalone-isolated-server-zone.md | 25 +++++----- ...ementing-a-basic-firewall-policy-design.md | 26 +++++----- ...rtificate-based-isolation-policy-design.md | 15 +++--- ...enting-a-domain-isolation-policy-design.md | 21 ++++---- ...andalone-server-isolation-policy-design.md | 13 ++--- .../windows-firewall/server-isolation-gpos.md | 22 +++++---- .../server-isolation-policy-design-example.md | 48 +++++++++---------- .../server-isolation-policy-design.md | 29 +++++------ 20 files changed, 196 insertions(+), 280 deletions(-) 
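Review bot: a two-space indent only nests the table under the preceding list item if that item's marker is two characters wide; for a "1. " marker the continuation content needs three spaces (or four under a four-space convention), otherwise the table ends the list. Because the list item itself comes from intune-custom-settings-1.md, the indent in this file cannot be checked against the marker in the source, so verify the rendered page; if it cannot be made to line up, move the table into the include, as the commit message already anticipates.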
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md index 64cb140f2e..8a453cd437 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -3,12 +3,11 @@ title: Certificate-based Isolation Policy Design Example description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- # Certificate-based Isolation Policy Design Example - This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it's considered unsolicited inbound traffic to the devices that receive this information. 
@@ -27,20 +26,22 @@ The creation of the IPsec connection security rules for a non-Windows device is The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates. -**Other traffic notes:** +### Other traffic notes -- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device. +- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device. ## Design details Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization. -The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules. +The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory-supported Kerberos V5 authentication. This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules. -When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. 
Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. +When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. -With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. +With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG_COMPUTER_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. -Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. 
+Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG_COMPUTER_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. -**Next:** [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +> [!div class="nextstepaction"] +> +> [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md index 1af80586c7..f55fd96a04 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md 
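Review bot: "This certificate-based authoring doesn't require including new rules" is carried over unchanged but reads as a slip for "certificate-based authentication"; since the sentence is already being rewritten in this hunk, fix the word here. Also, "**Other traffic notes:**" becomes "### Other traffic notes", which assumes the section above it is an H2; check the heading level against the surrounding structure so the new H3 does not sit under an H1.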
@@ -3,12 +3,11 @@ title: Certificate-based Isolation Policy Design description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- # Certificate-based isolation policy design - In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices can't join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows can't join a domain for various reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. 
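Review bot: the front-matter description still reads "how it defers from Domain Isolation and Server Isolation Policy Design"; "defers" should be "differs". This hunk only bumps ms.date, but it is already touching the front matter, so fix the description in the same change.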
@@ -21,14 +20,8 @@ For Windows devices that are part of an Active Directory domain, you can use Gro For more info about this design: -- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - -- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). - -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - -- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). - -- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). - - +- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). 
+- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). +- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md index 12465d4121..cbfaffb255 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md 
@@ -2,49 +2,41 @@ title: Change Rules from Request to Require Mode description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 +ms.topic: how-to +ms.date: 11/10/2023 --- # Change Rules from Request to Require Mode - After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain. -**Administrative credentials** - To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. In this topic: -- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode) - -- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices) +- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode) +- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices) ## To convert a rule from request to require mode -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the right navigation pane, click **Connection Security Rules**. - -3. In the details pane, double-click the connection security rule that you want to modify. - -4. Click the **Authentication** tab. - -5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**. +1. 
Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +1. In the right navigation pane, click **Connection Security Rules** +1. In the details pane, double-click the connection security rule that you want to modify +1. Click the **Authentication** tab +1. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK** ## To apply the modified GPOs to the client devices -1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt: +1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt: - ``` syntax - gpupdate /force + ``` cmd + gpupdate.exe /force ``` -2. To verify that the modified GPO is correctly applied to the client devices, you can run the following command: +1. To verify that the modified GPO is correctly applied to the client devices, you can run the following command: - ``` syntax - gpresult /r /scope computer + ``` cmd + gpresult.exe /r /scope computer ``` -3. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device. +1. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device. 
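Review bot: the trailing periods were dropped from the five steps under "To convert a rule from request to require mode" but kept on the three steps under "To apply the modified GPOs to the client devices"; pick one convention for the page. Also, now that every item is numbered "1.", the fenced gpupdate.exe and gpresult.exe blocks must keep the list's indentation (three spaces for a "1. " marker) or the list restarts at 1 after each block; confirm this in the rendered preview.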
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md index 4fb018d543..9b1d50eb96 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md 
@@ -3,18 +3,15 @@ title: Checklist Configuring Basic Firewall Settings description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Configuring Basic Firewall Settings +# Checklist: configure basic firewall settings - -This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. - -**Checklist: Configuring firewall defaults and settings** +This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules: | Task | Reference | | - | - | -| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| | Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | -| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)| +| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)| 
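Review bot: the H1 is changed to sentence case ("Checklist: configure basic firewall settings") but the `title:` front matter on the same page still reads "Checklist Configuring Basic Firewall Settings", so the browser title and the rendered heading now disagree; update `title:` to match. The same mismatch appears in the other checklist pages in this commit whose H1 was changed to sentence case.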
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index bc3c7307e6..eeacecbac9 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md 
@@ -3,35 +3,30 @@ title: Checklist Configuring Rules for an Isolated Server Zone description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Configuring Rules for an Isolated Server Zone - +# Checklist: configure rules for an isolated server zone The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they're enforced at the application layer, rather than the IP layer. -Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. - The GPOs for an isolated server or group of servers are similar to those GPOs for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules and restrictions that allow only members of the NAG to connect to the server. 
-**Checklist: Configuring rules for isolated servers** - | Task | Reference | | - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
    Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Create a rule that requests authentication for all network traffic.
    **Important:** As in an isolated domain, don't set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| -| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
    Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO's element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone's membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Create a rule that requests authentication for all network traffic.
    **Important:** As in an isolated domain, don't set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 3157528b1b..e9eccb33bf 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md 
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md 
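Review bot: deleting the AuthIP paragraph removes the only explanation of how IPsec can identify users, not just devices, in the NAG; the sentence kept before it ("If you include user accounts in the NAG, then the restrictions can still apply; they're enforced at the application layer, rather than the IP layer") now stands without the mechanism behind it. If the aim is to drop the obsolete Windows Vista / Windows Server 2008 reference, keep the second sentence ("AuthIP adds support for user-based authentication") in version-neutral form rather than removing the whole paragraph.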
@@ -3,32 +3,29 @@ title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Z description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone - +# Checklist: configure rules for servers in a standalone isolated server zone This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). The GPOs for isolated servers are similar to those GPOs for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. -**Checklist: Configuring rules for isolated servers** - | Task | Reference | | - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. 
| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | -| Create a rule that requests authentication for all inbound network traffic.

    **Important:** As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Create a rule that requests authentication for all inbound network traffic.

    **Important:** As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| | Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | -| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| - +| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone's NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. 
| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| + Don't change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index e25ea92a07..2196325d31 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md 
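Review bot: in the isolated-server-zone hunk the blank line that separated the task table from the closing paragraph is dropped (the removed `- ` line before `+| Create a firewall rule …`), so `Don't change the rules for any of your zones to require authentication …` now sits directly under the last table row and GFM will render it as a one-cell table row; keep a blank line before that sentence. The `**Important:**` note inside the `Create a rule that requests authentication for all inbound network traffic` cell also spans a line break, which splits the table; either join it to the cell with `<br>` or move it out of the table as a `> [!IMPORTANT]` alert, the style the outbound-rules file in this same patch adopts.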
@@ -3,24 +3,21 @@ title: Checklist Configuring Rules for the Boundary Zone description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Configuring Rules for the Boundary Zone - +# Checklist: configure rules for the boundary zone The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. -**Checklist: Configuring boundary zone rules** - This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs. | Task | Reference | | - | - | | Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. 
Unlike the GPO for the main isolated domain zone, this copy isn't changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | | If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
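Review bot: the three rewritten rows in the boundary-zone hunk (`Link the GPO …`, `Add your test computers …`, `Verify that …`) are whitespace-only changes, so while they are touched the link text `Add Test Computers to the Membership Group for a Zone` should be aligned with its target file, add-test-devices-to-the-membership-group-for-a-zone.md, and with the `Add Test Devices …` wording the isolated-server-zone checklist uses; `test computers` in the task text should likewise become `test devices` for consistency. Note also that the blank line between the new `# Checklist: configure rules for the boundary zone` heading and `The following checklists include …` is removed; it renders, but the other files keep that blank line.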
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 50823a255b..8916500bda 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md 
@@ -3,25 +3,22 @@ title: Checklist Configuring Rules for the Encryption Zone description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Configuring Rules for the Encryption Zone - +# Checklist: configure rules for the encryption zone This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. -**Checklist: Configuring encryption zone rules** - This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. | Task | Reference | | - | - | -| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | Modify the group memberships and WMI filters so that they're correct for the encryption zone and the version of Windows for which this GPO is intended. 
| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 6b3a358d07..51f6cb3c93 100644 
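Review bot: the encryption-zone hunk still ends with `Verify that the connection security rules are protecting network traffic` pointing only at `Verify That Network Traffic Is Authenticated`, yet the intro of the same hunk says the main rule for this zone `requires encryption in addition to authentication`; the verification task should state that encryption is confirmed as well, not just authentication, or the gap should be called out in the row. As in the boundary-zone file, the `Add Test Computers …` link text does not match the add-test-devices-to-the-membership-group-for-a-zone.md target and the `Add Test Devices …` wording used elsewhere in this patch.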
--- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -3,29 +3,25 @@ title: Checklist Configuring Rules for the Isolated Domain description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Configuring Rules for the Isolated Domain - +# Checklist: configure rules for the isolated domain The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. -**Checklist: Configuring isolated domain rules** - | Task | Reference | | - | - | -| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| Verify that the connection security rules are protecting network traffic to and from the test computers. 
| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| - +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. 
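Review bot: the isolated-domain hunk removes the blank line between the table and the context sentence `Don't change the rules for any of your zones to require authentication until all of the zones have been set up …` (the removed `- ` before `+| Configure IPsec …`), so that sentence will be parsed as a trailing table row; restore the blank line. The rows themselves are whitespace-only rewrites, so this is also the place to reconcile `Link the GPO to the domain level of the AD DS organizational unit hierarchy` with the `Active Directory organizational unit hierarchy` wording the server-zone checklists in this patch use; pick one term.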
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md index 82e9ed2a65..c9a715cfbc 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md 
@@ -3,19 +3,18 @@ title: Checklist Creating Group Policy Objects description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Creating Group Policy Objects +# Checklist: Create group policy objects (GPOs) - -To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group. +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group. The checklists for firewall, domain isolation, and server isolation include a link to this checklist. ## About membership groups -For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. 
To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. ## About exclusion groups 
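Review bot: in the `About membership groups` hunk the example sentence listing the Windows versions that are incompatible with `Windows 2000, Windows XP, and Windows Server 2003` is deleted, but the next sentence is kept unchanged: `Therefore, if your network included those older operating systems you would need to create a GPO …`. `those older operating systems` now has no antecedent, and `you might have five different GPOs for the versions of Windows discussed in this guide` is no longer backed by any list; either drop the `Therefore …` sentence or reword both to refer generically to operating systems with differing settings. Separately, the new heading `# Checklist: Create group policy objects (GPOs)` lowercases the product name that the body writes as `Group Policy`, and uses a capital `Create` where the other headings in this patch use lowercase (`configure rules …`, `create inbound firewall rules`).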
@@ -23,12 +22,10 @@ A Windows Defender Firewall with Advanced Security design must often take into a You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. -**Checklist: Creating Group Policy objects** - | Task | Reference | | - | - | -| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| -| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
    If some devices in the membership group are running an operating system that doesn't support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that can't be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md index 38fdcd2fc4..5afd360e1a 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md 
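Review bot: the rewritten `Create the membership group in AD DS …` row drops the only task that told the reader to create an exclusion group (the removed `If some devices in the membership group are running an operating system that doesn't support WMI filters, such as Windows 2000, create an exclusion group …`), yet the unchanged `Create security group filters …` row still instructs `to exclude devices that are members of the exclusion group`, and the `About exclusion groups` text above still describes using a zone's membership group as an exclusion group. Either add a task row for creating or designating the exclusion group (pointing at `Create a Group Account in Active Directory`), or make the filter row reference the `About exclusion groups` section so the term is defined before it is used.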
@@ -3,31 +3,17 @@ title: Checklist Creating Inbound Firewall Rules description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Creating Inbound Firewall Rules - +# Checklist: create inbound firewall rules This checklist includes tasks for creating firewall rules in your GPOs. -**Checklist: Creating inbound firewall rules** - | Task | Reference | | - | - | -| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| -| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| -| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| -| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| -| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| - -  - -  - -  - - - - - +| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| +| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| +| Create a rule that allows inbound ICMP network traffic. 
| [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| +| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md index 88c2eccca0..d6d1525053 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md 
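Review bot: the intro kept as context in the inbound-rules hunk, `This checklist includes tasks for creating firewall rules in your GPOs.`, should say `inbound firewall rules` to match the title, the `description:` metadata (`Use these tasks for creating inbound firewall rules …`) and the parallel wording in the outbound-rules file (`tasks for creating outbound firewall rules`). Removing the trailing non-breaking-space lines is good; the five task rows are otherwise whitespace-only changes.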
@@ -3,31 +3,18 @@ title: Checklist Creating Outbound Firewall Rules description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Creating Outbound Firewall Rules - +# Checklist: create outbound firewall rules This checklist includes tasks for creating outbound firewall rules in your GPOs. ->**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. - -**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** +> [!IMPORTANT] +> By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization's network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. | Task | Reference | | - | - | -| Create a rule that allows a program to send any outbound network traffic on any port it requires. 
| [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| -| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| -| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| - -  - -  - -  - - - - - +| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| +| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index ebd45a7ede..4d8a44fecc 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md 
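Review bot: the new `> [!IMPORTANT]` alert in the outbound-rules hunk recommends creating outbound allow rules and then setting `the default outbound behavior to block`, but the checklist that follows has no task for either creating a block rule or changing the default outbound action; it only lists allow-by-program, allow-by-port and predefined rules. Add a row that points to the procedure for changing the default outbound behaviour, or soften the alert so it does not promise a step the checklist never covers. The rest of the hunk (dropping the OS-version list from the removed `**Checklist: Creating outbound firewall rules for Windows 8, …**` pseudo-heading and the stray non-breaking-space lines) looks right.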
@@ -3,25 +3,22 @@ title: Create Rules for Standalone Isolated Server Zone Clients description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone - +# Checklist: Create rules for clients of a standalone isolated server zone This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. -**Checklist: Configuring isolated server zone client rules** - | Task | Reference | | - | - | -| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test devices to the NAG for the isolated server zone. 
Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
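Review bot: the new heading `# Checklist: Create rules for clients of a standalone isolated server zone` is no longer followed by a blank line, because the `-` line removes the empty line that separated it from "This checklist includes tasks ..."; keep one blank line after the heading (markdownlint MD022 flags headings without surrounding blank lines). While the table is being rewritten, the first row's "that are running one of the versions of Windows" says nothing about which versions; "a supported version of Windows" would be clearer.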
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 7432f4448f..3d970485cf 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md 
@@ -3,28 +3,26 @@ title: Checklist Implementing a Basic Firewall Policy Design description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Implementing a Basic Firewall Policy Design - +# Checklist: implement a basic firewall policy design This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). - **Checklist: Implementing a basic firewall policy design** - | Task | Reference | | - | - | -| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Basic Firewall Policy Design](basic-firewall-policy-design.md)
    [Firewall Policy Design Example](firewall-policy-design-example.md)
    [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| -| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| -| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| -| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Basic Firewall Policy Design](basic-firewall-policy-design.md)
    [Firewall Policy Design Example](firewall-policy-design-example.md)
    [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| +| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| +| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| +| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index a0fabcc4f5..edbfae8e7f 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -3,23 +3,20 @@ title: Checklist Implementing a Certificate-based Isolation Policy Design description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Implementing a Certificate-based Isolation Policy Design - +# Checklist: implement a certificate-based isolation policy design This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. > [!NOTE] > Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist -**Checklist: Implementing certificate-based authentication** - | Task | Reference | | - | - | | Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
    [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
    [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | -| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| | -| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| -| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| -| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| | +| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| +| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| +| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| 
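Review bot: the AD CS row still has an empty Reference cell (`| |`) after the whitespace-only rewrite; since every other row links a procedure, either add a reference for installing the AD CS role or state "None" so the empty cell doesn't read as a broken link. Also, the `[!NOTE]` text in the unchanged context ends without a period ("... remaining tasks in this checklist"), unlike the identical note in the basic firewall checklist.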
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index dfd0e45e2c..46079fc693 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -3,11 +3,10 @@ title: Checklist Implementing a Domain Isolation Policy Design description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Implementing a Domain Isolation Policy Design - +# Checklist: implementing a domain isolation policy design This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. 
@@ -16,14 +15,12 @@ This parent checklist includes cross-reference links to important concepts about The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). -**Checklist: Implementing a domain isolation policy design** - | Task | Reference | | - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Domain Isolation Policy Design](domain-isolation-policy-design.md)
    [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
    [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | -| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| -| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| -| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| -| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| -| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| -| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| +| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Domain Isolation Policy Design](domain-isolation-policy-design.md)
    [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
    [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| +| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| +| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| +| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| +| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index f015a7e0c1..45e296691a 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md 
+++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -3,11 +3,10 @@ title: Checklist Implementing a Standalone Server Isolation Policy Design description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Checklist: Implementing a Standalone Server Isolation Policy Design - +# Checklist: implementing a standalone server isolation policy design This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). @@ -16,13 +15,11 @@ This parent checklist includes cross-reference links to important concepts about > [!NOTE] > Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. -**Checklist: Implementing a standalone server isolation policy design** - | Task | Reference | | - | - | | Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Server Isolation Policy Design](server-isolation-policy-design.md)
    [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
    [Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| -| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| -| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| -| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| +| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| +| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. 
| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| | According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md index 4cf32d44c0..8ac3b50872 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md 
@@ -3,23 +3,25 @@ title: Server Isolation GPOs description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 11/10/2023 --- # Server Isolation GPOs +Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The *Woodgrove Bank* example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. *Woodgrove Bank* copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. -Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. +All of the device accounts for devices in the SQL Server server isolation zone are added to the group *CG_SRVISO_WGBANK_SQL*. This group is granted **Read** and **Apply Group Policy** permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices aren't expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. 
-All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices aren't expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. +## GPO_SRVISO -## GPO\_SRVISO +This GPO is identical to the *GPO_DOMISO_Encryption* GPO with the following changes: +- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs-granted permissions include *CG_NAG_SQL_Users* and *CG_NAG_SQL_Computers*. -This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following changes: +## Next steps -- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs-granted permissions include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. - - >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect. - -**Next:** [Planning GPO Deployment](planning-gpo-deployment.md) +> [!div class="nextstepaction"] +> Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. +> +> +> [Plan GPO Deployment >](planning-gpo-deployment.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md index e1129a36b1..2a049a459f 100644 
--- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md 
@@ -3,15 +3,14 @@ title: Server Isolation Policy Design Example description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 11/10/2023 --- # Server Isolation Policy Design Example +This design example continues to use the fictitious company *Woodgrove Bank*, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. -This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. - -In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide extra protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. These rules and regulations include a requirement to prevent interception of and access to the information when it is in transit over the network. +In addition to the protections provided by the firewall and domain isolation, *Woodgrove Bank* wants to provide extra protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. 
These rules and regulations include a requirement to prevent interception of and access to the information when it is in transit over the network. The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, aren't considered sensitive for the purposes of the government regulations, because they're processed to remove sensitive elements before transmitting the data to the client devices. @@ -23,7 +22,7 @@ Server isolation can also be deployed by itself, to only the devices that must p In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG. -If you don't have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you don't have an Active Directory domain, you can't use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. +If you don't have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you don't have an Active Directory domain, you can't use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. ## Design requirements 
@@ -33,39 +32,38 @@ The following illustration shows the traffic protection needs for this design ex ![isolated server example.](images/wfas-design3example1.gif) -1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. These accounts include the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it's sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). +1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. These accounts include the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it's sent from an authorized computer. Authorization is determined by membership in a network access group (NAG) +1. All network traffic to and from the SQL Server devices must be encrypted +1. Client devices or users whose accounts aren't members of the NAG can't access the isolated servers -2. All network traffic to and from the SQL Server devices must be encrypted. +### Other traffic notes -3. Client devices or users whose accounts aren't members of the NAG can't access the isolated servers. - -**Other traffic notes:** - -- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. - -- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced. 
+- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced +- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced ## Design details -Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network. +*Woodgrove Bank* uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network. As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all devices that run Windows were added to the correct groups. -- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they're using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. +- **CG_SRVISO_WGBANK_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG_NAG_SQL_USERS can access the server, and only when they're using a computer that is a member of the group CG_NAG_SQL_COMPUTERS. ->**Note:**  You can design your GPOs in nested groups. 
For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. + > [!NOTE] + > You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. -  -Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. 
+ Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. -- **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers. +- **CG_NAG_SQL_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers. +- **CG_NAG_SQL_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members. -- **CG\_NAG\_SQL\_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members. +> [!NOTE] +> You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. ->**Note:**  You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. 
- -If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this task, all the devices that are authorized to access the isolated server also have the required connection security rules. +If Woodgrove Bank wants to implement server isolation without domain isolation, the *CG_NAG_SQL_COMPUTERS* group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this task, all the devices that are authorized to access the isolated server also have the required connection security rules. You don't have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contains connection security rules to support encryption. -**Next:** [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) +> [!div class="nextstepaction"] +> +> [Certificate-based Isolation Policy Design Example >](certificate-based-isolation-policy-design-example.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md index 327863f5ac..c3a7d7762f 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md 
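Review bot: In the `@@ -33,39 +32,38 @@` hunk of server-isolation-policy-design-example.md, the paragraph "Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer..." has been indented, which makes it a continuation of the **CG_SRVISO_WGBANK_SQL** list item rather than the lead-in to the two NAG bullets that follow; dedent it back to a top-level paragraph so the NAG bullets read as their own list. In the same hunk, the new next-step link text carries a stray trailing character, `[Certificate-based Isolation Policy Design Example >](certificate-based-isolation-policy-design-example.md)`, while the identical construct added to server-isolation-policy-design.md in this patch has none; drop the ` >` for consistency. Minor: the group name is bolded as a list label (**CG_NAG_SQL_COMPUTERS**) but italicized in running text (*CG_NAG_SQL_COMPUTERS*); pick one convention.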
@@ -3,12 +3,11 @@ title: Server Isolation Policy Design description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. ms.prod: windows-client ms.topic: conceptual -ms.date: 09/08/2021 +ms.date: 11/10/2023 --- # Server Isolation Policy Design - In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have more security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. These restrictions and requirements can be done on a per-server basis, or for a group of servers that share common security requirements. 
@@ -21,11 +20,9 @@ The design is shown in the following illustration, with arrows that show the per Characteristics of this design include: -- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones. - -- Isolated servers (area B) - Devices in the server isolation zones restrict access to devices, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. - -- Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. The diagram illustrates the concept as a subset for conceptual purposes only. +- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones. +- Isolated servers (area B) - Devices in the server isolation zones restrict access to devices, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. +- Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. 
The diagram illustrates the concept as a subset for conceptual purposes only. To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. 
@@ -36,14 +33,12 @@ This design can be applied to devices that are part of an Active Directory fores For more info about this design: -- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). +- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). +- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). 
-- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). - -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - -- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). - -- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). - -**Next:** [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) +> [!div class="nextstepaction"] +> +> [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) From dba380983c863a2144bbbfe753b03b9da47ae494 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Nov 2023 09:21:26 -0500 Subject: [PATCH 075/114] Firewall freshness and docfx --- windows/security/docfx.json | 10 +- .../network-security/windows-firewall/TOC.yml | 64 ++++---- ...ices-to-the-membership-group-for-a-zone.md | 58 +++---- ...ices-to-the-membership-group-for-a-zone.md | 52 ++----- ...e-files-for-settings-used-in-this-guide.md | 34 ++--- ...ssign-security-group-filters-to-the-gpo.md | 61 +++----- .../best-practices-configuring.md | 142 ++++++++---------- ...andalone-server-isolation-policy-design.md | 2 +- 8 files changed, 167 insertions(+), 256 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index aa4f877c04..7421416038 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json 
@@ -91,9 +91,7 @@ "operating-system-security/data-protection/**/*.md": "paolomatarazzo", "operating-system-security/data-protection/**/*.yml": "paolomatarazzo", "operating-system-security/network-security/**/*.md": "paolomatarazzo", - "operating-system-security/network-security/**/*.yml": "paolomatarazzo", - "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms", - "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms" + "operating-system-security/network-security/**/*.yml": "paolomatarazzo" }, "ms.author":{ "application-security//**/*.md": "vinpa", @@ -111,9 +109,7 @@ "operating-system-security/data-protection/**/*.md": "paoloma", "operating-system-security/data-protection/**/*.yml": "paoloma", "operating-system-security/network-security/**/*.md": "paoloma", - "operating-system-security/network-security/**/*.yml": "paoloma", - "operating-system-security/network-security/windows-firewall/*.md": "nganguly", - "operating-system-security/network-security/windows-firewall/*.yml": "nganguly" + "operating-system-security/network-security/**/*.yml": "paoloma" }, "appliesto": { "application-security//**/*.md": [ @@ -220,7 +216,7 @@ "identity-protection/access-control/*.md": "sulahiri", "identity-protection/smart-cards/*.md": "ardenw", "identity-protection/virtual-smart-cards/*.md": "ardenw", - "operating-system-security/network-security/windows-firewall/*.md": "paoloma", + "operating-system-security/network-security/windows-firewall/*.md": "nganguly", "operating-system-security/network-security/vpn/*.md": "pesmith", "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda", "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck" 
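Review bot: The three docfx.json hunks pull in opposite directions and should be confirmed as intended. The first two remove the windows-firewall-specific overrides (`"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms"` and the `nganguly` ms.author entries), so firewall docs now inherit the `network-security/**` author, while the third changes `"operating-system-security/network-security/windows-firewall/*.md": "paoloma"` to `"nganguly"` in a mapping whose key is outside the visible context. If that reassignment is meant to stick, note that `windows-firewall/*.md` matches only the top-level folder, whereas the removed author entry used `windows-firewall/**/*.md`; align the glob depth so the same set of files is covered.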
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml index 165242f099..3914108b37 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml @@ -21,7 +21,7 @@ items: href: restrict-access-to-only-specified-users-or-devices.md - name: Implementation designs items: - - name: Mapping goals to a design + - name: Map goals to a design href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md - name: Basic firewall design href: basic-firewall-policy-design.md @@ -45,11 +45,11 @@ items: href: certificate-based-isolation-policy-design-example.md - name: Design planning items: - - name: Planning your design + - name: Plan your design href: planning-your-windows-firewall-with-advanced-security-design.md - - name: Planning settings for a basic firewall policy + - name: Plan settings for a basic firewall policy href: planning-settings-for-a-basic-firewall-policy.md - - name: Planning domain isolation zones + - name: Plan domain isolation zones items: - name: Domain isolation zones href: planning-domain-isolation-zones.md 
@@ -61,21 +61,21 @@ items: href: boundary-zone.md - name: Encryption zone href: encryption-zone.md - - name: Planning server isolation zones + - name: Plan server isolation zones href: planning-server-isolation-zones.md - - name: Planning certificate-based authentication + - name: Plan certificate-based authentication href: planning-certificate-based-authentication.md items: - - name: Documenting the Zones + - name: Document the Zones href: documenting-the-zones.md - - name: Planning group policy deployment for your isolation zones + - name: Plan group policy deployment for your isolation zones href: planning-group-policy-deployment-for-your-isolation-zones.md items: - - name: Planning isolation groups for the zones + - name: Plan isolation groups for the zones href: planning-isolation-groups-for-the-zones.md - - name: Planning network access groups + - name: Plan network access groups href: planning-network-access-groups.md - - name: Planning the GPOs + - name: Plan the GPOs href: planning-the-gpos.md items: - name: Firewall GPOs 
@@ -102,41 +102,41 @@ items: href: gpo-domiso-encryption.md - name: Server isolation GPOs href: server-isolation-gpos.md - - name: Planning GPO deployment + - name: Plan GPO deployment href: planning-gpo-deployment.md - - name: Planning to deploy + - name: Plan to deploy href: planning-to-deploy-windows-firewall-with-advanced-security.md - name: Deployment guide items: - name: Deployment overview href: windows-firewall-with-advanced-security-deployment-guide.md - - name: Implementing your plan + - name: Implement your plan href: implementing-your-windows-firewall-with-advanced-security-design-plan.md - name: Basic firewall deployment items: - - name: "Checklist: Implementing a basic firewall policy design" + - name: "Checklist: Implement a basic firewall policy design" href: checklist-implementing-a-basic-firewall-policy-design.md - name: Domain isolation deployment items: - - name: "Checklist: Implementing a Domain Isolation Policy Design" + - name: "Checklist: Implement a Domain Isolation Policy Design" href: checklist-implementing-a-domain-isolation-policy-design.md - name: Server isolation deployment items: - - name: "Checklist: Implementing a Standalone Server Isolation Policy Design" + - name: "Checklist: Implement a Standalone Server Isolation Policy Design" href: checklist-implementing-a-standalone-server-isolation-policy-design.md - name: Certificate-based authentication items: - - name: "Checklist: Implementing a Certificate-based Isolation Policy Design" + - name: "Checklist: Implement a Certificate-based Isolation Policy Design" href: checklist-implementing-a-certificate-based-isolation-policy-design.md - name: Best practices items: - - name: Configuring the firewall + - name: Configure the firewall href: best-practices-configuring.md - - name: Securing IPsec + - name: Secure IPsec href: securing-end-to-end-ipsec-connections-by-using-ikev2.md - name: PowerShell href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md - - 
name: Isolating Microsoft Store Apps on Your Network + - name: Isolate Microsoft Store Apps on Your Network href: isolating-apps-on-your-network.md - name: How-to items: 
@@ -220,31 +220,31 @@ items: href: verify-that-network-traffic-is-authenticated.md - name: References items: - - name: "Checklist: Creating Group Policy objects" + - name: "Checklist: Create Group Policy objects" href: checklist-creating-group-policy-objects.md - - name: "Checklist: Creating inbound firewall rules" + - name: "Checklist: Create inbound firewall rules" href: checklist-creating-inbound-firewall-rules.md - - name: "Checklist: Creating outbound firewall rules" + - name: "Checklist: Create outbound firewall rules" href: checklist-creating-outbound-firewall-rules.md - - name: "Checklist: Configuring basic firewall settings" + - name: "Checklist: Configure basic firewall settings" href: checklist-configuring-basic-firewall-settings.md - - name: "Checklist: Configuring rules for the isolated domain" + - name: "Checklist: Configure rules for the isolated domain" href: checklist-configuring-rules-for-the-isolated-domain.md - - name: "Checklist: Configuring rules for the boundary zone" + - name: "Checklist: Configure rules for the boundary zone" href: checklist-configuring-rules-for-the-boundary-zone.md - - name: "Checklist: Configuring rules for the encryption zone" + - name: "Checklist: Configure rules for the encryption zone" href: checklist-configuring-rules-for-the-encryption-zone.md - - name: "Checklist: Configuring rules for an isolated server zone" + - name: "Checklist: Configure rules for an isolated server zone" href: checklist-configuring-rules-for-an-isolated-server-zone.md - - name: "Checklist: Configuring rules for servers in a standalone isolated server zone" + - name: "Checklist: Configure rules for servers in a standalone isolated server zone" href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md - - name: "Checklist: Creating rules for clients of a standalone isolated server zone" + - name: "Checklist: Create rules for clients of a standalone isolated server zone" href: 
checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md - name: "Appendix A: Sample GPO template files for settings used in this guide" href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md - name: Troubleshooting items: - - name: Troubleshooting UWP app connectivity issues in Windows Firewall + - name: Troubleshoot UWP app connectivity issues in Windows Firewall href: troubleshooting-uwp-firewall.md - name: Filter origin audit log improvements href: filter-origin-documentation.md diff --git a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index ffdc421b72..7bfb1addfd 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md 
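Review bot: Across the TOC.yml hunks the rename from "Planning ..." to "Plan ..." gives the entries a consistent imperative voice, but capitalization is now mixed: `- name: Document the Zones` and `- name: Isolate Microsoft Store Apps on Your Network` use title case next to sentence-case siblings such as `- name: Plan server isolation zones`, and `"Checklist: Implement a basic firewall policy design"` sits beside `"Checklist: Implement a Domain Isolation Policy Design"`. Since every one of these lines is already being touched, normalize them to one case style in the same change.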
@@ -2,50 +2,37 @@ title: Add Production Devices to the Membership Group for a Zone description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 +ms.topic: how-to +ms.date: 11/10/2023 --- # Add Production Devices to the Membership Group for a Zone - - After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. -**Caution**   -For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode. +> [!CAUTION] +> For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode. - - -The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. 
For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). +The method discussed in this guide uses the *Domain Computers* built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the *CG_DOMISO_NOIPSEC* example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you. -**Administrative credentials** - To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. 
In this topic: -- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group) - -- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device) - -- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device) +- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group) +- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device) +- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device) ## To add domain devices to the GPO membership group -1. Open Active Directory Users and Computers. - -2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group. - -3. In the details pane, double-click the GPO membership group to which you want to add computers. - -4. Select the **Members** tab, and then click **Add**. - -5. Type **Domain Computers** in the text box, and then click **OK**. - -6. Click **OK** to close the group properties dialog box. +1. Open Active Directory Users and Computers +1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group +1. In the details pane, double-click the GPO membership group to which you want to add computers +1. Select the **Members** tab, and then click **Add** +1. Type **Domain Computers** in the text box, and then click **OK** +1. Click **OK** to close the group properties dialog box After a computer is a member of the group, you can force a Group Policy refresh on the computer. 
@@ -53,8 +40,8 @@ After a computer is a member of the group, you can force a Group Policy refresh From an elevated command prompt, type the following command: -``` syntax -gpupdate /target:computer /force +``` cmd +gpupdate.exe /target:computer /force ``` After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. @@ -63,15 +50,6 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to From an elevated command prompt, type the following command: -``` syntax -gpresult /r /scope:computer +``` cmd +gpresult.exe /r /scope:computer ``` - - - - - - - - - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index db692b1afa..2ed1c1a950 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md 
@@ -2,44 +2,33 @@ title: Add Test Devices to the Membership Group for a Zone description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 +ms.topic: how-to +ms.date: 11/10/2023 --- # Add Test Devices to the Membership Group for a Zone - Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device. -Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it's supposed to receive. - -**Administrative credentials** +Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the `gpresult.exe` command to confirm that each device is receiving only the GPOs it's supposed to receive. To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. 
In this topic: -- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups) - -- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device) - -- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device) +- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups) +- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device) +- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device) ## To add test devices to the GPO membership groups -1. Open Active Directory Users and Computers. - -2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account. - -3. In the details pane, double-click the GPO membership group to which you want to add devices. - -4. Select the **Members** tab, and then click **Add**. - -5. Type the name of the device in the text box, and then click **OK**. - -6. Repeat steps 5 and 6 for each extra device account or group that you want to add. - -7. Click **OK** to close the group properties dialog box. +1. Open Active Directory Users and Computers +1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account +1. In the details pane, double-click the GPO membership group to which you want to add devices +1. Select the **Members** tab, and then click **Add** +1. Type the name of the device in the text box, and then click **OK** +1. Repeat steps 5 and 6 for each extra device account or group that you want to add +1. Click **OK** to close the group properties dialog box After a device is a member of the group, you can force a Group Policy refresh on the device. 
@@ -47,8 +36,8 @@ After a device is a member of the group, you can force a Group Policy refresh on From an elevated command prompt, run the following command: -``` syntax -gpupdate /target:device /force +``` cmd +gpupdate /target:device /force ``` After Group Policy is refreshed, you can see which GPOs are currently applied to the device. @@ -57,15 +46,6 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to From an elevated command prompt, run the following command: -``` syntax +``` cmd gpresult /r /scope:computer ``` - -  - -  - - - - - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 09b4dfb941..4c3d750caa 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md 
@@ -3,21 +3,21 @@ title: Appendix A Sample GPO Template Files for Settings Used in this Guide description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). ms.prod: windows-client ms.topic: conceptual -ms.date: 09/07/2021 +ms.date: 11/10/2023 --- -# Appendix A: Sample GPO Template Files for Settings Used in this Guide - +# Appendix A: aample GPO template files for settings used in this guide You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). -To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there. +To manually create the file, build the settings under **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**. After you create the settings, drag the container to the desktop. An .xml file is created there. -To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide. +To import an .xml file to GPMC, drag it and drop it on the **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry** node. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide. 
The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply. ->**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. +> [!NOTE] +> The file shown here is for sample use only. It should be customized to meet the requirements of your organization's deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. ```xml @@ -31,11 +31,11 @@ The following sample file uses item-level targeting to ensure that the registry image="12" changed="2008-05-30 20:37:37" uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}" - desc="<b>Enable PMTU Discovery</b><p> + desc="Enable PMTU Discovery

    This setting configures whether computers can use PMTU - discovery on the network.<p> - <b>1</b> -- Enable<br> - <b>0</b> -- Disable" + discovery on the network.

    + 1 -- Enable
    + 0 -- Disable" bypassErrors="1"> IPsec Default Exemptions for Windows Server 2008 + and later

    This setting determines which network traffic type is exempt - from any IPsec authentication requirements.<p> - <b>0</b>: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP<br> - <b>1</b>: Exempts multicast, broadcast, ISAKMP<br> - <b>2</b>: Exempts RSVP, Kerberos, ISAKMP<br> - <b>3</b>: Exempts ISAKMP only" + from any IPsec authentication requirements.

    + 0: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP
    + 1: Exempts multicast, broadcast, ISAKMP
    + 2: Exempts RSVP, Kerberos, ISAKMP
    + 3: Exempts ISAKMP only" bypassErrors="1"> [!IMPORTANT] >This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. -  - -**Administrative credentials** - To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs. In this topic: -- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo) - -- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo) +- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo) +- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo) ## To allow members of a group to apply a GPO Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO. -1. Open the Group Policy Management console. - -2. In the navigation pane, find and then click the GPO that you want to modify. - -3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**. +1. Open the Group Policy Management console +1. In the navigation pane, find and then select the GPO that you want to modify +1. In the details pane, under **Security Filtering**, select **Authenticated Users**, and then select **Remove** >[!NOTE] - >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. 
If the GPO contains User settings, and the **Authenticated Users** group is removed, and new security filtering is added using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this [Microsoft blog](https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Who-broke-my-user-GPOs/ba-p/258781). + >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the **Authenticated Users** group is removed, and new security filtering isdded using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this [Microsoft blog](https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Who-broke-my-user-GPOsa-p/258781). -4. Click **Add**. +1. Se;ect **Add** +1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain -5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. - -## To prevent members of a group from applying a GPO +## To prevent members of a group from applying a GPO Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain. -1. Open the Group Policy Management console. - -2. In the navigation pane, find and then click the GPO that you want to modify. - -3. 
In the details pane, click the **Delegation** tab. - -4. Click **Advanced**. - -5. Under the **Group or user names** list, click **Add**. - -6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. - -7. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**. - -8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. - -9. The group appears in the list with **Custom** permissions. +1. Open the Group Policy Management console +1. In the navigation pane, find and then select the GPO that you want to modify +1. In the details pane, select the **Delegation** tab +1. Select **Advanced** +1. Under the **Group or user names** list, select **Add** +1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups lable in the domain +1. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy** +1. Select **OK**, and then in the **Windows Security** dialog box, select **Yes** +1. The group appears in the list with **Custom** permissions diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index c0f7eb352f..41280919f0 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
+++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -1,132 +1,112 @@ --- -title: Best practices for configuring Windows Defender Firewall -description: Learn about best practices for configuring Windows Defender Firewall +title: Best practices for configuring Windows Firewall +description: Learn about best practices for configuring Windows Firewall ms.prod: windows-client -ms.date: 11/09/2022 -ms.collection: - - highpri - - tier3 - - must-keep +ms.date: 11/10/2023 ms.topic: best-practice --- -# Best practices for configuring Windows Defender Firewall +# Best practices for configuring Windows Firewall -Windows Defender Firewall with Advanced Security provides host-based, two-way -network traffic filtering and blocks unauthorized network traffic flowing into -or out of the local device. Configuring your Windows Firewall based on the -following best practices can help you optimize protection for devices in your -network. These recommendations cover a wide range of deployments including home -networks and enterprise desktop/server systems. +Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems. -To open Windows Firewall, go to the **Start** menu, select **Run**, -type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md). +To open Windows Firewall, select **Start** > **Run**, type **wf.msc**, and then select **OK**. See also [Open Windows Firewall](open-windows-firewall-with-advanced-security.md). ## Keep default settings -When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. 
The Overview panel displays security settings for each type of network to which the device can connect. +When you open the Windows Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. -![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png) - -*Figure 1: Windows Defender Firewall* +![Windows Firewall with Advanced Security first time opening.](images/fw01-profiles.png) 1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller 1. **Private profile**: Designed for and best used in private networks such as a home network 1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores -View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**. +To view detailed settings for each profile, right-click the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then select **Properties**. -Maintain the default settings in Windows Defender -Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. +Maintain the default settings in Windows Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. 
-![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png) - -*Figure 2: Default inbound/outbound settings* +:::image type="content" source="images/fw03-defaults.png" alt-text="Screenshot of the default inbound/outbound Firewall settings."::: > [!IMPORTANT] > To maintain maximum security, do not change the default Block setting for inbound connections. For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md). -## Understand rule precedence for inbound rules +## Rule precedence for inbound rules -In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. +In many cases, a next step for administrators is to customize the firewall profiles using *rules* (sometimes called *filters*), so that they can work with applications or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. -This rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: +The rule-adding task can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: ![Rule creation wizard.](images/fw02-createrule.png) -*Figure 3: Rule Creation Wizard* +> [!NOTE] +>This article doesn't cover step-by-step rule configuration. 
See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation. + +In many cases, allowing specific types of inbound traffic is required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions: + +1. Explicitly defined allow rules take precedence over the default block setting +1. Explicit block rules take precedence over any conflicting allow rules +1. More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence. + +> [!TIP] +> Because of 1 and 2, when designing a set of policies you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow. + +A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. > [!NOTE] ->This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation. - -In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions. - -1. 
Explicitly defined allow rules will take precedence over the default block setting. -1. Explicit block rules will take precedence over any conflicting allow rules. -1. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) - -Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. - -A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. - -> [!NOTE] -> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. +> Windows Firewall doesn't support weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors as described. ## Create rules for new applications before first launch ### Inbound allow rules -When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Defender Firewall, it's necessary to create inbound exception rules to allow this traffic. 
It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. +When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. -If there's no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. +If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. -- If the user has admin permissions, they'll be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic. +- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic. +- If the user isn't a local admin, they won't be prompted. In most cases, block rules are created. -- If the user isn't a local admin, they won't be prompted. In most cases, block rules will be created. - -In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked. +In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. 
If not, the traffic continues to be blocked. > [!NOTE] -> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. +> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. ### Known issues with automatic rule creation -When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. +When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. Having the rules in place before the user first launches the application helps to ensure a seamless experience. The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues. To determine why some applications are blocked from communicating in the network, check for the following instances: -1. 
A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. -1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. -1. Local Policy Merge is disabled, preventing the application or network service from creating local rules. +1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt +1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes +1. Local Policy Merge is disabled, preventing the application or network service from creating local rules Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. :::image type="content" alt-text="Windows Firewall prompt." source="images/fw04-userquery.png"::: -*Figure 4: Dialog box to allow access* - See also [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md). ## Establish local policy merge and application rules Firewall rules can be deployed: -1. Locally using the Firewall snap-in (**WF.msc**) -1. Locally using PowerShell -1. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join) +1. Locally using the Firewall snap-in (**wf.msc**) +1. Locally using PowerShell +1. Remotely using Group Policy if the device is a member of an Active Directory Name or managed by Configuration Manager +1. Remotely, using a mobile device management (MDM) solution like Microsoft Intune -Rule merging settings control how rules from different policy sources can be combined. 
Administrators can configure different merge behaviors for Domain, Private, and Public profiles. +Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for *Domain*, *Private*, and *Public profiles*. The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy. ![Customize settings.](images/fw05-rulemerge.png) -*Figure 5: Rule merging setting* - > [!TIP] > In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. 
@@ -139,14 +119,14 @@ Management (MDM), or both (for hybrid or co-management environments). As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. -In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes. +In general, to maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes. > [!NOTE] -> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s). +> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. You can only create rules using the full path to the application(s). -## Understand Group Policy Processing +## Understand group policy processing -The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes. +The Windows Firewall settings configured via group policy or CSP are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes. Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions: 
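Review bot: the wildcard example in the note still renders incorrectly. Inside italics, `*C:\*\\teams.exe*` escapes the asterisk and the backslash but has no backslash after `C:`, so readers see "C:*\teams.exe" rather than a path with a wildcard directory segment; put it in a code span as `C:\*\teams.exe` so no escaping is needed. Also, "The Windows Firewall settings configured via group policy or CSP are stored in the registry" now mentions CSP, but the refresh behaviour that follows ("group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes") describes only Group Policy; either say when CSP-delivered settings are applied or keep "or CSP" out of this paragraph so readers don't assume the 90-minute timer covers MDM.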
@@ -157,13 +137,13 @@ Windows Firewall monitors the registry for changes, and if something is written > [!NOTE] > The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected. -Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default. +Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects haven't changed* option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default. -If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during **every** background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. 
If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like: +If you enable the option *Process even if the Group Policy objects haven't changed*, the WFP filters get reapplied during **every** background refresh. In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like: -- Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies +- Windows Firewall blocks inbound or outbound traffic allowed by group policies - Local Firewall settings are applied instead of group policy settings -- IPsec connections cannot establish +- IPsec connections can't establish The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller. @@ -174,7 +154,7 @@ To avoid the issue, leave the policy `Computer Configuration > Administrative Te > > If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**. -## Know how to use "shields up" mode for active attacks +## Know how to use *shields up* mode for active attacks An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. 
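Review bot: "IPsec connections can't establish" in the symptom list is ungrammatical; make it "IPsec connections can't be established". "In case you have 10 group policies" also reads as the wrong conditional; "If you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval" is clearer. In the following hunk the heading becomes "Know how to use *shields up* mode for active attacks" while the body still writes the term as "shields up" in quotes; pick one treatment and use it in both places.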
@@ -189,7 +169,7 @@ incoming connections, including those in the list of allowed apps** setting foun *Figure 7: Legacy firewall.cpl* -By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions. +By default, the Windows Firewall blocks everything unless there's an exception rule created. This setting overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated. 
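Review bot: "By default, the Windows Firewall blocks everything unless there's an exception rule created" overstates the default. The outbound guidance later in this file ("The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments" and "It's recommended to Allow Outbound by default") only makes sense if the default outbound action is Allow, and the setting being described here ("incoming connections, including those in the list of allowed apps") is inbound-only. Reword to "By default, Windows Firewall blocks all inbound connections unless a rule allows them. This setting overrides those exceptions."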
@@ -201,7 +181,7 @@ What follows are a few general guidelines for configuring outbound rules. - The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default - It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use -- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments) +- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments) For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md). 
@@ -211,21 +191,19 @@ When creating an inbound or outbound rule, you should specify details about the ## Configure Windows Firewall rules with WDAC tagging policies -Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: +Windows Firewall now supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules. With this capability, Windows Firewall rules can now be scoped to an application or a group of applications by referencing process tags, without using absolute path or sacrificing security. There are two steps for this configuration: ### Step 1: Deploy WDAC AppId Tagging Policies -A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules which are scoped to all processes tagged with the matching PolicyAppId.   +A Windows Defender Application Control (WDAC) policy needs to be deployed which specifies individual applications or groups of applications to apply a PolicyAppId tag to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching PolicyAppId. -Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications.  
+Follow the detailed [WDAC Application ID (AppId) Tagging Guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) to create, deploy, and test an AppID (Application ID) policy to tag applications. ### Step 2: Configure Firewall Rules using PolicyAppId Tags -- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider ](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform. -You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. +- **Deploy firewall rules with Intune:** When creating firewall rules with Intune Microsoft Defender Firewall Rules, provide the AppId tag in the Policy App ID setting. The properties come directly from the [Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP) and apply to the Windows platform. +You can do this through the Intune admin center under Endpoint security > Firewall. Policy templates can be found via Create policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Firewall or Microsoft Defender Firewall Rules. OR -- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `–PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.  
- - +- **Create local firewall rules with PowerShell**: You can use PowerShell to configure by adding a Firewall rule using [New-NetFirewallRule](/powershell/module/netsecurity/new-netfirewallrule) and specify the `-PolicyAppId` tag. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 45e296691a..7596ee7611 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -18,7 +18,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | | Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Server Isolation Policy Design](server-isolation-policy-design.md)
    [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
    [Planning Server Isolation Zones](planning-server-isolation-zones.md) | -| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| +| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| | After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| From 6e5a5ed0294aebd86821c9c68b15c907cfc4dc19 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Nov 2023 12:11:02 -0500 Subject: [PATCH 076/114] fix issues --- ...le-gpo-template-files-for-settings-used-in-this-guide.md | 2 +- .../assign-security-group-filters-to-the-gpo.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
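Review bot: in the WDAC section's Intune bullet the link text is still glued to the abbreviation: "[Firewall configuration service provider](/windows/client-management/mdm/firewall-csp)(CSP)" renders as "provider(CSP)"; add a space before "(CSP)". In the PowerShell bullet, "You can use PowerShell to configure by adding a Firewall rule using New-NetFirewallRule and specify the `-PolicyAppId` tag" needs restructuring, for example "You can create a firewall rule with New-NetFirewallRule and pass the tag with `-PolicyAppId`", and the closing "You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported." is unclear: the paragraph is about PolicyAppId tags, not user IDs, so state what "multiple" refers to and how it relates to the one-tag-per-rule limit. The bare "OR" line between the two bullets should be folded into an intro sentence for the list ("Do one of the following:"). Minor: "without using absolute path" should be "without using an absolute path", and AppID/AppId/PolicyAppId casing varies within the section.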
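Review bot: the checklist hunk only strips trailing whitespace, but the Reference cell of the first row spans four physical lines (the link to identifying-your-windows-firewall-with-advanced-security-deployment-goals.md followed by three more links on their own lines); a Markdown table needs each row on one line, so join them with `<br>` or the row will not render as a single cell. Also, this page keeps the product name "Windows Defender Firewall with Advanced Security" while the best-practices page in the same patch replaces "Windows Defender Firewall" with "Windows Firewall"; align the naming across the two files.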
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 4c3d750caa..03fe642a1d 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -6,7 +6,7 @@ ms.topic: conceptual ms.date: 11/10/2023 --- -# Appendix A: aample GPO template files for settings used in this guide +# Appendix A: sample GPO template files for settings used in this guide You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md index bf0178639f..f708e6a031 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md 
@@ -29,9 +29,9 @@ Use the following procedure to add a group to the security filter on the GPO tha 1. In the details pane, under **Security Filtering**, select **Authenticated Users**, and then select **Remove** >[!NOTE] - >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the **Authenticated Users** group is removed, and new security filtering isdded using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this [Microsoft blog](https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Who-broke-my-user-GPOsa-p/258781). + >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. -1. Se;ect **Add** +1. Select **Add** 1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain ## To prevent members of a group from applying a GPO 
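Review bot: the rewritten note drops the failure mode the original described, namely that a GPO containing User settings can fail to apply when **Authenticated Users** is removed and the new security filtering uses a group that contains only user accounts, together with the pointer to workarounds. Trimming the external blog link is fine, but the caveat itself is operational guidance a reader following step 1 needs; keep at least a sentence such as "If the GPO contains User settings and you filter on a group that contains only user accounts, the GPO can fail to apply" or point to replacement guidance. Also, "If you do not know the name" in the next step uses the uncontracted form while the rest of this PR moves to contractions ("haven't", "can't").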
@@ -43,7 +43,7 @@ Use the following procedure to add a group to the security filter on the GPO tha 1. In the details pane, select the **Delegation** tab 1. Select **Advanced** 1. Under the **Group or user names** list, select **Add** -1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups lable in the domain +1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain 1. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy** 1. Select **OK**, and then in the **Windows Security** dialog box, select **Yes** 1. The group appears in the list with **Custom** permissions From ec8bcd2224e1f90537afa9518a5bfca452855bdc Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Nov 2023 16:13:50 -0500 Subject: [PATCH 077/114] batch1 --- .../network-security/windows-firewall/TOC.yml | 87 -------------- .../basic-firewall-policy-design.md | 51 -------- .../windows-firewall/boundary-zone-gpos.md | 22 ---- .../windows-firewall/boundary-zone.md | 57 --------- ...e-based-isolation-policy-design-example.md | 47 -------- ...rtificate-based-isolation-policy-design.md | 27 ----- .../windows-firewall/documenting-the-zones.md | 21 ---- .../domain-isolation-policy-design-example.md | 52 --------- .../domain-isolation-policy-design.md | 58 --------- .../windows-firewall/encryption-zone-gpos.md | 16 --- .../windows-firewall/encryption-zone.md | 56 --------- .../windows-firewall/exemption-list.md | 46 -------- .../windows-firewall/firewall-gpos.md | 14 --- .../firewall-policy-design-example.md | 100 ---------------- .../windows-firewall/gpo-domiso-boundary.md | 37 ------ .../windows-firewall/gpo-domiso-encryption.md | 51 -------- .../windows-firewall/gpo-domiso-firewall.md | 59 ---------- .../gpo-domiso-isolateddomain-clients.md | 77 ------------ .../gpo-domiso-isolateddomain-servers.md | 20 ---- .../windows-firewall/isolated-domain-gpos.md | 20 ---- .../windows-firewall/isolated-domain.md | 57 --------- ...-firewall-with-advanced-security-design.md | 27 ----- ...anning-certificate-based-authentication.md | 48 -------- .../planning-domain-isolation-zones.md | 24 ---- .../planning-gpo-deployment.md | 110 ------------------ ...icy-deployment-for-your-isolation-zones.md | 22 ---- ...planning-isolation-groups-for-the-zones.md | 34 ------ .../planning-network-access-groups.md | 27 ----- .../planning-server-isolation-zones.md | 68 ----------- ...ng-settings-for-a-basic-firewall-policy.md | 44 ------- .../windows-firewall/planning-the-gpos.md | 51 -------- ...windows-firewall-with-advanced-security.md | 54 --------- ...-firewall-with-advanced-security-design.md | 84 
------------- .../windows-firewall/server-isolation-gpos.md | 27 ----- .../server-isolation-policy-design-example.md | 69 ----------- .../server-isolation-policy-design.md | 44 ------- 36 files changed, 1708 deletions(-) delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md delete mode 100644 
windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md 
delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml index 3914108b37..ab921f1437 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml 
@@ -19,93 +19,6 @@ items: href: require-encryption-when-accessing-sensitive-network-resources.md - name: Restrict access href: restrict-access-to-only-specified-users-or-devices.md - - name: Implementation designs - items: - - name: Map goals to a design - href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md - - name: Basic firewall design - href: basic-firewall-policy-design.md - items: - - name: Basic firewall design example - href: firewall-policy-design-example.md - - name: Domain isolation design - href: domain-isolation-policy-design.md - items: - - name: Domain isolation design example - href: domain-isolation-policy-design-example.md - - name: Server isolation design - href: server-isolation-policy-design.md - items: - - name: Server Isolation design example - href: server-isolation-policy-design-example.md - - name: Certificate-based isolation design - href: certificate-based-isolation-policy-design.md - items: - - name: Certificate-based Isolation design example - href: certificate-based-isolation-policy-design-example.md - - name: Design planning - items: - - name: Plan your design - href: planning-your-windows-firewall-with-advanced-security-design.md - - name: Plan settings for a basic firewall policy - href: planning-settings-for-a-basic-firewall-policy.md - - name: Plan domain isolation zones - items: - - name: Domain isolation zones - href: planning-domain-isolation-zones.md - - name: Exemption list - href: exemption-list.md - - name: Isolated domain - href: isolated-domain.md - - name: Boundary zone - href: boundary-zone.md - - name: Encryption zone - href: encryption-zone.md - - name: Plan server isolation zones - href: planning-server-isolation-zones.md - - name: Plan certificate-based authentication - href: planning-certificate-based-authentication.md - items: - - name: Document the Zones - href: documenting-the-zones.md - - name: Plan group policy deployment for your isolation zones - href: 
planning-group-policy-deployment-for-your-isolation-zones.md - items: - - name: Plan isolation groups for the zones - href: planning-isolation-groups-for-the-zones.md - - name: Plan network access groups - href: planning-network-access-groups.md - - name: Plan the GPOs - href: planning-the-gpos.md - items: - - name: Firewall GPOs - href: firewall-gpos.md - items: - - name: GPO_DOMISO_Firewall - href: gpo-domiso-firewall.md - - name: Isolated domain GPOs - href: isolated-domain-gpos.md - items: - - name: GPO_DOMISO_IsolatedDomain_Clients - href: gpo-domiso-isolateddomain-clients.md - - name: GPO_DOMISO_IsolatedDomain_Servers - href: gpo-domiso-isolateddomain-servers.md - - name: Boundary zone GPOs - href: boundary-zone-gpos.md - items: - - name: GPO_DOMISO_Boundary - href: gpo-domiso-boundary.md - - name: Encryption zone GPOs - href: encryption-zone-gpos.md - items: - - name: GPO_DOMISO_Encryption - href: gpo-domiso-encryption.md - - name: Server isolation GPOs - href: server-isolation-gpos.md - - name: Plan GPO deployment - href: planning-gpo-deployment.md - - name: Plan to deploy - href: planning-to-deploy-windows-firewall-with-advanced-security.md - name: Deployment guide items: - name: Deployment overview diff --git a/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md deleted file mode 100644 index 748a749676..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Basic Firewall Policy Design -description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. -ms.topic: conceptual -ms.date: 11/07/2023 ---- - -# Basic Firewall Policy Design - -Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization. - -The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that doesn't match the rules is dropped. - -Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. - -Many network administrators don't want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs don't require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: - -- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. 
You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device -- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. For example, when you install a server role, the appropriate firewall rules are created and enabled automatically -- For other standard network behavior, the predefined rules that are built into Windows can be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. - -With a few exceptions, the firewall can be enabled on all configurations. Therefore, we recommend that you enable the firewall on every device in your organization. The term "device" includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. - -> [!CAUTION] -> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. - -Windows Defender Firewall with Advanced Security is turned on by default. - -If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. - -Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party firewalls that comply with this recommendation have the certified logo from Microsoft. 
- -An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation. - -After implementing this design, you'll have centralized management of the firewall rules applied to all devices that are running Windows in your organization. - -> [!IMPORTANT] -> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. - -The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. - -For more information about this design: - -- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) -- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md) -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) -- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) - -> [!div class="nextstepaction"] -> [Domain Isolation Policy Design](domain-isolation-policy-design.md) 
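Review bot: the deletion of basic-firewall-policy-design.md is not paired with a redirect entry, yet the page is still a link target inside this same patch (domain-isolation-policy-design.md, also being removed here, points at `basic-firewall-policy-design.md` in both its opening paragraph and its IMPORTANT block), and the `ms.date: 11/07/2023` front matter shows it was revised only days before removal. Please add the redirect and state in the PR description where the page's operational guidance now lives, in particular the CAUTION that stopping the Windows Defender Firewall service is unsupported and the list of what is lost when the service is off (IPsec connection security rules, Windows Service Hardening, protection against network-fingerprinting attacks), which is the kind of defender-facing advice readers search for directly.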
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md deleted file mode 100644 index 16684e9cbd..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -title: Boundary Zone GPOs -description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Boundary Zone GPOs - - -All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. - ->**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. - -This recommendation means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. - -The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices aren't expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. 
- -In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. - -- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md deleted file mode 100644 index 36a61d385c..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md +++ /dev/null 
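Review bot: removing boundary-zone-gpos.md leaves `gpo-domiso-boundary.md` as a potentially orphaned target; that page is linked from the final bullet here but is not among the deletions visible in this patch, so either include it or confirm it survives with its own inbound links. Note also that the recommendation to "create and periodically run a script that compares the memberships of the groups that must be mutually exclusive" appears verbatim in this page and again in domain-isolation-policy-design-example.md later in the same patch; if the content is consolidated into a replacement page, keep a single copy of that advice rather than carrying the duplicate forward.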
@@ -1,57 +0,0 @@ ---- -title: Boundary Zone -description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Boundary Zone - - -In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. - -Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. - -The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. - -These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the extra risk. The following illustration shows a sample process that can help make such a decision. - -![design flowchart.](images/wfas-designflowchart1.gif) - -The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk can't be mitigated, membership must be denied. - -You must create a group in Active Directory to contain the members of the boundary zones. 
The settings and rules for the boundary zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. - - [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group. - -## GPO settings for boundary zone servers running at least Windows Server 2008 - - -The boundary zone GPO for devices running at least Windows Server 2008 should include the following components: - -- IPsec default settings that specify the following options: - - 1. Exempt all ICMP traffic from IPsec. - - 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - - 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - - If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. 
If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method. - -- The following connection security rules: - - - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - - - A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication. - -- A registry policy that includes the following values: - - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - - >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) - -**Next:**[Encryption Zone](encryption-zone.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md deleted file mode 100644 index 8a453cd437..0000000000 
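Review bot: this hunk is the only place in the patch that states concrete IPsec minimums (main mode at least DH4, AES and SHA2; no DES or MD5 in quick mode; ESP encapsulation when NAT devices are present; exempt all ICMP from IPsec; Kerberos V5 device authentication with user-based Kerberos or certificates as optional methods) together with the `EnablePMTUDiscovery` registry value under `HKLM\System\CurrentControlSet\Services\TCPIP\Parameters`, so the PR description should say which surviving page now carries that guidance before this is merged. The page also references `images/wfas-designflowchart1.gif`; that image should be removed in the same change if nothing else uses it, or left in place if another page does, so the repo does not end up with an orphaned asset or a broken image link.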
--- a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Certificate-based Isolation Policy Design Example -description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Certificate-based Isolation Policy Design Example - -This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). - -One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it's considered unsolicited inbound traffic to the devices that receive this information. - -## Design requirements - -One possible solution to this design example is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it can't authenticate. - -A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it can't join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically protected documents, encrypted in such a way that their origin can be positively confirmed. - -In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. 
They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. - -The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate. - -The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design. - -The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates. - -### Other traffic notes - -- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device. - -## Design details - -Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization. - -The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory-supported Kerberos V5 authentication. 
This certificate-based authoring doesn't require including new rules, just adding certificate-based authentication as an option to the existing rules. - -When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because most of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. - -With the help of the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG_COMPUTER_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. - -Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG_COMPUTER_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. - -> [!div class="nextstepaction"] -> -> [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md deleted file mode 100644 index f55fd96a04..0000000000 
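Review bot: two defects in the removed text are worth noting so they are not migrated as-is into a replacement page: the sentence "Certificates are cryptographically protected documents, encrypted in such a way that their origin can be positively confirmed" is wrong in substance, since an X.509 certificate is signed by its issuer, not encrypted, and it is the signature chain (which the page later correctly ties to the **Trusted Root Certification Authorities** store) that establishes origin; and "This certificate-based authoring doesn't require including new rules" should read "authentication". The design point itself, that adding certificate authentication as a second method to existing connection security rules needs no new rules and that negotiating peers pick the first method common to both lists, is correct and worth preserving.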
--- a/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: Certificate-based Isolation Policy Design -description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Certificate-based isolation policy design - -In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. - -Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices can't join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows can't join a domain for various reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. - -To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that don't run Windows. - -The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain. 
- -For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but aren't part of the Active Directory domain. For other devices, you'll have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. - -For more info about this design: - -- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). -- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). -- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md deleted file mode 100644 index 16cb030c90..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md +++ /dev/null 
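Review bot: the "For more info" list on this page links to `planning-certificate-based-authentication.md` and `checklist-implementing-a-certificate-based-isolation-policy-design.md`, neither of which appears among the deletions visible in this patch; those pages almost certainly link back to certificate-based-isolation-policy-design.md, so please either remove them in the same change or update their links, and run a repo-wide search for inbound references before merging. Minor: the front matter description reads "how it defers from Domain Isolation", which should have been "differs"; moot once the file is deleted, but do not copy it forward.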
@@ -1,21 +0,0 @@ ---- -title: Documenting the Zones -description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Documenting the Zones - - -Generally, the task of determining zone membership isn't complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: - -| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | -| - | - | - | - | - | - | -| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware not compatible with newer versions of Windows.| $??| Isolated domain| -| SERVER002 | Yes| No| Join trusted domain, upgrade from Windows Server 2008 to at least Windows Server 2012| No antivirus software present.| $??| Encryption| -| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)| -| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary| - -**Next:** [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) 
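Review bot: the inventory table on this page has a header row with seven cells (Host name, Hardware reqs met, Software reqs met, Configuration required, Details, Projected cost, Group) but a separator row with only six (`| - | - | - | - | - | - |`), which would have rendered incorrectly; if the table is reproduced on a replacement page, add the seventh `-` cell. The sample rows also cite Windows XP, Windows Server 2008 and Windows Server 2008 R2 as current systems, so the content is rightly stale, but the idea of adding a Group column to the host inventory to record zone placement (Isolated domain, Encryption, Isolated server, Boundary) is still the practical way to track membership and should survive the migration.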
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md deleted file mode 100644 index c01ba555ff..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Domain Isolation Policy Design Example -description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Domain Isolation Policy Design Example - - -This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. - -## Design Requirements - -In addition to the basic protection provided by the firewall rules in the previous design example, you might want to implement domain isolation to provide another layer of security to their networked devices. You can create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile devices. - -The following illustration shows the traffic protection needed for this design example. - -![domain isolation policy design.](images/wfas-design2example1.gif) - -1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that isn't authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. - -2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which aren't members of Woodgrove Bank's domain. - -3. 
Client devices can initiate non-authenticated outbound communications with devices that aren't members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. - -4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. - -**Other traffic notes:** - -- All of the design requirements described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. - -## Design Details - -Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network. - -Setting up groups as described here ensures that you don't have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. - -The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, add the device's account in the appropriate group. - -- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO doesn't apply to domain controllers. 
GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. - -- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that can't participate in domain isolation, such as a DHCP server running UNIX, is added to this group. - -- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. - -- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the devices that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic. - ->**Note:**  If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. 
The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. - -**Next:** [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md deleted file mode 100644 index abb10fe004..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md +++ /dev/null 
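Review bot: the Note in this hunk restricts nested-group GPO design to "only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2" and warns that older Windows supports a single active IPsec policy; every version in that list is out of support, so the caveat no longer applies to any supported client or server and should not be carried into a replacement page. What should be carried forward is the statement under requirement 1 that "If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule", since it makes the defensive point that connection security rules and firewall rules are evaluated independently, and the `CG_DOMISO_*` group model, which boundary-zone-gpos.md in this same patch depends on by name.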
@@ -1,58 +0,0 @@ ---- -title: Domain Isolation Policy Design -description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Domain Isolation Policy Design - - -In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. - -This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After the new rules are implemented, your devices reject unsolicited network traffic from devices that aren't members of the isolated domain. - -The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. - -By using connection security rules based on IPsec, you provide a logical barrier between devices even if they're connected to the same physical network segment. - -The design is shown in the following illustration, with the arrows that show the permitted communication paths. - -![isolated domain boundary zone.](images/wfasdomainisoboundary.gif) - -Characteristics of this design, as shown in the diagram, include: - -- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. 
This traffic includes unauthenticated traffic to devices that aren't in the isolated domain. Devices that can't join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). - -- Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet. - - Devices in the boundary zone request but don't require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member, the traffic is authenticated. When a device that isn't part of the isolated domain communicates with a boundary zone member the traffic isn't authenticated. - - Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices. - -- Trusted non-domain members (area C) - Devices on the network that aren't domain members or that can't use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. - -- Untrusted non-domain members (area D) - Devices that aren't managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. 
- -After this design is implemented, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. -> [!IMPORTANT] -> This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. - -This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. - -In order to expand the isolated domain to include Devices that can't be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). - -For more info about this design: - -- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - -- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). - -- Before completing the design, gather the info described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). 
- -- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). - -- For a list of tasks that you can use to deploy your domain isolation policy design, see [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). - -**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md deleted file mode 100644 index eb9e6e58ad..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -title: Encryption Zone GPOs -description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Encryption Zone GPOs - - -Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. - -The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. - -- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md deleted file mode 100644 index b421043953..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -title: Encryption Zone -description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Encryption Zone - - -Some servers in the organization host data that's sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it's transferred between devices. - -To support the other security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted. - -You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. - -Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. - -## GPO settings for encryption zone servers running at least Windows Server 2008 - - -The GPO for devices that are running at least Windows Server 2008 should include: - -- IPsec default settings that specify the following options: - - 1. Exempt all ICMP traffic from IPsec. - - 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - - 3. 
Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - - If any NAT devices are present on your networks, use ESP encapsulation.. - - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. - -- The following connection security rules: - - - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - - - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. - - **Important**   - Be sure to begin operations by using request in and request out behavior until you're sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. - - - -- A registry policy that includes the following values: - - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. 
The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - - >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. - -**Next:** [Planning Server Isolation Zones](planning-server-isolation-zones.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md b/windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md deleted file mode 100644 index cb0b5ee9e1..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Exemption List -description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Exemption List - - -When you implement a server and domain isolation security model in your organization, you're likely to find more challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers can't require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. - -In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices can't use IPsec to access, which would be added to the exemption list. - -Generally, the following conditions are reasons to consider adding a device to the exemption list: - -- If the device must be accessed by trusted devices but it doesn't have a compatible IPsec implementation. - -- If the device must provide services to both trusted and untrusted devices, but doesn't meet the criteria for membership in the boundary zone. - -- If the device must be accessed by trusted devices from different isolated domains that don't have an Active Directory trust relationship established with each other. - -- If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. - -- If the device must support trusted and untrusted devices, but can't use IPsec to help secure communications to trusted devices. 
- -For large organizations, the list of exemptions might grow large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following effects: - -- Reduces the overall effectiveness of isolation. - -- Creates a larger management burden (because of frequent updates). - -- Increases the size of the IPsec policy, which means that it consumes more memory and CPU resources, slows down network throughput, and increases the time required to download and apply the GPO containing the IPsec policy. - -To keep the number of exemptions as small as possible, you have several options: - -- Carefully consider the communications requirements of each isolation zone, especially server-only zones. They might not be required to communicate with every exemption in the domain-level policy for clients. - -- Consolidate server functions. If several exempt services can be hosted at one IP address, the number of exemptions is reduced. - -- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address. - -As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section. - -**Next:** [Isolated Domain](isolated-domain.md) 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md deleted file mode 100644 index 526ffd83a3..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Firewall GPOs -description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Firewall GPOs - - -All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. - -The GPO created for the example Woodgrove Bank scenario includes [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md b/windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md deleted file mode 100644 index f290a9943c..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: Basic Firewall Policy Design Example -description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Basic Firewall Policy Design Example - - -In this example, the fictitious company Woodgrove Bank is a financial services institution. - -Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. - -Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. - -A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing—they don't store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. 
- -## Design requirements - -The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide another security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that isn't wanted. - -The following illustration shows the traffic protection needs for this design example. - -![design example 1.](images/wfas-designexample1.gif) - -1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. - -2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response. - -3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients don't poll for this unsolicited traffic, but must be able to receive it. - -4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses. - -5. There's no direct communications between the client devices and the WGBank back-end devices. - -6. There's no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. - -7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that don't require an outside server. Firewall rules must block the network traffic created by these programs. - -8. 
The WGBank partner servers can receive inbound requests from partner devices through the Internet. - -Other traffic notes: - -- Devices aren't to receive any unsolicited traffic from any computer other than allowed above. - -- Other outbound network traffic from the client devices not identified in this example is permitted. - -## Design details - - -Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: - -- Client devices that run Windows 11, Windows 10, Windows 8, or Windows 7 - -- WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) - -- WGBank partner servers that run Windows Server 2008 - -- WGBank back-end SQL Server devices that run Windows Server 2008 (there are none in place yet, but their solution must support adding them) - -- Infrastructure servers that run Windows Server 2008 - -- Active Directory domain controllers that run Windows Server 2008 R2 or Windows Server 2012 - -- DHCP servers that run the UNIX operating system - -After the Woodgrove Bank network administrators evaluated these sets of devices, and compared them to the Active Directory organizational unit (OU) structure, they determined that there wasn't a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs won't be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it's applied to the correct devices. - -Setting up groups as described here ensures that you don't have to know what operating system a computer is running before assigning it to a group. 
A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. - -The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups: - -- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices. - - The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also has security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - - - Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. - - - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. 
The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update aren't included, because it's not needed on server devices. - - All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network. - -- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group don't receive the default firewall GPO. Devices are added to this group if there's a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it's a member of this group. - -- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. - -- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. - -- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO. - -- **CG\_FIREWALL\_WINS**. 
This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Defender Firewall with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. - -- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. - -In your own design, create a group for each computer role in your organization that requires different or more firewall rules. For example, file servers and print servers require more rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there's a security reason not to include it there. - -**Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md b/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md deleted file mode 100644 index 741f91081d..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: GPO\_DOMISO\_Boundary -description: This example GPO supports devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# GPO\_DOMISO\_Boundary - - -This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. - -This GPO supports the ability for devices that aren't part of the isolated domain to access specific servers that must be available to those untrusted devices. It's intended to only apply to server devices that are running at least Windows Server 2008. - -## IPsec settings - -The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used. - -## Connection security rules - - -Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that isn't part of the isolated domain connects. - -## Registry settings - - -The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). - -## Firewall rules - - -Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. 
Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. - -Make sure that the GPO that contains firewall rules for the isolated domain doesn't also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. - -**Next:** [Encryption Zone GPOs](encryption-zone-gpos.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md b/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md deleted file mode 100644 index b5d7b1384b..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: GPO\_DOMISO\_Encryption\_WS2008 -description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. -ms.topic: conceptual -ms.prod: windows-client -ms.date: 09/08/2021 ---- - -# GPO\_DOMISO\_Encryption\_WS2008 - - -This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. - -This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It's intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. - -## IPsec settings - - -The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain. The following changes are made to encryption zone copy of the GPO: - -The encryption zone servers require all connections to be encrypted. To do this encryption, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations. - -## Connection security rules - - -Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authentication mode setting on **Require inbound and request outbound**. In this mode, the computer forces authentication for all inbound network traffic, and uses it when it can on outbound traffic. - -## Registry settings - - -The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). 
- -## Firewall rules - - -Copy the firewall rules for the encryption zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 1433 for SQL Server client requests. - -Change the action for every inbound firewall rule from **Allow the connection** to **Allow only secure connections**, and then select **Require the connections to be encrypted**. - -Make sure that the GPO that contains firewall rules for the isolated domain doesn't also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. - -**Next:** [Server Isolation GPOs](server-isolation-gpos.md) - -  - -  - - - - - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md deleted file mode 100644 index 057cf7bdf5..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: GPO\_DOMISO\_Firewall -description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# GPO\_DOMISO\_Firewall - - -This GPO is authored by using the Windows Defender Firewall -with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. - -## Firewall settings - -This GPO provides the following settings: - -- Unless otherwise stated, the firewall rules and settings described here are applied to all profiles. - -- The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed. - -- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. - - >**Note:**  Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices. - -## Firewall rules - -This GPO provides the following rules: - -- Built-in firewall rule groups are configured to support typically required network operation. 
The following rule groups are set to **Allow the connection**: - - - Core Networking - - - File and Printer Sharing - - - Network Discovery - - - Remote Administration - - - Remote Desktop - - - Remote Event Log Management - - - Remote Scheduled Tasks Management - - - Remote Service Management - - - Remote Volume Management - - - Windows Defender Firewall Remote Management - - - Windows Management Instrumentation (WMI) - - - Windows Remote Management - -- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile. - -**Next:** [Isolated Domain GPOs](isolated-domain-gpos.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md deleted file mode 100644 index 1f72fa6064..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ /dev/null 
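Review bot: in gpo-domiso-firewall.md, the built-in rule groups set to 'Allow the connection' (Remote Desktop, Windows Remote Management, WMI, Remote Service Management, Remote Scheduled Tasks Management, Remote Event Log Management, Remote Volume Management, Remote Administration, File and Printer Sharing, Network Discovery) inherit the page's stated default of applying to all profiles, while the lockdown settings (notifications off, local firewall rules and local connection security rules not applied) are limited to the domain profile and explicitly set to Yes for public and private. A client on a public network therefore listens on the full remote-management surface and a local administrator can add further exceptions there; only the WGBank Dashboard.exe rule is scoped to the domain profile. Suggest scoping the management groups to the domain profile (or to 'Allow only secure connections', as the isolation GPOs do) and saying so under 'Firewall rules', or stating explicitly that the all-profiles scope is intentional.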
@@ -1,77 +0,0 @@ ---- -title: GPO\_DOMISO\_IsolatedDomain\_Clients -description: Author this GPO by using Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# GPO\_DOMISO\_IsolatedDomain\_Clients - - -This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. - -Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. - -## General settings - -This GPO provides the following settings: - -- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. - -- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. - -- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This algorithm is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones. - -- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). - -| Setting | Value | -| - | - | -| Enable PMTU Discovery | 1 | -| IPsec Exemptions | 3 | - -- The main mode security method combinations in the order shown in the following table. 
- -| Integrity | Encryption | -| - | - | -| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) | -| SHA-1 | 3DES | - -- The following quick mode security data integrity algorithms combinations in the order shown in the following table. - -| Protocol | Integrity | Key Lifetime (minutes/KB) | -| - | - | - | -| ESP | SHA-1 | 60/100,000 | - -- The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table. - -| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) | -| - | - | - | - | -| ESP | SHA-1 | AES-128 | 60/100,000| -| ESP | SHA-1 | 3DES | 60/100,000| - ->**Note:**  Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. - -## Connection Security Rules - -This GPO provides the following rules: - -- A connection security rule named **Isolated Domain Rule** with the following settings: - - - From **Any IP address** to **Any IP address**. - - - **Require inbound and request outbound** authentication requirements. - - >**Important:**  On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication. - - - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that can't run Windows or can't join the domain, but must still participate in the isolated domain. - - - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box. 
- -- A connection security rule to exempt devices that are in the exemption list from the requirement to authenticate: - - - The IP addresses of all devices on the exemption list must be added individually under **Endpoint 2**. - - - Authentication mode is set to **Do not authenticate**. - -**Next:** [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md deleted file mode 100644 index 2ca05d9120..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ /dev/null 
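Review bot: in gpo-domiso-isolateddomain-clients.md, the main-mode and quick-mode tables specify Diffie-Hellman Group 2, SHA-1 and 3DES, yet the Note beneath them warns only against MD5 and DES, and isolated-domain.md, removed in this same change, tells readers to use 'at least DH4, AES and SHA2'. The two pages contradict each other on the minimum. Wherever this example survives, either raise the tables to the stronger level the guidance intends or label DH Group 2, SHA-1 and 3DES explicitly as compatibility choices for the older Windows versions this GPO targets (Windows 8, 7 and Vista), so that nobody copies them into a current deployment. A smaller inconsistency: the exemption rule here says each exempt device's IP address is added individually under Endpoint 2, while isolated-domain.md says to enter subnet addresses where possible.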
@@ -1,20 +0,0 @@ ---- -title: GPO\_DOMISO\_IsolatedDomain\_Servers -description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# GPO\_DOMISO\_IsolatedDomain\_Servers - - -This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It's intended to only apply to server devices that are running at least Windows Server 2008. - -Because so many of the settings and rules for this GPO are common to those settings and rules in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: - -- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server isn't expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (the example of a server running Windows Server 2008). - - >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device. - -**Next:** [Boundary Zone GPOs](boundary-zone-gpos.md) 
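Review bot: in gpo-domiso-isolateddomain-servers.md, the parenthetical at the end of the profile bullet, '(the example of a server running Windows Server 2008)', is a sentence fragment that doesn't attach to anything; drop it or finish the thought (the Important note that follows already explains the Vista/Server 2008 single-profile behavior the bullet is motivated by). Also, 'After the import, change only the items specified here' introduces a list with a single item; if the profile scope really is the only difference from the client GPO, say so directly rather than implying a longer list.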
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md deleted file mode 100644 index bc7273b8b5..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -title: Isolated Domain GPOs -description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Isolated Domain GPOs - - -All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. - -Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section. - -The GPOs created for the Woodgrove Bank isolated domain include: - -- [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md) - -- [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md deleted file mode 100644 index 9925b88452..0000000000 
--- a/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md +++ /dev/null 
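Review bot: isolated-domain-gpos.md refers to the exclusion group as GP\_DOMISO\_No\_IPsec, while planning-gpo-deployment.md (removed in the same change) calls it CG\_DOMISO\_NO\_IPSEC under every GPO; it is the same group, and the CG\_ prefix matches CG\_DOMISO\_IsolatedDomain used in the preceding sentence. Since these pages are being consolidated, make sure the successor uses one spelling; otherwise a reader building the security filters ends up creating two groups and placing the deny on the wrong one.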
@@ -1,57 +0,0 @@ ---- -title: Isolated Domain -description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Isolated Domain - -**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. - -The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution, the two constructs are similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. - -For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those requirements of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. - -You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. 
Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. - -The GPOs for the isolated domain should contain the following connection security rules and settings. - -## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008 - - -GPOs for devices running at least Windows Vista and Windows Server 2008 should include: - -- IPsec default settings that specify the following options: - - 1. Exempt all ICMP traffic from IPsec. - - 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - - 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - - If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members can't use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. - -- The following connection security rules: - - - A connection security rule that exempts all devices on the exemption list from authentication. 
Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. - - - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. - - >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out.  - -- A registry policy that includes the following values: - - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - - >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -**Next:** [Boundary Zone](boundary-zone.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md deleted file mode 100644 index 438921b4cf..0000000000 
--- a/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ /dev/null 
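Review bot: in isolated-domain.md, the key exchange recommendation 'at least DH4, AES and SHA2' names a Diffie-Hellman group that the Windows Defender Firewall key exchange settings don't offer (the choices are DH Group 1, 2, 14, 24 and ECDH P-256/P-384); DH Group 14 is presumably intended, and the line should say so, because a reader cross-checking against the clients GPO page (which uses DH Group 2) has no way to resolve the number. Separately, the 'Applies to' block lists Windows 10, Windows 11 and Windows Server 2016 and above while the body is organized around 'at least Windows Vista and Windows Server 2008'; the replacement page should settle on one baseline.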
@@ -1,27 +0,0 @@ ---- -title: Mapping your implementation goals to a Windows Firewall with Advanced Security design -description: Mapping your implementation goals to a Windows Firewall with Advanced Security design -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Mapping your implementation goals to a Windows Firewall with Advanced Security design - - -After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. -> [!IMPORTANT] -> The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. - -Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security implementation goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security implementation goals to meet the needs of your organization. 
- -| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | -| - |- | - | - | - | -| [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| -| [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) | -| Yes| Yes| Yes| -| [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)| -| -| Yes| Yes| -| [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional| - -To examine details for a specific design, click the design title at the top of the column in the preceding table. - -**Next:** [Basic Firewall Policy Design](basic-firewall-policy-design.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md deleted file mode 100644 index da42f627c0..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md +++ /dev/null 
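Review bot: in mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md, the closing sentence 'To examine details for a specific design, click the design title at the top of the column in the preceding table' has no target: the four column headers (Basic Firewall Policy Design, Domain Isolation Policy Design, Server Isolation Policy Design, Certificate-based Isolation Policy Design) are plain text, and only the row labels are links. Either link the headers to the design pages (the Next link already points at basic-firewall-policy-design.md) or reword the sentence to point at the design section.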
@@ -1,48 +0,0 @@ ---- -title: Planning Certificate-based Authentication -description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Certificate-based Authentication - - -Sometimes a device can't join an Active Directory domain, and therefore can't use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. - -The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device. - -Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). - -## Deploying certificates - -No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate. - -### Using Active Directory Certificate Services - -If you use AD CS to create your own user and device certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. 
AD CS then uses Group Policy to deploy the certificates to domain member devices. Device certificates are deployed when a domain member device starts. User certificates are deployed when a user logs on. - -If you want non-domain member devices to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each device or user includes enough identification information to enable IPsec to match the certificate to both user and device accounts. - -AD CS automatically ensures that certificates issued by the CAs are trusted by the client devices by putting the CA certificates in the correct store on each domain member device. - -### Using a commercially purchased certificate for devices running Windows - -You can import the certificates manually onto each device if the number of devices is relatively small. For a deployment to more than a handful of devices, use Group Policy. - -You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each device that applies the GPO. - -You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each device that applies the GPO. - -### Using a commercially purchased certificate for devices running a non-Windows operating system - -If you're installing the certificates on an operating system other than Windows, see the documentation for that operating system. - -## Configuring IPsec to use the certificates - -When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. 
The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution. - -Starting in Windows Server 2012, you can configure certificate selection criteria so the desired certificate is selected and/or validated. extended key usage (EKU) criteria can be configured, and name restrictions and certificate thumbprints. This EKU is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. - -**Next:** [Documenting the Zones](documenting-the-zones.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md deleted file mode 100644 index 70214d68c5..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md +++ /dev/null 
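Review bot: in planning-certificate-based-authentication.md, the 'Using a commercially purchased certificate' sections tell the reader to push the vendor's root CA into Trusted Root Certification Authorities and to name that CA in the authentication method, but the controls that actually limit who can authenticate (extended key usage, name restrictions, certificate thumbprints) appear only at the end as an optional Windows Server 2012+ feature. As written, any certificate chaining to that public root, including one issued to an unrelated customer of the same vendor, satisfies the IPsec authentication method. The caveat belongs in the commercial-certificate section itself, with a note that an internal AD CS issuing CA avoids the problem. Also, 'The authentication method requires the subject name of the certificate, for example: DC=com,DC=woodgrovebank,CN=CorporateCertServer' would be clearer as the subject name of the issuing CA certificate, which is what the example DN is.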
@@ -1,24 +0,0 @@ ---- -title: Planning Domain Isolation Zones -description: Learn how to use information you've gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Domain Isolation Zones - - -After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. - -The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic. - -The zones described in this guide include: - -- [Exemption List](exemption-list.md) - -- [Isolated Domain](isolated-domain.md) - -- [Boundary Zone](boundary-zone.md) - -- [Encryption Zone](encryption-zone.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md deleted file mode 100644 index 0370e8cb08..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -title: Planning GPO Deployment -description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning GPO Deployment - - -You can control which GPOs are applied to devices in Active Directory in a combination of three ways: - -- **Active Directory organizational unit hierarchy**. This method involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO. - - Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. - -- **Security group filtering**. This method involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO. - - The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. - -- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a device is a member of the result set when the WMI filter query runs, the GPO is applied to the device. 
- - A WMI filter consists of one or more conditions that are evaluated against the local device. You can check almost any characteristic of the device, its operating system, and its installed programs. If all of the specified conditions are true for the device, the GPO is applied; otherwise the GPO is ignored. - -This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied. - -## General considerations - -- Deploy your GPOs before you add any device accounts to the groups that receive the GPOs. That way you can add your devices to the groups in a controlled manner. Be sure to add only a few test devices at first. Before adding many group members, examine the results on the test devices and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. - -## Test your deployed groups and GPOs - -After you've deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members: - -- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. - -- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. - -- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. - -- Verify that communications are encrypted when the devices require it. 
Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. - -- Verify that your programs are unaffected. Run them and confirm that they still work as expected. - -After you've confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices. - -## Don't enable require mode until deployment is complete - -If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec. - -If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications. - -Only after you've added all of the devices to their zones, and you've confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it's required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they're functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. - -Don't change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. 
- -If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups. - -## Example Woodgrove Bank deployment plans - -Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of devices. All of the GPOs have the User Configuration section disabled to improve performance. - -### GPO\_DOMISO\_Firewall - -- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: - - `select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"` - - >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices running versions of Windows earlier than Windows Vista and Windows Server 2008. - -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. - -### GPO\_DOMISO\_IsolatedDomain\_Clients - -- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: - - `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"` - -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. - -### GPO\_DOMISO\_IsolatedDomain\_Servers - -- **WMI filter**. 
The WMI filter allows this GPO to apply only to devices that match the following WMI query: - - `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - - >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. - -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. - -### GPO\_DOMISO\_Boundary - -- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: - - `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - - >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. - -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. - -### GPO\_DOMISO\_Encryption - -- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: - - `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - - >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. - -- **Security filter**. 
This GPO grants Read and Apply permissions in Group Policy only to devices that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md deleted file mode 100644 index 2dc15edfc9..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ /dev/null 
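Review bot: the hunk ending here removes the only text in this set that spells out the staged rollout ("Don't enable require mode until deployment is complete": server isolation zones first, then the encryption zone, then the isolated domain, with the boundary zone left in request mode) and the `ProductType <> "2"` / `ProductType = "3"` WMI filters that keep domain controllers out of the isolated domain. Before the deletion lands, confirm that the replacement article carries both the rollout order and the domain-controller exclusion, and that a redirect is added for this path, since the planning-to-deploy hunk further down in this same patch still links to `planning-gpo-deployment.md`.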
@@ -1,22 +0,0 @@ ---- -title: Planning Group Policy Deployment for Your Isolation Zones -description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Group Policy Deployment for Your Isolation Zones - - -After you've decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. - -You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you'll ensure that the policies will only apply to the correct devices within each group. - -- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) - -- [Planning Network Access Groups](planning-network-access-groups.md) - -- [Planning the GPOs](planning-the-gpos.md) - -- [Planning GPO Deployment](planning-gpo-deployment.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md deleted file mode 100644 index b58bf3b769..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md +++ /dev/null 
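Review bot: deleting planning-group-policy-deployment-for-your-isolation-zones.md leaves a dangling inbound link unless a redirect is added, because planning-server-isolation-zones.md (also removed in this patch) pointed at it from its "Creating the GPOs" section, and any page outside this diff that linked the four-item list here (`planning-isolation-groups-for-the-zones.md`, `planning-network-access-groups.md`, `planning-the-gpos.md`, `planning-gpo-deployment.md`) will break. The page itself is only a hub with one framing paragraph, so nothing beyond the redirect needs migrating.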
@@ -1,34 +0,0 @@ ---- -title: Planning Isolation Groups for the Zones -description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Isolation Groups for the Zones - - -Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group that represents that zone. - -> [!CAUTION] -> Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. - -Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead. - -The following table lists typical groups that can be used to manage the domain isolation zones discussed in the Woodgrove Bank example in this guide: - -| Group name | Description | -| - | - | -| CG_DOMISO_No_IPsec | A universal group of device accounts that don't participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
    This group is used in security group filters to ensure that GPOs with IPsec rules aren't applied to group members.| -| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
    During the early days of testing, this group might contain only a small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
    Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| -| CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.

    Members of this group receive a GPO that specifies that authentication is requested, but not required.| -| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
    Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections. -| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
    Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
    There will be one group for each set of servers that have different user and device restriction requirements. | - -Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md). - -If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it's more specific. - -**Next:** [Planning Network Access Groups](planning-network-access-groups.md) - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md deleted file mode 100644 index 436bc55bbd..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md +++ /dev/null 
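Review bot: two items in the planning-isolation-groups-for-the-zones.md hunk should survive the deletion if the material is being migrated rather than dropped: the CAUTION "Do not add devices to your groups yet", which explains why a require-mode GPO applied early isolates the device that receives it, and the rule-precedence paragraph ("the rule that most specifically matches the network traffic is the one that is used by the device"), which is the only place the ordering between overlapping request and require rules is stated. While migrating, normalize the group name: this table uses `CG_DOMISO_No_IPsec` while the GPO deployment hunk above uses `CG\_DOMISO\_NO\_IPSEC` for the same group.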
@@ -1,27 +0,0 @@ ---- -title: Planning Network Access Groups -description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Network Access Groups - - -A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. - -Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the devices or users that are granted access. You can optionally split the NAG into two different groups: one for authorized devices and one for authorized users. - -The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership. - -For the Woodgrove Bank scenario, access to the devices running SQL Server which support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They're also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. - -| NAG Name | NAG Member Users, Computers, or Groups | Description | -| - | - | - | -| CG_NAG_*ServerRole*_Users| Svr1AdminA
    Svr1AdminB
    Group_AppUsers
    AppSvcAccount| This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.| -| CG_NAG_*ServerRole*_Computers| Desktop1
    Desktop2
    AdminDT1
    AppAdminDT1| This group contains all devices that are authorized to make inbound IPsec connections to the isolated servers in this zone.| - ->**Note:**  Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. - -**Next:** [Planning the GPOs](planning-the-gpos.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md deleted file mode 100644 index c729611dac..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md +++ /dev/null 
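Review bot: the note at the end of the planning-network-access-groups.md hunk ("Membership in a NAG does not control the level of IPsec traffic protection") is the key caveat on this page, since it is what stops an admin from assuming that a NAG-restricted rule also encrypts; keep it next to the NAG table wherever this content moves. If the Woodgrove paragraph is carried over, fix "the service account that is used to the run the WGBank front end service" ("to the run" should read "to run").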
@@ -1,68 +0,0 @@ ---- -title: Planning Server Isolation Zones -description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Server Isolation Zones - - -Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. - -The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices. - -To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This invocation causes IKE to use Kerberos V5 to exchange credentials with the server. The other firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device isn't a member of a required NAG, then the network connection is refused. - -## Isolated domains and isolated servers - -If you're using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. 
The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user. - -If you aren't using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. - -## Creating multiple isolated server zones - -Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone. - -## Creating the GPOs - -Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. - -An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members. - -### GPO settings for isolated servers running at least Windows Server 2008 - -GPOs for devices running at least Windows Server 2008 should include: - ->**Note:**  The connection security rules described here are identical to the ones for the encryption zone. 
If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. - -- IPsec default settings that specify the following options: - - 1. Exempt all ICMP traffic from IPsec. - - 2. Key exchange (main mode) security methods and algorithm. We recommend that you don't include Diffie-Hellman Group 1, DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - - 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. - - If any NAT devices are present on your networks, don't use AH because it can't traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. - - 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Don't make the user-based authentication method mandatory, or else devices that can't use AuthIP instead of IKE, including Windows XP and Windows Server 2003, can't communicate. 
Likewise, if any of your domain isolation members can't use Kerberos V5, include certificate-based authentication as an optional authentication method. - -- The following connection security and firewall rules: -s - - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - - - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. - - >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. - - - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both device and user network access groups. - -- A registry policy that includes the following values: - - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - - >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -**Next:** [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md deleted file mode 100644 index 98e6a224a8..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ /dev/null 
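Review bot: the planning-server-isolation-zones.md hunk carries the cryptographic and interoperability guidance for isolated servers (do not include Diffie-Hellman Group 1, DES, or MD5; do not use AH where NAT devices are present; keep user-based Kerberos V5 authentication optional so AuthIP-incapable hosts can still connect; begin with request in/request out before switching to require in/request out), and the page it links for the registry template, `appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md`, is not deleted in this diff, so it loses its inbound reference. Confirm the replacement article retains those recommendations; if the text is migrated, drop the stray `s` line that sits between "The following connection security and firewall rules:" and its first sub-bullet.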
@@ -1,44 +0,0 @@ ---- -title: Planning Settings for a Basic Firewall Policy -description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Settings for a Basic Firewall Policy - - -After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. - -The following list is that of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: - -- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they aren't on the organization's network, you can't fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. - - >**Important:**  We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices. - -- **Firewall state: On**. 
We recommend that you prevent the user from turning it off. - -- **Default behavior for Inbound connections: Block**. We recommend that you enforce the default behavior of blocking unsolicited inbound connections. To allow network traffic for a specific program, create an inbound rule that serves as an exception to this default behavior. - -- **Default behavior for Outbound connections: Allow**. We recommend that you enforce the default behavior of allowing outbound connections. - -- **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise. - -- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this setting to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows doesn't create a new firewall rule and the traffic remains blocked. - - If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs, then you can set this value to **No**. - -- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. - -- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions. - -- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. 
For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program can't receive unexpected traffic on a different port. - - Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they don't open up more ports than are required. - - >**Important:**  If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. - -- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs. - -**Next:** [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md deleted file mode 100644 index 88716eaf2a..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md +++ /dev/null 
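Review bot: the baseline in the planning-settings-for-a-basic-firewall-policy.md hunk (Firewall state On and not user-changeable, inbound Block, outbound Allow, "Apply local connection security rules: No", logging to a size-capped file such as 4096 KB, program-plus-port inbound rules, and the warning that **RPC Endpoint Mapper** / **Dynamic RPC** rules admit all inbound RPC because the firewall cannot filter on the destination UUID) is the part of this page administrators copy into a client hardening policy; make sure each setting and its rationale has a home in the replacement before this file is removed, and add a redirect for the path.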
@@ -1,51 +0,0 @@ ---- -title: Planning the GPOs -description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning the GPOs - - -When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. - -## General considerations - -A few things to consider as you plan the GPOs: - -- Don't allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This receipt of multiple GPOs can result in unexpected, and difficult to troubleshoot behavior. - - The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones. - -- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The devices will negotiate down from the top of their lists, selecting one that is configured on both devices. - -- The primary difference in your domain isolation GPOs is whether the rules request or require authentication. - - >**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. 
After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. - -- Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. - -*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10 and Windows 11. - - > [!NOTE] - > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. 
- -After you consider these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. - -## Woodgrove Bank example GPOs - -The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. - -In this section you can find information about: - -- [Firewall GPOs](firewall-gpos.md) - -- [Isolated Domain GPOs](isolated-domain-gpos.md) - -- [Boundary Zone GPOs](boundary-zone-gpos.md) - -- [Encryption Zone GPOs](encryption-zone-gpos.md) - -- [Server Isolation GPOs](server-isolation-gpos.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md deleted file mode 100644 index 7e7bff476d..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ /dev/null 
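Review bot: the planning-the-gpos.md hunk removes a second copy of the request-before-require caution that also appears in the GPO deployment hunk at the top of this patch; consolidating to one copy is fine, but keep one, and keep the one-device-one-zone rule ("Don't allow a device to be a member of more than one isolation zone") with it. The "In this section you can find information about" list links `firewall-gpos.md`, `isolated-domain-gpos.md`, `boundary-zone-gpos.md`, `encryption-zone-gpos.md`, and `server-isolation-gpos.md`, none of which is deleted in this diff, so those pages lose their parent unless the replacement article links them. The asterisked "Windows Defender Firewall* in Windows Vista and Windows Server 2008" paragraph and its footnote are legacy-only and can be dropped; the Windows 7 / Windows Server 2008 R2 note already states the per-adapter profile behavior that applies to supported versions.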
@@ -1,54 +0,0 @@ ---- -title: Plan to Deploy Windows Defender Firewall with Advanced Security -description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning to Deploy Windows Defender Firewall with Advanced Security - - -After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. - -## Reviewing your Windows Defender Firewall with Advanced Security Design - -If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure the deployment team reviews the final design with the design team. Review the following information before starting your deployment. - -### Decide which devices apply to which GPO - -The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. 
The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide: - -- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) - -- [Planning the GPOs](planning-the-gpos.md) - -- [Planning GPO Deployment](planning-gpo-deployment.md) - -### Configure communication between members and devices - -Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that aren't part of the isolated domain or members of the isolated domain's exemption list. - -### Exempt domain controllers from IPsec authentication requirements - -It's recommended that domain controllers are exempt from IPsec authentication requirements. If they aren't exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. - -### Configure IPsec authentication rules - -The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior. Communications can continue while the authentication failures are investigated. - -### Make sure all devices can communicate with each other - -For all devices to communicate with each other, they must share a common set of: - -- Authentication methods - -- Main mode key exchange algorithms - -- Quick mode data integrity algorithms - -If at least one set of each doesn't match between two devices, then the devices can't successfully communicate. 
- -## Deploy your Windows Firewall Design Plan - -After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md deleted file mode 100644 index e048764374..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ /dev/null 
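Review bot: the deletion of planning-to-deploy-windows-firewall-with-advanced-security.md removes the only page in this batch that states three deploy-time safeguards (exempt domain controllers from IPsec authentication so clients can still pull Group Policy, run connection security rules in request mode until negotiation is confirmed working, and make sure peers share an authentication method, a main mode key exchange algorithm and a quick mode integrity algorithm), and its redirect entry later in this series points at cc947826(v=ws.10), an archived Windows Server 2008 R2 page; confirm that the surviving design guidance still carries these points, otherwise the first failed IPsec negotiation during a rollout becomes a lockout with no warning left in this repo. The page also links to implementing-your-windows-firewall-with-advanced-security-design-plan.md, which has no redirect entry in this series; if that page is retired as well it needs an entry, and if it stays, its links back to the deleted planning pages should be updated rather than left to resolve through redirects.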
@@ -1,84 +0,0 @@ ---- -title: Planning Your Windows Defender Firewall with Advanced Security Design -description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Planning Your Windows Defender Firewall with Advanced Security Design - - -After you've gathered the relevant information in the previous sections, and understood the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. - -## Basic firewall design - -We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. - -When you're ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. - -## Algorithm and method support and selection - -To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, and their relative strengths. - -## IPsec performance considerations - -Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. 
This reduction is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. - -IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This configuration frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. - -## Domain isolation design - - -Include this design in your plans: - -- If you have an Active Directory domain of which most of the devices are members. - -- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that aren't part of the domain. - -If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you're sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you're troubleshooting. - -When you're ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. - -## Server isolation design - - -Include this design in your plans: - -- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices. - -- You aren't deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices. 
- -If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the other server isolation elements. - -When you're ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section. - -## Certificate-based authentication design - - -Include this design in your plans: - -- If you want to implement some of the elements of domain or server isolation on devices that aren't joined to an Active Directory domain, or don't want to use domain membership as an authentication mechanism. - -- You have an isolated domain and want to include a server that isn't a member of the Active Directory domain because the device isn't running Windows, or for any other reason. - -- You must enable external devices that aren't managed by your organization to access information on one of your servers in a secure way. - -If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it. - -When you're ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. - -## Documenting your design - -After you finish selecting the designs that you'll use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - -- [Documenting the Zones](documenting-the-zones.md) - -## Designing groups and GPOs - - -After you've selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you'll use to apply the settings and rules to your devices. 
- -When you're ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. - -**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md deleted file mode 100644 index 8ac3b50872..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md +++ /dev/null 
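Review bot: the deletion of planning-your-windows-firewall-with-advanced-security-design.md drops the "Algorithm and method support and selection" and "IPsec performance considerations" sections (the 4.5 Gbps versus roughly 9.2 Gbps with IPsec task offload comparison on a 10 Gbps link) together with the advice to deploy firewall policies first and start connection security rules in request mode; the redirect entry for this file targets cc730841(v=ws.10), so check before merging that the archived page actually contains the same sections, because a redirect that lands on a page without them loses the content silently. The page also links to protect-devices-from-unwanted-network-traffic.md, which has no redirect entry in this batch; either that file is being kept, or it needs an entry in a later batch of the same PR.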
@@ -1,27 +0,0 @@ ---- -title: Server Isolation GPOs -description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Server Isolation GPOs - -Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The *Woodgrove Bank* example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. *Woodgrove Bank* copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. - -All of the device accounts for devices in the SQL Server server isolation zone are added to the group *CG_SRVISO_WGBANK_SQL*. This group is granted **Read** and **Apply Group Policy** permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices aren't expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. - -## GPO_SRVISO - -This GPO is identical to the *GPO_DOMISO_Encryption* GPO with the following changes: - -- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs-granted permissions include *CG_NAG_SQL_Users* and *CG_NAG_SQL_Computers*. - -## Next steps - -> [!div class="nextstepaction"] -> Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. -> -> -> [Plan GPO Deployment >](planning-gpo-deployment.md) 
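Review bot: server-isolation-gpos.md carries `ms.date: 11/10/2023`, the same day as the redirect commit in this series (Fri, 10 Nov 2023), so the page was refreshed and removed in the same window; if that refresh is an earlier patch in this PR, drop it so the history is just the deletion plus the redirect. This page is also where the example's NAG wiring is spelled out (GPO_SRVISO cloned from GPO_DOMISO_Encryption, filtered to CG_SRVISO_WGBANK_SQL, with CG_NAG_SQL_Users and CG_NAG_SQL_Computers added on the Users and Computers tab of the encryption-enforcing rule), and the redirect for it targets cc732486(v=ws.10); that is acceptable only if the archived page still lists those group names, otherwise the design example that restates them loses its concrete GPO reference.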
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md deleted file mode 100644 index 2a049a459f..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -title: Server Isolation Policy Design Example -description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Server Isolation Policy Design Example - -This design example continues to use the fictitious company *Woodgrove Bank*, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. - -In addition to the protections provided by the firewall and domain isolation, *Woodgrove Bank* wants to provide extra protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. These rules and regulations include a requirement to prevent interception of and access to the information when it is in transit over the network. - -The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, aren't considered sensitive for the purposes of the government regulations, because they're processed to remove sensitive elements before transmitting the data to the client devices. - -In this guide, the examples show server isolation layered on top of a domain isolation design. If you have an isolated domain, the client devices are already equipped with GPOs that require authentication. You only have to add settings to the isolated server(s) to require authentication on inbound connections, and to check for membership in the NAG. The connection attempt succeeds only if NAG membership is confirmed. 
- -## Server isolation without domain isolation - -Server isolation can also be deployed by itself, to only the devices that must participate. The GPO on the server is no different from the one discussed in the previous paragraph for a server in an existing isolated domain. The difference is that you must also deploy a GPO with supporting connection security rules to the clients that must be able to communicate with the isolated server. Because those devices must be members of the NAG, that group can also be used in a security group filter on the client GPO. That GPO must contain rules that support the authentication requirements of the isolated server. - -In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG. - -If you don't have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you don't have an Active Directory domain, you can't use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. - -## Design requirements - -In addition to the protection provided by the firewall rules and domain isolation described in the previous design examples, the network administrators want to implement server isolation to help protect the sensitive data stored on the devices that run SQL Server. - -The following illustration shows the traffic protection needs for this design example. - -![isolated server example.](images/wfas-design3example1.gif) - -1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. These accounts include the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. 
In addition, access is only granted when it's sent from an authorized computer. Authorization is determined by membership in a network access group (NAG) -1. All network traffic to and from the SQL Server devices must be encrypted -1. Client devices or users whose accounts aren't members of the NAG can't access the isolated servers - -### Other traffic notes - -- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced -- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced - -## Design details - -*Woodgrove Bank* uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network. - -As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all devices that run Windows were added to the correct groups. - -- **CG_SRVISO_WGBANK_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG_NAG_SQL_USERS can access the server, and only when they're using a computer that is a member of the group CG_NAG_SQL_COMPUTERS. - - > [!NOTE] - > You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. 
However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. - - Network access groups (NAGs) aren't used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. - -- **CG_NAG_SQL_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers. -- **CG_NAG_SQL_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members. - -> [!NOTE] -> You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. - -If Woodgrove Bank wants to implement server isolation without domain isolation, the *CG_NAG_SQL_COMPUTERS* group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this task, all the devices that are authorized to access the isolated server also have the required connection security rules. 
- -You don't have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contains connection security rules to support encryption. - -> [!div class="nextstepaction"] -> -> [Certificate-based Isolation Policy Design Example >](certificate-based-isolation-policy-design-example.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md deleted file mode 100644 index c3a7d7762f..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md +++ /dev/null 
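Review bot: the deletion of server-isolation-policy-design-example.md leaves images/wfas-design3example1.gif with no remaining reference anywhere in this diff; unless another page still uses it, remove the image in the same change so the repo does not keep orphaned assets. Separately, this page is the one that states the two constraints a practitioner needs when doing server isolation without domain isolation (no Active Directory means no Kerberos V5, so certificates must be referenced in the connection security rules, and older Windows versions support only one active IPsec policy, so the per-zone GPOs must be complete rather than layered, with a periodic script to catch devices in more than one mutually exclusive group); that rationale is not repeated in the other deleted pages, and the redirect entry for this file is cut off at the end of the visible hunk, so confirm the target page covers it.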
@@ -1,44 +0,0 @@ ---- -title: Server Isolation Policy Design -description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Server Isolation Policy Design - -In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). - -This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have more security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. These restrictions and requirements can be done on a per-server basis, or for a group of servers that share common security requirements. - -You can implement a server isolation design without using domain isolation. To do this implementation, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the devices that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and devices can access the isolated server are also used to determine which devices receive the GPO. - -The design is shown in the following illustration, with arrows that show the permitted communication paths. 
- -![isolated domain with isolated server.](images/wfas-domainisohighsec.gif) - -Characteristics of this design include: - -- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones. -- Isolated servers (area B) - Devices in the server isolation zones restrict access to devices, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. -- Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. The diagram illustrates the concept as a subset for conceptual purposes only. - -To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. - -> [!IMPORTANT] -> This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. - -This design can be applied to devices that are part of an Active Directory forest. 
Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. - -For more info about this design: - -- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). -- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). -- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). - -> [!div class="nextstepaction"] -> -> [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) From 12135b28d4417998cde72ed92f9fbd50f5cf1ab9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 10 Nov 2023 16:55:06 -0500 Subject: [PATCH 078/114] batch1 redirects --- ...blishing.redirection.windows-security.json | 179 +++++++++++++++++- 1 file changed, 177 insertions(+), 2 deletions(-) 
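Review bot: server-isolation-policy-design.md links to six pages that have no redirect entry in the hunk that follows (protect-devices-from-unwanted-network-traffic.md, restrict-access-to-only-trusted-devices.md, restrict-access-to-only-specified-users-or-devices.md, require-encryption-when-accessing-sensitive-network-resources.md, designing-a-windows-firewall-with-advanced-security-strategy.md, checklist-implementing-a-standalone-server-isolation-policy-design.md) plus images/wfas-domainisohighsec.gif; if those pages are retired in a later batch, add their entries in the same PR so the docset never ships between batches with links that resolve to nothing, and if they stay, their inbound links to the deleted pages should be updated, and the image removed if it is now unreferenced. The redirect for this page targets jj721528(v=ws.11) (the Windows Server 2012 R2 archive) while most sibling pages target ws.10 (2008 R2); that mix is fine if the ws.11 copy is the newer one, but it should be deliberate, since this is the page that defines which authentication modes (computer, or computer plus user) a NAG-gated rule needs and a reader following the redirect should land on the most current archived version.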
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index e573ac4d0a..e2ccdbad58 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
@@ -7479,6 +7479,181 @@ "source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md", "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption", "redirect_document_id": false - } + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721530(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725978(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770729(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731463(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771822(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753825(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725818(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732933(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753367(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770426(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732202(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771233(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731164(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md", + 
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770565(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754085(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731123(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770836(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731908(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731788(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731447(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721532(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730835(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771044(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771733(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732752(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725693(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771664(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732615(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754986(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771716(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947826(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730841(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732486(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721528(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)", + "redirect_document_id": false + } ] -} \ No newline at end of file +} From 54a3c8ed3933bfeb0c5a2046d78f70f84d904829 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 07:23:01 -0500 Subject: [PATCH 079/114] batch 2 --- ...blishing.redirection.windows-security.json | 122 +++++++++++++++++- .../network-security/windows-firewall/TOC.yml | 64 --------- ...e-files-for-settings-used-in-this-guide.md | 87 ------------- ...ist-configuring-basic-firewall-settings.md | 17 --- ...uring-rules-for-an-isolated-server-zone.md | 32 ----- ...rs-in-a-standalone-isolated-server-zone.md | 31 ----- ...configuring-rules-for-the-boundary-zone.md | 23 ---- ...nfiguring-rules-for-the-encryption-zone.md | 24 ---- ...nfiguring-rules-for-the-isolated-domain.md | 27 ---- ...checklist-creating-group-policy-objects.md | 34 ----- ...ecklist-creating-inbound-firewall-rules.md | 19 --- ...cklist-creating-outbound-firewall-rules.md | 20 --- ...ts-of-a-standalone-isolated-server-zone.md | 24 ---- ...ementing-a-basic-firewall-policy-design.md | 28 ---- ...rtificate-based-isolation-policy-design.md | 22 ---- ...enting-a-domain-isolation-policy-design.md | 26 ---- ...andalone-server-isolation-policy-design.md | 25 ---- ...with-advanced-security-deployment-goals.md | 24 ---- ...wall-with-advanced-security-design-plan.md | 41 ------ ...t-devices-from-unwanted-network-traffic.md | 36 ------ ...n-accessing-sensitive-network-resources.md | 34 ----- ...cess-to-only-specified-users-or-devices.md | 38 ------ ...restrict-access-to-only-trusted-devices.md | 49 ------- ...l-with-advanced-security-design-process.md | 24 ---- ...with-advanced-security-deployment-guide.md | 50 ------- ...all-with-advanced-security-design-guide.md | 93 ------------- 26 files changed, 121 insertions(+), 893 deletions(-) delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md delete mode 100644 
windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md delete mode 100644 
windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index e2ccdbad58..835e7d0d31 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
@@ -7654,6 +7654,126 @@ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)", "redirect_document_id": false - } + } + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770289(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947845(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947794(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947848(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947836(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947800(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947783(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947791(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947799(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947827(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947819(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717261(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717238(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717284(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717277(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732023(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717256(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772556(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770865(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753064(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725659(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731951(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717241(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)", + "redirect_document_id": false + } ] } diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml index ab921f1437..7645d9d0ab 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml 
+++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml 
@@ -1,46 +1,6 @@ items: - name: Overview href: windows-firewall-with-advanced-security.md - - name: Plan deployment - items: - - name: Design guide - href: windows-firewall-with-advanced-security-design-guide.md - - name: Design process - href: understanding-the-windows-firewall-with-advanced-security-design-process.md - - name: Implementation goals - items: - - name: Identify implementation goals - href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md - - name: Protect devices from unwanted network traffic - href: protect-devices-from-unwanted-network-traffic.md - - name: Restrict access to only trusted devices - href: restrict-access-to-only-trusted-devices.md - - name: Require encryption - href: require-encryption-when-accessing-sensitive-network-resources.md - - name: Restrict access - href: restrict-access-to-only-specified-users-or-devices.md - - name: Deployment guide - items: - - name: Deployment overview - href: windows-firewall-with-advanced-security-deployment-guide.md - - name: Implement your plan - href: implementing-your-windows-firewall-with-advanced-security-design-plan.md - - name: Basic firewall deployment - items: - - name: "Checklist: Implement a basic firewall policy design" - href: checklist-implementing-a-basic-firewall-policy-design.md - - name: Domain isolation deployment - items: - - name: "Checklist: Implement a Domain Isolation Policy Design" - href: checklist-implementing-a-domain-isolation-policy-design.md - - name: Server isolation deployment - items: - - name: "Checklist: Implement a Standalone Server Isolation Policy Design" - href: checklist-implementing-a-standalone-server-isolation-policy-design.md - - name: Certificate-based authentication - items: - - name: "Checklist: Implement a Certificate-based Isolation Policy Design" - href: checklist-implementing-a-certificate-based-isolation-policy-design.md - name: Best practices items: - name: Configure the firewall 
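Review bot: removing the whole "Plan deployment" subtree leaves only the "Overview" node ahead of "Best practices", so the retained `windows-firewall-with-advanced-security.md` overview page should be checked for relative links to the design guide, design process and the four implementation-goal pages (`protect-devices-from-unwanted-network-traffic.md`, `restrict-access-to-only-trusted-devices.md`, `require-encryption-when-accessing-sensitive-network-resources.md`, `restrict-access-to-only-specified-users-or-devices.md`). Once those files are gone, any such link works only through the redirection JSON, and the build's link checker will flag them as broken relative paths; either rewrite them to the archive URLs or drop them in the same PR.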
@@ -131,30 +91,6 @@ items: href: turn-on-windows-firewall-and-configure-default-behavior.md - name: Verify Network Traffic href: verify-that-network-traffic-is-authenticated.md - - name: References - items: - - name: "Checklist: Create Group Policy objects" - href: checklist-creating-group-policy-objects.md - - name: "Checklist: Create inbound firewall rules" - href: checklist-creating-inbound-firewall-rules.md - - name: "Checklist: Create outbound firewall rules" - href: checklist-creating-outbound-firewall-rules.md - - name: "Checklist: Configure basic firewall settings" - href: checklist-configuring-basic-firewall-settings.md - - name: "Checklist: Configure rules for the isolated domain" - href: checklist-configuring-rules-for-the-isolated-domain.md - - name: "Checklist: Configure rules for the boundary zone" - href: checklist-configuring-rules-for-the-boundary-zone.md - - name: "Checklist: Configure rules for the encryption zone" - href: checklist-configuring-rules-for-the-encryption-zone.md - - name: "Checklist: Configure rules for an isolated server zone" - href: checklist-configuring-rules-for-an-isolated-server-zone.md - - name: "Checklist: Configure rules for servers in a standalone isolated server zone" - href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md - - name: "Checklist: Create rules for clients of a standalone isolated server zone" - href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md - - name: "Appendix A: Sample GPO template files for settings used in this guide" - href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md - name: Troubleshooting items: - name: Troubleshoot UWP app connectivity issues in Windows Firewall 
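Review bot: the deleted "References" checklists were reached not only from this TOC but from the procedure pages that stay in the tree, so a repo-wide search for links to `checklist-` and `appendix-a-sample-gpo-template-files-` targets is needed before merge. The remaining context here (`turn-on-windows-firewall-and-configure-default-behavior.md`, `verify-that-network-traffic-is-authenticated.md`) and the procedures the checklists referenced (`copy-a-gpo-to-create-a-new-gpo.md`, `create-an-authentication-request-rule.md`, `restrict-server-access-to-members-of-a-group-only.md`) are exactly the pages that usually carry "related topics" back-links to the checklists, and those would now dangle. The hunk header `@@ -131,30 +91,6 @@` is consistent with the 40 lines removed in the first hunk, so the YAML itself looks intact.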
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md deleted file mode 100644 index 03fe642a1d..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -title: Appendix A Sample GPO Template Files for Settings Used in this Guide -description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Appendix A: sample GPO template files for settings used in this guide - -You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). - -To manually create the file, build the settings under **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry**. After you create the settings, drag the container to the desktop. An .xml file is created there. - -To import an .xml file to GPMC, drag it and drop it on the **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry** node. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide. - -The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply. - -> [!NOTE] -> The file shown here is for sample use only. It should be customized to meet the requirements of your organization's deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. - -```xml - - - - - - - - - - - - - - - - - -``` 
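Review bot: the `xml` sample in this deleted appendix is the only copy in the tree of the GPO preference file that applies the six registry keys with item-level targeting, and the block renders empty in this view, so the reviewer cannot confirm that the archived redirect target (cc770289, added in the redirection hunk above) still carries an equivalent sample. Suggest verifying that before deleting; if the archived page has no sample, keeping a trimmed version of this file (or moving the XML into one of the retained procedure pages) would avoid losing the only worked example of those settings. The description line also has a dropped word ("Use sample template files import an XML file"), which becomes moot once the page is removed.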
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md deleted file mode 100644 index 9b1d50eb96..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Checklist Configuring Basic Firewall Settings -description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: configure basic firewall settings - -This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules: - -| Task | Reference | -| - | - | -| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| -| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | -| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)| 
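Review bot: this checklist is where three hardening defaults are presented as one unit: setting the default inbound and outbound behavior, suppressing blocked-program notifications together with ignoring locally defined firewall and connection security rules, and turning on the firewall log. With the page deleted, the retained procedure pages it links (`turn-on-windows-firewall-and-configure-default-behavior.md`, `configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md`, `configure-the-windows-firewall-log.md`) are the only place a reader will now see them, so please confirm that the "ignore locally defined rules" recommendation, which is the setting that prevents local rules from being applied alongside the GPO rules, and the logging recommendation, which is what makes later rule troubleshooting possible, are stated on those pages rather than only in this removed table.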
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md deleted file mode 100644 index eeacecbac9..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Checklist Configuring Rules for an Isolated Server Zone -description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: configure rules for an isolated server zone - -The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). - -In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they're enforced at the application layer, rather than the IP layer. - -The GPOs for an isolated server or group of servers are similar to those GPOs for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules and restrictions that allow only members of the NAG to connect to the server. - -| Task | Reference | -| - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
    Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO's element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone's membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Create a rule that requests authentication for all network traffic.
    **Important:** As in an isolated domain, don't set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| -| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | - -Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md deleted file mode 100644 index e9eccb33bf..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ /dev/null 
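Review bot: two pieces of failure-mode guidance in this deleted checklist are not procedure steps and so have no other obvious home: the **Important** note that rules should only request, not require, authentication for inbound traffic until testing is complete (so a failed authentication does not cut off communications), and the caveat that when user accounts are placed in the NAG the restriction is enforced at the application layer rather than the IP layer. Before merging, check that the retained pages `create-an-authentication-request-rule.md` and `restrict-server-access-to-members-of-a-group-only.md` carry those two statements; if they do not, readers following the remaining procedures will switch to require mode, or rely on user-based NAG membership, without the warning. The closing line "Don't change the rules for any of your zones to require authentication until all of the zones have been set up" is the same sequencing rule and should survive somewhere in the retained tree.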
@@ -1,31 +0,0 @@ ---- -title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone -description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: configure rules for servers in a standalone isolated server zone - -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). - -The GPOs for isolated servers are similar to those GPOs for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. - -| Task | Reference | -| - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | -| Create a rule that requests authentication for all inbound network traffic.

    **Important:** As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| -| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | -| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone's NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| - -Don't change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. 
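Review bot: the authentication-request row's callout ("don't set the rules to require authentication until your testing is complete") and the closing line ("Don't change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested") are the only statements in this checklist of the safe ordering: request first, require only after the NAG row ("Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone's NAG") and the optional encryption row have been verified. If this page is being consolidated rather than dropped, carry both sentences into the replacement, since flipping the rule to require before the NAG and encryption settings are confirmed cuts off access to the isolated servers. Also confirm that a redirect target exists for the deleted path so existing links to it do not break.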
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md deleted file mode 100644 index 2196325d31..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -title: Checklist Configuring Rules for the Boundary Zone -description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: configure rules for the boundary zone - -The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. - -Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. - -This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs. - -| Task | Reference | -| - | - | -| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. 
Unlike the GPO for the main isolated domain zone, this copy isn't changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | -| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md deleted file mode 100644 index 8916500bda..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: Checklist Configuring Rules for the Encryption Zone -description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: configure rules for the encryption zone - -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. - -Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. - -This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. - -| Task | Reference | -| - | - | -| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| Modify the group memberships and WMI filters so that they're correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. 
| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md deleted file mode 100644 index 51f6cb3c93..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: Checklist Configuring Rules for the Isolated Domain -description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: configure rules for the isolated domain - -The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. - -| Task | Reference | -| - | - | -| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| Verify that the connection security rules are protecting network traffic to and from the test computers. 
| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| - -Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md deleted file mode 100644 index c9a715cfbc..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: Checklist Creating Group Policy Objects -description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: Create group policy objects (GPOs) - -To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group. - -The checklists for firewall, domain isolation, and server isolation include a link to this checklist. - -## About membership groups - -For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. 
- -## About exclusion groups - -A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that can't or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it's easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. - -You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. - -| Task | Reference | -| - | - | -| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| -| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| -| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | -| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | -| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | -| If you're working on a GPO that was copied from another, modify the group memberships and WMI filters so that they're correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | -| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | 
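Review bot: the "About exclusion groups" paragraph being removed is the only place in this set of checklists that explains why the exclusion mechanism works ("Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO") and which devices belong there (domain controllers, DHCP servers, and DNS servers). If the content is moving elsewhere, keep that paragraph next to the "Assign Security Group Filters to the GPO" task; without it an administrator has no cue to deny Apply Group Policy to the infrastructure servers that the text says "can't or must not apply the rules and settings in the GPOs". The table ordering itself (link the GPO, then add a few test devices before adding any rules) is correct and needs no change.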
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md deleted file mode 100644 index 5afd360e1a..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Checklist Creating Inbound Firewall Rules -description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: create inbound firewall rules - -This checklist includes tasks for creating firewall rules in your GPOs. - -| Task | Reference | -| - | - | -| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| -| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| -| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| -| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| -| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md deleted file mode 100644 index d6d1525053..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -title: Checklist Creating Outbound Firewall Rules -description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: create outbound firewall rules - -This checklist includes tasks for creating outbound firewall rules in your GPOs. - -> [!IMPORTANT] -> By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization's network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. - -| Task | Reference | -| - | - | -| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| -| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| -| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| 
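Review bot: the IMPORTANT callout being deleted carries a sequencing constraint that any replacement content should keep intact: create outbound allow rules for the applications approved on the network first, and only then "set the default outbound behavior to block". Stated the other way round (block by default, then add allow rules) it would cut off every approved application until its rule exists. Suggest keeping the allow-rule recommendation and the default-to-block option in the same paragraph rather than splitting them across tasks.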
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md deleted file mode 100644 index 4d8a44fecc..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Create Rules for Standalone Isolated Server Zone Clients -description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: Create rules for clients of a standalone isolated server zone - -This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. - -| Task | Reference | -| - | - | -| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | -| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| -| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| -| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test devices to the NAG for the isolated server zone. 
Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md deleted file mode 100644 index 3d970485cf..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: Checklist Implementing a Basic Firewall Policy Design -description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: implement a basic firewall policy design - -This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. - -> [!NOTE] -> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). - -| Task | Reference | -| - | - | -| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Basic Firewall Policy Design](basic-firewall-policy-design.md)
    [Firewall Policy Design Example](firewall-policy-design-example.md)
    [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
    [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| -| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| -| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| -| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| -| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| 
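Review bot: the two rows "Create the membership group and a GPO for each set of devices ... then make a copy of the GPO for the other version of Windows" and "If you are working on a GPO that was copied from another, modify the group membership and WMI filters" form one procedure, and the second row is what prevents the copy from being applied to the same devices as the original; any replacement content should keep them adjacent and in this order. The same applies to the last two rows, which gate production membership ("add device accounts to the membership group to deploy the completed firewall policy settings") behind the test-device confirmation. Also confirm that the PowerShell page this checklist points to (windows-firewall-with-advanced-security-administration-with-windows-powershell.md) is not removed in the same patch without a redirect, since the replacement text will presumably still reference it.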
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md deleted file mode 100644 index edbfae8e7f..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Checklist Implementing a Certificate-based Isolation Policy Design -description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: implement a certificate-based isolation policy design - -This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. - -> [!NOTE] -> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist - -| Task | Reference | -| - | - | -| Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
    [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
    [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | -| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| | -| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| -| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| -| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md deleted file mode 100644 index 46079fc693..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: Checklist Implementing a Domain Isolation Policy Design -description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: implementing a domain isolation policy design - -This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. - -> [!NOTE] -> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). - -| Task | Reference | -| - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Domain Isolation Policy Design](domain-isolation-policy-design.md)
    [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
    [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | -| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| -| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| -| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| -| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| -| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| -| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md deleted file mode 100644 index 7596ee7611..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: Checklist Implementing a Standalone Server Isolation Policy Design -description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 11/10/2023 ---- - -# Checklist: implementing a standalone server isolation policy design - -This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). - -This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. - -> [!NOTE] -> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -| Task | Reference | -| - | - | -| Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
    [Server Isolation Policy Design](server-isolation-policy-design.md)
    [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
    [Planning Server Isolation Zones](planning-server-isolation-zones.md) | -| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| -| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| -| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| -| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| -| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md deleted file mode 100644 index c36d7effdf..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment -description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Identifying Windows Defender Firewall with Advanced Security implementation goals - -Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. 
- -The following table lists the three main tasks for articulating, refining, and later documenting your Windows Defender Firewall implementation goals: - - -| Deployment goal tasks | Reference links | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Evaluate predefined Windows Defender Firewall with Advanced Security implementation goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined implementation goals:

    • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
    • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
    • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
    • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
    | -| Map one goal or a combination of the predefined implementation goals to an existing Windows Defender Firewall with Advanced Security design. |
    • [Mapping Your implementation goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
    | -| Based on the status of your current infrastructure, document your implementation goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
    • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
    • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
    | - -
    - -**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md deleted file mode 100644 index 8f0342581b..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan -description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Implementing Your Windows Defender Firewall with Advanced Security Design Plan - - -The following are important factors in the implementation of your Windows Defender Firewall design plan: - -- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. - -- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. - -- **Devices running operating systems other than Windows**. If your network includes devices that aren't running the Windows operating system, then you must make sure that required communication with those devices isn't blocked by the restrictions put in place by your design. You must implement one of the following steps: - - - Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. - - - Include the device in the authentication exemption list included in your design. 
You can choose this option if for any reason the device can't participate in the isolated domain design. - -## How to implement your Windows Defender Firewall with Advanced Security design using this guide - - -The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. - -![wfas implementation.](images/wfas-implement.gif) - -Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design. - -- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) - -- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) - -- [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) - -- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) - -The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. 
For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md deleted file mode 100644 index ee0412021e..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: Protect devices from unwanted network traffic -description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 01/18/2022 ---- - -# Protect devices from unwanted network traffic - - -Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall can't protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable devices are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. - -Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/security-intelligence-report). - -Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide extra protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it's away from the organization's network. - -A host-based firewall helps secure a device by dropping all network traffic that doesn't match the administrator-designed rule set for permitted network traffic. 
This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: - -- Network traffic that is a reply to a request from the local device is permitted into the device from the network. - -- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the device from the network. - - For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program. - -- Outbound network traffic that isn't blocked is allowed on the network. - - For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted. - -The following component is recommended for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. - -Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to large organizations. - -**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) 
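Review bot: the deleted protect-devices-from-unwanted-network-traffic.md links to basic-firewall-policy-design.md, which is not part of this patch; check that design page for a back-link to the deleted goal page and add a redirect for the deleted URL. Its inbound references (the goals table and `**Next:**` chain in identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) are removed in the same patch, so those links stay consistent.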
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md deleted file mode 100644 index 1070cb1a65..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: Require Encryption When Accessing Sensitive Network Resources -description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Require Encryption When Accessing Sensitive Network Resources - - -The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it doesn't prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets aren't encrypted. - -For devices that share sensitive information over the network, Windows Defender Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. - -The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. - -![encryption zone in an isolated domain.](images/wfas-domainisoencrypt.gif) - -This goal provides the following benefits: - -- Devices in the encryption zone require authentication to communicate with other devices. This rule works no differently from the domain isolation goal and design. 
For more information, see [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md). - -- Devices in the encryption zone require that all inbound and outbound network traffic be encrypted. - - For example, Woodgrove Bank processes sensitive customer data on a device that must be protected from eavesdropping by devices on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data. - -- Devices in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more info, see [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md). - -The following components are required for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. - -**Next:** [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md deleted file mode 100644 index 28c8049c79..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Restrict Access to Only Specified Users or Devices -description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Restrict Access to Only Specified Users or Computers - - -Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. - -Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it's likely that you'll create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). 
- -Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. - -You can restrict access by specifying either computer or user credentials. - -The following illustration shows an isolated server, and examples of devices that can and can't communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but aren't members of the required NAG, can't communicate with the isolated server. - -![isolated domain with network access groups.](images/wfas-domainnag.gif) - -This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: - -- Isolated servers accept unsolicited inbound network traffic only from devices or users that are members of the NAG. - -- Isolated servers can be implemented as part of an isolated domain, and treated as another zone. Members of the zone group receive a GPO with rules that require authentication, and that specify that only network traffic authenticated as coming from a member of the NAG is allowed. - -- Server isolation can also be configured independently of an isolated domain. To do so, configure only the devices that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. - -- A server isolation zone can be simultaneously configured as an encryption zone. To do so, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. 
For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - -The following components are required for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. - -**Next:** [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md deleted file mode 100644 index f02e9c5708..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Restrict access to only trusted devices -description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Restrict access to only trusted devices - - -Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that aren't owned by your organization to your network. Because you don't manage those devices, you can't trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it's truly required. - -To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. 
- -> [!NOTE] -> Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. - -The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. - -The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. - -![domain isolation.](images/wfas-domainiso.gif) - -These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: - -- Devices in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another device in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason can't perform IPsec authentication. - - For example, Woodgrove Bank wants all of its devices to block all unsolicited inbound network traffic from any device that it doesn't manage. The connection security rules deployed to domain member devices require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. 
- -- Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. - - For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this access. No other rules are required. - -These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: - -- Devices in the "boundary zone" are configured to use connection security rules that request but don't require authentication. This configuration enables them to receive unsolicited inbound network traffic from untrusted devices, and also to receive traffic from the other members of the isolated domain. - - For example, Woodgrove Bank has a server that must be accessed by its partners' devices through the Internet. The rules applied to devices in the boundary zone use authentication when the client device can support it, but don't block the connection if the client device can't authenticate. - -- Devices in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it's sent over the network. - - For example, Woodgrove Bank wants the devices running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those devices. - -The following components are required for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. - -**Next:** [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) 
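Review bot: deleting restrict-access-to-only-trusted-devices.md drops the only visible reference to `images/wfas-domainiso.gif`; confirm another retained page still uses that image or remove it in the same change, otherwise the repo keeps an orphaned asset. The page's **Next:** link also pointed at require-encryption-when-accessing-sensitive-network-resources.md, which is being retired as well, so every page that chained into this one needs its link updated or a redirect entry for this path (the redirect map later in this series does add one for restrict-access-to-only-trusted-devices.md; check that the pages linking to it are covered too).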
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md deleted file mode 100644 index e397c3d8a7..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: Understand WFAS Deployment -description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Understanding the Windows Defender Firewall with Advanced Security Design Process - -Designing any deployment starts by performing several important tasks: - -- [Identifying your windows defender firewall with advanced security design goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) - -- [Mapping your implementation goals to a Windows Defender Firewall with Advanced Security design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) - - -After you identify your implementation goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: - -- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) - -- [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) - -**Next:** [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md deleted file mode 100644 index 7e97506932..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ /dev/null 
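Review bot: this page links identifying-your-windows-firewall-with-advanced-security-deployment-goals.md twice (as the first task and as the **Next:** target) and also mapping-, designing- and planning- pages; removing the hub page without confirming that each of those targets has its own redirect entry leaves dangling cross-links. Two of them (identifying-… and mapping-…) do appear in the redirect hunk later in this series; verify the designing-… and planning-… paths are handled in the same way before merging.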
@@ -1,50 +0,0 @@ ---- -title: Windows Defender Firewall with Advanced Security deployment overview -description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Windows Defender Firewall with Advanced Security deployment overview - - -You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. - -You can use Windows Defender Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. - -## About this guide - -This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. - -Begin by reviewing the information in [Planning to Deploy Windows Defender Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). - -If you haven't yet selected a design, we recommend that you wait to follow the instructions in this guide until after you've reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. 
- -After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: - -- [Basic Firewall Policy Design](basic-firewall-policy-design.md) - -- [Domain Isolation Policy Design](domain-isolation-policy-design.md) - -- [Server Isolation Policy Design](server-isolation-policy-design.md) - -- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) - -Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. -> [!CAUTION] -> We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. - -In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this creation of accounts can result in network connectivity problems if network protocol limits are exceeded. 
-  -## What this guide doesn't provide - -This guide doesn't provide: - -- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Defender Firewall with Advanced Security Design Guide. - -- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. - -- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. - -For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md deleted file mode 100644 index 02d6c56ae0..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ /dev/null 
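Review bot: the CAUTION block removed with this page is the only place in the set that warns that applying isolation GPOs through security-group membership can push user or device accounts past the group-count limits of the network protocols and break connectivity; if the replacement firewall documentation keeps any GPO-based deployment guidance, carry that caution over rather than letting it disappear with the page. Also confirm the two surviving link targets at the top and bottom of the page (planning-to-deploy-windows-firewall-with-advanced-security.md and windows-firewall-with-advanced-security.md) are retained or redirected, since the redirect hunk in this series does not list either.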
@@ -1,93 +0,0 @@ ---- -title: Windows Defender Firewall with Advanced Security design guide -description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Windows Defender Firewall with Advanced Security design guide - - -Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't authenticate can't communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. - -The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - -For more overview information, see [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md). - -## About this guide - -This guide provides recommendations to help you to choose or create a design for deploying Windows Defender Firewall in your enterprise environment. 
The guide describes some of the common goals for using Windows Defender Firewall, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. - -This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals. - -Windows Defender Firewall should be part of a comprehensive security solution that implements various security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. - -To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. - -You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those goals presented here: - -- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. - -- **Domain isolation policy design**. Prevents devices that are domain members from receiving unsolicited network traffic from devices that aren't domain members. More "zones" can be established to support the special requirements of some devices, such as: - - - A "boundary zone" for devices that must be able to receive requests from non-isolated devices. - - - An "encryption zone" for devices that store sensitive data that must be protected during network transmission. - -- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and devices. 
This server can be commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices. - -- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This design enables devices that aren't part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution. - -In addition to descriptions and example for each design, you'll find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide. - -You can find the Windows Defender Firewall with Advanced Security -Deployment Guide at these locations: - -- [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) - -- (Downloadable Word document) - -## In this section - -| Topic | Description -| - | - | -| [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. 
| -| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. | -| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | -| [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | -| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you've gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | -| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). | - -## Terminology used in this guide - -The following table identifies and defines terms used throughout this guide. 
- -| Term | Definition | -| - | - | -| Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. | -| Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.| -| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that aren't members of the isolated domain. Devices in the boundary zone request but don't require authentication. They use IPsec to communicate with other devices in the isolated domain.| -| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this rule was called an *IPsec rule*.| -| Certificate-based isolation | A way to add devices that can't use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that can't use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. 
Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| -| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that can't authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| -| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
    By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | -| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| -| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| -| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
    In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| -| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The extra protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| -| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.| -| Unsolicited network traffic | Network traffic that isn't a response to an earlier request, and that the receiving device can't necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. | -| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
    This term zone isn't related to the one used by Domain Name System (DNS). | - -**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) - -  - -  - - - - - From 7711542e211161971f4ff62deb479b60281121a6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 07:34:19 -0500 Subject: [PATCH 080/114] redirects --- ...blishing.redirection.windows-security.json | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 835e7d0d31..6e7cd36647 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
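Review bot: the terminology table removed here defines the vocabulary (boundary zone, encryption zone, isolated domain, solicited vs. unsolicited traffic, connection security rule) that the rest of the firewall documentation relies on; confirm the redirect target for this path, or a surviving page, still carries these definitions. Minor: the "(Downloadable Word document)" bullet had no link and the "Firewall rule" row reads "Windows Server 2016. Windows Server 2012" with a period where a comma belongs; nothing to fix in a deletion, but if this content is being relocated rather than retired, correct both on the way.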
@@ -7654,124 +7654,124 @@ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)", "redirect_document_id": false - } + }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770289(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947845(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947794(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone", + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947848(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947836(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947800(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947783(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947791(v=ws.10)", 
"redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947799(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947827(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947819(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717261(v=ws.11)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design", + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717238(v=ws.11)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717284(v=ws.11)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717277(v=ws.11)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732023(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan", + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717256(v=ws.11)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772556(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770865(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753064(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725659(v=ws.10)", 
"redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731951(v=ws.10)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717241(v=ws.11)", "redirect_document_id": false }, { - "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide", + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)", "redirect_document_id": false } From 0d442a31d6c500787849fa970112a109667876be Mon Sep 17 00:00:00 2001 
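Review bot: the redirect targets in this hunk mix two archived doc sets, `(v=ws.10)` (Windows Server 2008 R2) and `(v=ws.11)` (Windows Server 2012 R2), for neighbouring pages of the same design guide; for example `checklist-creating-inbound-firewall-rules.md` goes to `cc947799(v=ws.10)` while `checklist-implementing-a-basic-firewall-policy-design.md` goes to `jj717261(v=ws.11)`. Please confirm each target still resolves and that the ws.10 ones have no ws.11 equivalent, so readers of a Windows 11 doc set land on the newest archived procedure available. Adding the `.md` extension to every `source_path` and keeping `redirect_document_id: false` for off-repo targets looks right.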
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 08:30:01 -0500 Subject: [PATCH 081/114] batch 3 --- ...blishing.redirection.windows-security.json | 15 ++ .../network-security/windows-firewall/TOC.yml | 118 ++++------------ ...ices-to-the-membership-group-for-a-zone.md | 55 -------- ...ices-to-the-membership-group-for-a-zone.md | 51 ------- ...ssign-security-group-filters-to-the-gpo.md | 49 ------- ...ange-rules-from-request-to-require-mode.md | 42 ------ .../configure-authentication-methods.md | 58 -------- ...ure-data-protection-quick-mode-settings.md | 56 -------- ...y-to-autoenroll-and-deploy-certificates.md | 32 ----- ...nfigure-key-exchange-main-mode-settings.md | 56 -------- ...nfigure-the-rules-to-require-encryption.md | 50 ------- ...ion-authentication-certificate-template.md | 42 ------ ...notifications-when-a-program-is-blocked.md | 40 ------ ...hat-certificates-are-deployed-correctly.md | 39 ----- .../copy-a-gpo-to-create-a-new-gpo.md | 46 ------ ...ate-a-group-account-in-active-directory.md | 36 ----- .../create-a-group-policy-object.md | 43 ------ ...e-an-authentication-exemption-list-rule.md | 56 -------- .../create-an-authentication-request-rule.md | 78 ---------- .../create-wmi-filters-for-the-gpo.md | 99 ------------- ...ining-the-trusted-state-of-your-devices.md | 133 ------------------ .../enable-predefined-inbound-rules.md | 30 ---- .../enable-predefined-outbound-rules.md | 32 ----- .../exempt-icmp-from-authentication.md | 24 ---- ...-about-your-active-directory-deployment.md | 26 ---- ...out-your-current-network-infrastructure.md | 107 -------------- ...athering-information-about-your-devices.md | 48 ------- .../gathering-other-relevant-information.md | 69 --------- .../gathering-the-information-you-need.md | 22 --- .../link-the-gpo-to-the-domain.md | 32 ----- ...-a-different-zone-or-version-of-windows.md | 68 --------- ...agement-console-to-ip-security-policies.md | 20 --- 
...windows-firewall-with-advanced-security.md | 24 ---- ...-management-console-to-windows-firewall.md | 18 --- ...windows-firewall-with-advanced-security.md | 34 ----- ...erver-access-to-members-of-a-group-only.md | 38 ----- ...firewall-and-configure-default-behavior.md | 43 ------ ...y-that-network-traffic-is-authenticated.md | 59 -------- 38 files changed, 42 insertions(+), 1846 deletions(-) delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md delete mode 100644 
windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md delete mode 100644 
windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 6e7cd36647..3a9d25e18f 100644 --- a/.openpublishing.redirection.windows-security.json 
+++ b/.openpublishing.redirection.windows-security.json @@ -7774,6 +7774,21 @@ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)", "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717262(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717263(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717260(v=ws.11)", + "redirect_document_id": false } ] } diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml index 7645d9d0ab..e0fa759b89 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml 
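Review bot: this hunk adds only three redirect entries (`add-production-devices-...`, `add-test-devices-...`, `assign-security-group-filters-to-the-gpo.md`) while the patch deletes 36 pages, so the other 33 deleted URLs (for example `change-rules-from-request-to-require-mode.md`, `turn-on-windows-firewall-and-configure-default-behavior.md`, `verify-that-network-traffic-is-authenticated.md`) will 404 once this merges. If the remaining redirects are planned for a later batch, say so in the commit message and keep the batches in one PR so the site is never published with dangling links; otherwise add the missing entries here. Minor: the three new entries are appended after `windows-firewall-with-advanced-security-design-guide.md`, breaking the alphabetical order the preceding entries follow; inserting them before the `checklist-...` entries would keep the file sorted.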
@@ -1,97 +1,33 @@ items: - name: Overview href: windows-firewall-with-advanced-security.md - - name: Best practices - items: - - name: Configure the firewall - href: best-practices-configuring.md - - name: Secure IPsec - href: securing-end-to-end-ipsec-connections-by-using-ikev2.md - - name: PowerShell - href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md - - name: Isolate Microsoft Store Apps on Your Network - href: isolating-apps-on-your-network.md - - name: How-to - items: - - name: Add Production devices to the membership group for a zone - href: add-production-devices-to-the-membership-group-for-a-zone.md - - name: Add test devices to the membership group for a zone - href: add-test-devices-to-the-membership-group-for-a-zone.md - - name: Assign security group filters to the GPO - href: assign-security-group-filters-to-the-gpo.md - - name: Change rules from request to require mode - href: Change-Rules-From-Request-To-Require-Mode.Md - - name: Configure authentication methods - href: Configure-authentication-methods.md - - name: Configure data protection (Quick Mode) settings - href: configure-data-protection-quick-mode-settings.md - - name: Configure Group Policy to autoenroll and deploy certificates - href: configure-group-policy-to-autoenroll-and-deploy-certificates.md - - name: Configure Hyper-V firewall - href: hyper-v-firewall.md - - name: Configure key exchange (main mode) settings - href: configure-key-exchange-main-mode-settings.md - - name: Configure the rules to require encryption - href: configure-the-rules-to-require-encryption.md - - name: Configure the Windows Firewall log - href: configure-the-windows-firewall-log.md - - name: Configure the workstation authentication certificate template - href: configure-the-workstation-authentication-certificate-template.md - - name: Configure Windows Firewall to suppress notifications when a program is blocked - href: 
configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md - - name: Confirm that certificates are deployed correctly - href: confirm-that-certificates-are-deployed-correctly.md - - name: Copy a GPO to create a new GPO - href: copy-a-gpo-to-create-a-new-gpo.md - - name: Create a Group Account in Active Directory - href: create-a-group-account-in-active-directory.md - - name: Create a Group Policy Object - href: create-a-group-policy-object.md - - name: Create an authentication exemption list rule - href: create-an-authentication-exemption-list-rule.md - - name: Create an authentication request rule - href: create-an-authentication-request-rule.md - - name: Create an inbound ICMP rule - href: create-an-inbound-icmp-rule.md - - name: Create an inbound port rule - href: create-an-inbound-port-rule.md - - name: Create an inbound program or service rule - href: create-an-inbound-program-or-service-rule.md - - name: Create an outbound port rule - href: create-an-outbound-port-rule.md - - name: Create an outbound program or service rule - href: create-an-outbound-program-or-service-rule.md - - name: Create inbound rules to support RPC - href: create-inbound-rules-to-support-rpc.md - - name: Create WMI filters for the GPO - href: create-wmi-filters-for-the-gpo.md - - name: Create Windows Firewall rules in Intune - href: create-windows-firewall-rules-in-intune.md - - name: Enable predefined inbound rules - href: enable-predefined-inbound-rules.md - - name: Enable predefined outbound rules - href: enable-predefined-outbound-rules.md - - name: Exempt ICMP from authentication - href: exempt-icmp-from-authentication.md - - name: Link the GPO to the domain - href: link-the-gpo-to-the-domain.md - - name: Modify GPO filters - href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md - - name: Open IP security policies - href: open-the-group-policy-management-console-to-ip-security-policies.md - - name: Open Group Policy - href: 
open-the-group-policy-management-console-to-windows-firewall.md - - name: Open Group Policy - href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md - - name: Open Windows Firewall - href: open-windows-firewall-with-advanced-security.md - - name: Restrict server access - href: restrict-server-access-to-members-of-a-group-only.md - - name: Enable Windows Firewall - href: turn-on-windows-firewall-and-configure-default-behavior.md - - name: Verify Network Traffic - href: verify-that-network-traffic-is-authenticated.md - - name: Troubleshooting + - name: Configure Hyper-V firewall + href: hyper-v-firewall.md + - name: Configure the Windows Firewall log + href: configure-the-windows-firewall-log.md + - name: Create an inbound ICMP rule + href: create-an-inbound-icmp-rule.md + - name: Create an inbound port rule + href: create-an-inbound-port-rule.md + - name: Create an inbound program or service rule + href: create-an-inbound-program-or-service-rule.md + - name: Create an outbound port rule + href: create-an-outbound-port-rule.md + - name: Create an outbound program or service rule + href: create-an-outbound-program-or-service-rule.md + - name: Create inbound rules to support RPC + href: create-inbound-rules-to-support-rpc.md + - name: Create Windows Firewall rules in Intune + href: create-windows-firewall-rules-in-intune.md + - name: Configure the firewall + href: best-practices-configuring.md + - name: Secure IPsec + href: securing-end-to-end-ipsec-connections-by-using-ikev2.md + - name: PowerShell + href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md + - name: Isolate Microsoft Store Apps on Your Network + href: isolating-apps-on-your-network.md + - name: Troubleshoot items: - name: Troubleshoot UWP app connectivity issues in Windows Firewall href: troubleshooting-uwp-firewall.md 
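Review bot: the replacement TOC flattens the former "Best practices" and "How-to" groups into one list whose order is neither grouped nor alphabetical (`Configure the firewall`, `Secure IPsec`, `PowerShell` and `Isolate Microsoft Store Apps on Your Network` now follow `Create Windows Firewall rules in Intune`); consider keeping the two groups, or at least sorting the entries. Removing the entries that pointed at the deleted how-tos is consistent with the file deletions, but note that the guidance those pages carried on turning the firewall on and setting default inbound/outbound behaviour (`turn-on-windows-firewall-and-configure-default-behavior.md`) and on verifying that traffic is authenticated (`verify-that-network-traffic-is-authenticated.md`) now has no TOC entry and, in this patch, no redirect; please check that `windows-firewall-with-advanced-security.md` or `best-practices-configuring.md` still covers those two points. Incidentally, the removed hrefs `Change-Rules-From-Request-To-Require-Mode.Md` and `Configure-authentication-methods.md` had inconsistent casing that would not resolve on a case-sensitive build, so dropping them also fixes that.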
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md deleted file mode 100644 index 7bfb1addfd..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Add Production Devices to the Membership Group for a Zone -description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. -ms.prod: windows-client -ms.topic: how-to -ms.date: 11/10/2023 ---- - -# Add Production Devices to the Membership Group for a Zone - -After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. - -> [!CAUTION] -> For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode. - -The method discussed in this guide uses the *Domain Computers* built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the *CG_DOMISO_NOIPSEC* example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). - -Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you. 
- -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. - -In this topic: - -- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group) -- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device) -- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device) - -## To add domain devices to the GPO membership group - -1. Open Active Directory Users and Computers -1. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group -1. In the details pane, double-click the GPO membership group to which you want to add computers -1. Select the **Members** tab, and then click **Add** -1. Type **Domain Computers** in the text box, and then click **OK** -1. Click **OK** to close the group properties dialog box - -After a computer is a member of the group, you can force a Group Policy refresh on the computer. - -## To refresh Group Policy on a device - -From an elevated command prompt, type the following command: - -``` cmd -gpupdate.exe /target:computer /force -``` - -After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. - -## To see which GPOs are applied to a device - -From an elevated command prompt, type the following command: - -``` cmd -gpresult.exe /r /scope:computer -``` diff --git a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md deleted file mode 100644 index 2ed1c1a950..0000000000 
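Review bot: the deleted `add-production-devices-to-the-membership-group-for-a-zone.md` links to an anchor in another page deleted in this patch (`assign-security-group-filters-to-the-gpo.md#prevent-members-of-a-group-from-applying-a-gpo`); both pages get a redirect in the JSON hunk, but an anchor does not survive a redirect to an archived `previous-versions` page, so any remaining page that links to these anchors needs its link updated. Also worth checking: the `> [!CAUTION]` block in the deleted text (keep connection security rules in request mode during testing, never switch the boundary-zone GPO to require mode) is the key rollout safeguard of the whole isolation design; please confirm the redirect target `jj717262(v=ws.11)` states it, since nothing retained in this doc set does.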
--- a/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Add Test Devices to the Membership Group for a Zone -description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. -ms.prod: windows-client -ms.topic: how-to -ms.date: 11/10/2023 ---- - -# Add Test Devices to the Membership Group for a Zone - -Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device. - -Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the `gpresult.exe` command to confirm that each device is receiving only the GPOs it's supposed to receive. - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. - -In this topic: - -- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-groups) -- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device) -- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device) - -## To add test devices to the GPO membership groups - -1. Open Active Directory Users and Computers -1. 
In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account -1. In the details pane, double-click the GPO membership group to which you want to add devices -1. Select the **Members** tab, and then click **Add** -1. Type the name of the device in the text box, and then click **OK** -1. Repeat steps 5 and 6 for each extra device account or group that you want to add -1. Click **OK** to close the group properties dialog box - -After a device is a member of the group, you can force a Group Policy refresh on the device. - -## To refresh Group Policy on a device - -From an elevated command prompt, run the following command: - -``` cmd -gpupdate /target:device /force -``` - -After Group Policy is refreshed, you can see which GPOs are currently applied to the device. - -## To see which GPOs are applied to a device - -From an elevated command prompt, run the following command: - -``` cmd -gpresult /r /scope:computer -``` diff --git a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md deleted file mode 100644 index f708e6a031..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ /dev/null 
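Review bot: the deleted `add-test-devices-to-the-membership-group-for-a-zone.md` contained an incorrect command, `gpupdate /target:device /force`; `gpupdate` only accepts `/target:computer` or `/target:user`, and the sibling page deleted just above used the correct `/target:computer`. Deleting the page removes the error, but since readers are redirected to `jj717263(v=ws.11)`, please verify that the archived page shows the correct switch. The deleted step "Repeat steps 5 and 6" also referred to itself (the type-and-OK step is 5, the repeat step is 6), which again only matters if the same text survives at the redirect target.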
@@ -1,49 +0,0 @@ ---- -title: Assign Security Group Filters to the GPO -description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. -ms.prod: windows-client -ms.topic: how-to -ms.date: 11/10/2023 ---- - -# Assign Security Group Filters to the GPO - -To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. - ->[!IMPORTANT] ->This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs. - -In this topic: - -- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo) -- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo) - -## To allow members of a group to apply a GPO - -Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO. - -1. Open the Group Policy Management console -1. In the navigation pane, find and then select the GPO that you want to modify -1. In the details pane, under **Security Filtering**, select **Authenticated Users**, and then select **Remove** - - >[!NOTE] - >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. 
- -1. Select **Add** -1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain - -## To prevent members of a group from applying a GPO - -Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain. - -1. Open the Group Policy Management console -1. In the navigation pane, find and then select the GPO that you want to modify -1. In the details pane, select the **Delegation** tab -1. Select **Advanced** -1. Under the **Group or user names** list, select **Add** -1. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then select **OK**. If you do not know the name, you can select **Advanced** to browse the list of groups available in the domain -1. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy** -1. Select **OK**, and then in the **Windows Security** dialog box, select **Yes** -1. The group appears in the list with **Custom** permissions diff --git a/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md deleted file mode 100644 index cbfaffb255..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md +++ /dev/null 
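Review bot: the deleted `assign-security-group-filters-to-the-gpo.md` instructed removing **Authenticated Users** from **Security Filtering** and relying on explicit group grants, and its redirect target `jj717260(v=ws.11)` is Windows Server 2012 R2 era content. Since the MS16-072 Group Policy security update (June 2016), the computer account must still hold Read on a GPO (typically via Authenticated Users or Domain Computers in Delegation) or user-side settings silently stop applying, so the archived procedure may now be incomplete; rather than only redirecting, consider pointing readers to a current page that covers the Read permission requirement. The "deny Read and Apply group policy" procedure for the boundary and encryption zone groups is still valid and is the part that keeps isolated-domain rules off boundary hosts, so that part of the guidance should be preserved somewhere in the retained set.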
@@ -1,42 +0,0 @@ ---- -title: Change Rules from Request to Require Mode -description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. -ms.prod: windows-client -ms.topic: how-to -ms.date: 11/10/2023 ---- - -# Change Rules from Request to Require Mode - -After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain. - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -In this topic: - -- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode) -- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices) - -## To convert a rule from request to require mode - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) -1. In the right navigation pane, click **Connection Security Rules** -1. In the details pane, double-click the connection security rule that you want to modify -1. Click the **Authentication** tab -1. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK** - -## To apply the modified GPOs to the client devices - -1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt: - - ``` cmd - gpupdate.exe /force - ``` - -1. 
To verify that the modified GPO is correctly applied to the client devices, you can run the following command: - - ``` cmd - gpresult.exe /r /scope computer - ``` - -1. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md deleted file mode 100644 index 96a9db2d70..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md +++ /dev/null 
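Review bot: the deleted page's boundary-zone caveat ("Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain") is the one non-obvious safety check in this procedure, and the hunk shows no replacement or redirect; confirm the consolidated page carries that sentence and the `gpresult.exe /r /scope computer` verification step, and note that this page links to open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md, so any redirect target should resolve that link as well.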
@@ -1,58 +0,0 @@ ---- -title: Configure Authentication Methods -description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure Authentication Methods - - -This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. - ->**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To configure authentication methods** - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. - -3. On the **IPsec Settings** tab, click **Customize**. - -4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: - - 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. - - 2. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. 
If you also select **Accept only health certificates**, then only certificates that include the system health authentication extended key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. - - 3. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - - The first authentication method can be one of the following methods: - - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - - - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. - - - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method isn't recommended, and is included only for backward compatibility and testing purposes. - - If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - - The second authentication method can be one of the following methods: - - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. 
This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - - - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. - - - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule. - - If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - - >**Important:** Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. - -5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md deleted file mode 100644 index a8f2bc0f33..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md +++ /dev/null 
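Review bot: the Important box near the end of this hunk ("Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.") is the key misconfiguration warning on this page and must survive wherever the content moves. If the text is being carried over rather than dropped, do not copy it verbatim: the sentence "User-based authentication using Kerberos V5 isn't supported by IKE v1" appears under the first-authentication **Computer (NTLMv2)** option, where it describes the wrong principal, as well as under **User (NTLMv2)**, where it belongs.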
@@ -1,56 +0,0 @@ ---- -title: Configure Data Protection (Quick Mode) Settings -description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure Data Protection (Quick Mode) Settings - - -This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To configure quick mode settings** - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. - -3. On the **IPsec Settings** tab, click **Customize**. - -4. In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**. - -5. If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone. - -6. 
If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following: - - 1. From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**. - - 2. Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT). - - 3. In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value. - - 4. Click **OK** to save your algorithm combination settings. - - 5. After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on. - -7. Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following: - - 1. 
From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**. - - 2. Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following: - - 3. Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT. - - 4. Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only. - - 5. Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. - - 6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value. - -8. Click **OK** three times to save your settings. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md deleted file mode 100644 index f049b2e663..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ /dev/null 
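Review bot: the recommendations in steps 6.2, 7.3, 7.4 and 7.5 (use ESP rather than AH where NAT is in play, and do not include MD5 or DES in any combination because they are kept for backward compatibility only) are the security guidance worth preserving from this deletion; the hunk gives no redirect or replacement. The removed text also lists only SHA1 and MD5 as integrity choices and AES-256 through DES as encryption choices, which the require-encryption page in this same change says is not the full set selectable through PowerShell, so a consolidated page is the place to reflect the complete list rather than copying this one.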
@@ -1,32 +0,0 @@ ---- -title: Configure Group Policy to Autoenroll and Deploy Certificates -description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure Group Policy to Autoenroll and Deploy Certificates - - -You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. - -**Administrative credentials** - -To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group. - -**To configure Group Policy to autoenroll certificates** - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. - -3. In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**. - -4. Double-click **Certificate Services Client - Auto-Enrollment**. - -5. In the **Properties** dialog box, change **Configuration Model** to **Enabled**. - -6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**. - -7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed. 
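Review bot: no redirect or replacement appears for this page in the hunk, and its credential requirement ("a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group") is stricter than the "Domain Administrators group, or otherwise be delegated permissions" wording on the neighbouring deleted how-tos; the path **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies** and the two checkboxes in step 6 are the details a consolidated autoenrollment page must keep.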
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md deleted file mode 100644 index 02ffc24817..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -title: Configure Key Exchange (Main Mode) Settings -description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure Key Exchange (Main Mode) Settings - - -This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To configure key exchange settings** - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. - -3. On the **IPsec Settings** tab, click **Customize**. - -4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. - -5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list aren't what you want, then do the following steps: - - **Important**   - In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This rule means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. - - Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method is used in the negotiation. 
Ensure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. - - **Note**   - When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This event happens no matter which Diffie-Hellman key exchange protocol you select. - - 1. Remove any of the security methods that you don't want by selecting the method and then clicking **Remove**. - - 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. - - >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. - - 3. After the list contains only the combinations you want, use the "up" and "down" arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. - -6. From the list on the right, select the key exchange algorithm that you want to use. - - >**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only.  - -7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key. - - >**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance. - -8. In **Key lifetime (in sessions)**, type the number of sessions. 
After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key. - -9. Click **OK** three times to save your settings. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md deleted file mode 100644 index ce9b0f15ce..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md +++ /dev/null 
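Review bot: the Important box under step 5 mixes OS generations ("In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm" followed by "another device running Windows 8 or Windows Server 2012"), so if this text is consolidated rather than dropped, rewrite the version references instead of copying them. The two Caution boxes (do not include MD5 or DES in any combination; do not use Diffie-Hellman Group 1) are the hard security recommendations in this hunk and should be carried over, along with the Note that AuthIP substitutes the Kerberos service ticket secret or a TLS session secret for the Diffie-Hellman value, which explains why the selected group does not matter in that case.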
@@ -1,50 +0,0 @@ ---- -title: Configure the Rules to Require Encryption -description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure the Rules to Require Encryption - -If you're creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that don't use encryption. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To modify an authentication request rule to also require encryption** - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Connection Security Rules**. - -3. In the details pane, double-click the connection security rule you want to modify. - -4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. - -5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={**guid**}**, and then click **Properties**. - -6. Click the **IPsec Settings** tab. - -7. Under **IPsec defaults**, click **Customize**. - -8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**. - -9. Click **Require encryption for all connection security rules that use these settings**. - - This setting disables the data integrity rules section. Ensure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. 
The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone won't be able to connect to devices in this zone. - -10. If you need to add an algorithm combination, click **Add** and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). - - **Note**   - Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. - - Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell. - - For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) - -11. During negotiation, algorithm combinations are proposed in the order shown in the list. Ensure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. - -12. Click **OK** three times to save your changes. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md deleted file mode 100644 index fe9d417849..0000000000 
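Review bot: step 10 links to configure-data-protection-quick-mode-settings.md, which the same change deletes, so the link is dangling unless a redirect is added for both files. The Note under step 10 already states that some algorithms and all per-rule quick mode settings are reachable only through Windows PowerShell and points at windows-firewall-with-advanced-security-administration-with-windows-powershell.md; if that page is not part of this deletion set, it is the natural redirect target. Step 9's requirement that the client zone GPOs contain at least one matching integrity-and-encryption combination, and step 11's ordering rule (most secure combinations first), are the two checks that must not be lost.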
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: Configure the Workstation Authentication Template -description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. -ms.prod: windows-client -ms.date: 09/07/2021 -ms.topic: conceptual ---- - -# Configure the Workstation Authentication Certificate Template - - -This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. - -**Administrative credentials** - -## To configure the workstation authentication certificate template and autoenrollment -To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. - - -1. On the device where AD CS is installed, open the Certification Authority console. - -2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**. - -3. In the details pane, click the **Workstation Authentication** template. - -4. On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**. - -5. On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**. - -6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. 
In **Subject name format**, select **Fully distinguished name**. - -7. Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. - -8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. - - >**Note:**  If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate. - -9. Close the Certificate Templates Console. - -10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. - -11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you configured, and then click **OK**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md deleted file mode 100644 index fe75296fec..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ /dev/null 
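Review bot: in the removed text the **Administrative credentials** label sits above the "## To configure the workstation authentication certificate template and autoenrollment" heading while the credential sentence sits below it, and step 4 and step 7 both read "we recommended that you" and step 8's Note reads "If you want do not want to deploy"; if this content is moved rather than dropped, fix the heading placement and the typos rather than copying them. The least-privilege point worth preserving is that Note: scope **Enroll** and **Autoenroll** to a group containing only the device accounts that need the certificate instead of **Domain Computers** when the certificate should not go to every device.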
@@ -1,40 +0,0 @@ ---- -title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked -description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked - - -To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. - ->**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. - -We recommend that you don't enable these settings until you've created and tested the required rules. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. - -3. For each network location type (Domain, Private, Public), perform the following steps. - - 1. 
Click the tab that corresponds to the network location type. - - 2. Under **Settings**, click **Customize**. - - 3. Under **Firewall settings**, change **Display a notification** to **No**. - - 4. Under **Rule merging**, change **Apply local firewall rules** to **No**. - - 5. Although a connection security rule isn't a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you're planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. - - 6. Click **OK** twice. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md deleted file mode 100644 index dcca043129..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ /dev/null 
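Review bot: the Caution in this hunk ("If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail") describes the operational risk of the setting and should follow the content wherever it moves, together with the recommendation not to enable it until the required rules are created and tested. Step 5 (**Apply local connection security rules** set to **No**) is a separate IPsec setting that the page title does not mention, so a consolidated page should keep it labelled as its own step rather than folding it into the notification setting.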
@@ -1,39 +0,0 @@ ---- -title: Confirm That Certificates Are Deployed Correctly -description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 01/24/2023 ---- - -# Confirm That Certificates Are Deployed Correctly - -After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. - -In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -In this topic: - -- [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device) -- [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed) - -## To refresh Group Policy on a device - - From an elevated command prompt, run the following command: - -``` cmd -gpupdate /target:computer /force -``` - -After Group Policy is refreshed, you can see which GPOs are currently applied to the device. - -## To verify that a certificate is installed - -1. Open the Certificates console -1. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates** - - The CA that you created appears in the list. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md deleted file mode 100644 index 2493780e6b..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ /dev/null 
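Review bot: the "To verify that a certificate is installed" steps only expand **Trusted Root Certification Authorities** and confirm "The CA that you created appears in the list", which verifies that the root is trusted, not that the autoenrolled workstation certificate itself was issued to the device; if this procedure is moved rather than dropped, the replacement should also check the computer's own certificate store. The command form here (`gpupdate /target:computer /force`) also differs from `gpupdate.exe /force` on the deleted change-rules page; pick one form for the consolidated content.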
@@ -1,46 +0,0 @@ ---- -title: Copy a GPO to Create a New GPO -description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Copy a GPO to Create a New GPO - - -To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. - -**To make a copy of a GPO** - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:**YourForestName, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. - -3. In the details pane, right-click the GPO you want to copy, and then click **Copy**. - -4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. - - :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png"::: - -5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. - -6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. - -7. To rename it, right-click the GPO, and then click **Rename**. - -8. Type the new name, and then press ENTER. - -9. You must change the security filters to apply the policy to the correct group of devices. 
To change the security filters, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. - -10. In the confirmation dialog box, click **OK**. - -11. Click **Add**. - -12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. - -13. If necessary, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md deleted file mode 100644 index e323d44596..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: Create a Group Account in Active Directory -description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create a Group Account in Active Directory - - -To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new group accounts. - -**To add a new membership group in Active Directory** - -1. Open the Active Directory Users and Computers console. - -2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain. - -3. Click **Action**, click **New**, and then click **Group**. - -4. In the **Group name** text box, type the name for your new group. - - >**Note:**  Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups. - -5. In the **Description** text box, enter a description of the purpose of this group. - -6. In the **Group scope** section, select either **Global** or **Universal**, depending on your Active Directory forest structure. If your group must include computers from multiple domains, then select **Universal**. If all of the members are from the same domain, then select **Global**. - -7. In the **Group type** section, click **Security**. - -8. Click **OK** to save your group. 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md b/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md deleted file mode 100644 index 11638e864b..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Create a Group Policy Object -description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. -ms.prod: windows-client -ms.collection: - - highpri - - tier3 - - must-keep -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create a Group Policy Object - - -To create a new GPO, use the Active Directory Users and Computers MMC snap-in. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. - -To create a new GPO - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:**YourForestName, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. - -3. Click **Action**, and then click **New**. - -4. In the **Name** text box, type the name for your new GPO. - - > [!NOTE] - > Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. - -5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. - -6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps: - - 1. In the navigation pane, click the new GPO. - - 2. In the details pane, click the **Details** tab. - - 3. Change the **GPO Status** to **User configuration settings disabled**. 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md deleted file mode 100644 index 76f020233e..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -title: Create an Authentication Exemption List Rule -description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Authentication Exemption List Rule - - -In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. - -**Important**   -Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. - - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To create a rule that exempts specified hosts from authentication** - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Connection Security Rules**. - -3. Click **Action**, and then click **New Rule**. - -4. On the **Rule Type** page of the New Connection Security Rule Wizard, click **Authentication exemption**, and then click **Next**. - -5. On the **Exempt Computers** page, to create a new exemption, click **Add**. To modify an existing exemption, click it, and then click **Edit**. - -6. 
In the **IP Address** dialog box, do one of the following: - - - To add a single IP address, click **This IP address or subnet**, type the IP address of the host in the text box, and then click **OK**. - - - To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished. - - - To add the local device’s subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**. - - >**Note:**  If you select the local subnet from the list rather than typing the subnet address in manually, the device automatically adjusts the active local subnet to match the device’s current IP address. - - - To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**. - - - To exempt all of the remote hosts that the local device uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**. - -7. Repeat steps 5 and 6 for each exemption that you need to create. - -8. Click **Next** when you have created all of the exemptions. - -9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**. - - >**Caution:**  If all of the exemptions are on the organization’s network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. 
Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate. - -10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md b/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md deleted file mode 100644 index 488578107f..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Create an Authentication Request Rule -description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create an Authentication Request Rule - -**Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the (Group Policy Objects) GPOs. - -To create the authentication request rule: - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. - -3. On the **Rule Type** page, select **Isolation**, and then click **Next**. - -4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. - - > [!CAUTION] - > Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. - -5. On the **Authentication Method** page, select the authentication option you want to use on your network. 
To select multiple methods that are attempted in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP). - - 1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure. - - 2. **Advanced**. Selecting this option enables you to specify a custom combination of authentication methods required for your scenario. - -6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - - The **First authentication method** can be one of the following: - - - **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. - - - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. 
If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. - - If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - - The **Second authentication method** can be one of the following: - - - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. - - - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. - - - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. - - If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. - - > [!IMPORTANT] - > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. - -7. 
After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. - -8. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. - - - On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network. - - - On devices that do not move from network to network, consider selecting all the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. - - Click **Next**. - -9. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. - - The new rule appears in the list of connection security rules. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md deleted file mode 100644 index a2cad4e58d..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -title: Create WMI Filters for the GPO -description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. -ms.prod: windows-client -ms.collection: - - highpri - - tier3 - - must-keep -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Create WMI Filters for the GPO - - -To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. - -- [Create WMI Filters for the GPO](#create-wmi-filters-for-the-gpo) - - [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) - - [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system. - -## To create a WMI filter that queries for a specified version of Windows - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then select **WMI Filters**. - -3. Select **Action**, and then select **New**. - -4. In the **Name** text box, type the name of the WMI filter. Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. - -5. 
In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description. - -6. Select **Add**. - -7. Leave the **Namespace** value set to **root\\CIMv2**. - -8. In the **Query** text box, type: - - ``` syntax - select * from Win32_OperatingSystem where Version like "6.%" - ``` - - This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 11, Windows 10, and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: - - ``` syntax - ... where Version like "6.1%" or Version like "6.2%" - ``` - - To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 and Windows 11 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. - - The following clause returns **true** for all devices that are not domain controllers: - - ``` syntax - ... where ProductType="1" or ProductType="3" - ``` - - The following complete query returns **true** for all devices running Windows 10 and Windows 11, and returns **false** for any server operating system or any other client operating system. - - ``` syntax - select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" - ``` - - Specific versions of Windows 10 can be targeted by including the *major build version* in the query. 
The following query returns **true** for all devices running Windows 10 20H2 (which has a *major build version* of `19042`), and returns **false** for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at [Windows 10 release information](/windows/release-health/release-information). - - ```syntax - select * from Win32_OperatingSystem where Version like "10.0.19042" and ProductType="1" - ``` - - The following query returns **true** for any device running Windows Server 2016, except domain controllers: - - ``` syntax - select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3" - ``` - -9. Select **OK** to save the query to the filter. - -10. Select **Save** to save your completed filter. - -> [!NOTE] -> If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied. - -## To link a WMI filter to a GPO - -After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs. - -1. Open the Group Policy Management console. - -2. In the navigation pane, find and then select the GPO that you want to modify. - -3. Under **WMI Filtering**, select the correct WMI filter from the list. - -4. Select **Yes** to accept the filter. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md deleted file mode 100644 index 62d1fcb8d8..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: Determining the Trusted State of Your Devices -description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Determining the Trusted State of Your Devices - - -After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this communication can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. - ->**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. - -## Trust states - - -To understand this concept, consider the four basic states that apply to devices in a typical IT infrastructure. These states are (in order of risk, lowest risk first): - -- Trusted - -- Trustworthy - -- Known, untrusted - -- Unknown, untrusted - -The remainder of this section defines these states and how to determine which devices in your organization belong in each state. - -### Trusted state - -Classifying a device as trusted means that the device's security risks are managed, but it doesn't imply that it's perfectly secure or invulnerable. 
The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. - -When a device is considered trusted, other trusted devices can reasonably assume that the device won't initiate a malicious act. For example, trusted devices can expect that other trusted devices won't run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. - -Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. - -A possible list of technology requirements might include: - -- **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. - -- **Domain membership.** A trusted device will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member devices by using Group Policy. - -- **Management client.** All trusted devices must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Configuration Manager is one such management system with an appropriate client. - -- **Antivirus software.** All trusted devices will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. - -- **File system.** All trusted devices will be configured to use the NTFS file system. - -- **BIOS settings.** All trusted portable devices will be configured to use a BIOS-level password that is under the management of the IT support team. - -- **Password requirements.** Trusted clients must use strong passwords. 
- -It's important to understand that the trusted state isn't constant; it's a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they're required to help maintain the trusted status. - -A device that continues to meet all these security requirements can be considered trusted. However it's possible that most devices that were identified in the discovery process discussed earlier don't meet these requirements. Therefore, you must identify which devices can be trusted and which ones can't. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. - -### Trustworthy state - -It's useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. - -For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration). - -Generally, trustworthy devices fall into one of the following two groups: - -- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, more configuration changes are required. 
For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement. - -- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: - - - **Operating system upgrade required.** If the device's current operating system can't support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. - - - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, can't be considered trusted until these applications are installed and active. - - - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or another software that forces the required hardware upgrade. For example, security software might require more hard disk space on the device. - - - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. For example, a device that can't run a secure operating system because it has an old processor (such as a 100 megahertz \[MHz\] x86-based device). - -Use these groups to assign costs for implementing the solution on the devices that require upgrades. - -### Known, untrusted state - -During the process of categorizing an organization's devices, you'll identify some devices that can't achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: - -- **Financial.** The funding isn't available to upgrade the hardware or software for this device. 
- -- **Political.** The device must remain in an untrusted state because of a political or business situation that doesn't enable it to comply with the stated minimum security requirements of the organization. It's highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. - -- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system. - -There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: - -- **Devices that run unsupported versions of Windows.** These versions include Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). - -- **Stand-alone devices.** Devices running any version of Windows which are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. 
Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain. - -- **Devices in an untrusted domain.** A device that is a member of a domain that isn't trusted by an organization's IT department can't be classified as trusted. An untrusted domain is a domain that can't provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities can't be fully guaranteed when devices aren't in a trusted domain. - -### Unknown, untrusted state - -The unknown, untrusted state should be considered the default state for all devices. Because devices in this state have a configuration that is unknown, you can assign no trust to them. All planning for devices in this state must assume that the device is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the devices in this state can have on their organizations. - -## Capturing upgrade costs for current devices - - -The final step in this part of the process is to record the approximate cost of upgrading the devices to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: - -- Does the device meet the minimum hardware requirements necessary for isolation? - -- Does the device meet the minimum software requirements necessary for isolation? - -- What configuration changes must be made to integrate this device into the isolation solution? - -- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state? 
- -By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It's important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you're ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. - -The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state. - -| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | -| - | - | - | - | - | - | -| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware isn't compatible with newer versions of Windows.| $??| -| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??| - -In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher. - -The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. 
- -With the other information that you've gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. - -The costs identified in this section only capture the projected cost of the device upgrades. Many more design, support, test, and training costs should be accounted for in the overall project plan. - -**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md deleted file mode 100644 index 68f91e5710..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md +++ /dev/null 
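Review bot: no redirect entry or link update accompanies the deletion of this planning page, whose last line is `**Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)`, so the chain of "Next" links through the design guide and any TOC entry pointing here will break; add a redirection for this page or repoint the neighbouring pages at wherever the content now lives. If the text is being re-homed rather than dropped, also resolve the inconsistency in the example table: CLIENT001 is called "known, untrusted" because its hardware must be upgraded, while the same page lists "Hardware upgrade required" among devices that can still reach a trusted state, and the `$??` cost placeholders should either be filled in or removed.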
@@ -1,30 +0,0 @@ ---- -title: Enable Predefined Inbound Rules -description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Enable Predefined Inbound Rules - - -Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -To deploy predefined firewall rules that allow inbound network traffic for common network functions - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. - -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they're all selected. For rules that you don't want to deploy, clear the check boxes next to the rules, and then click **Next**. - -6. On the **Action** page, select **Allow the connection**, and then click **Finish**. 
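Review bot: step 1 of the deleted enable-predefined-inbound-rules.md procedure still links to `open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md`, and nothing in the diff redirects readers who arrive at this page, so add a redirection alongside the deletion. If the procedure is being folded into a consolidated rules page, keep the `**Administrative credentials**` requirement (Domain Admins or delegated rights on the GPO) and the step 5 warning that every rule in a predefined group is selected by default, since deploying a whole group unreviewed is how unneeded inbound openings end up in a GPO.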
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md deleted file mode 100644 index 69eaebf470..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Enable Predefined Outbound Rules -description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/07/2021 ---- - -# Enable Predefined Outbound Rules - - -By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically doesn't enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -To deploy predefined firewall rules that block outbound network traffic for common network functions - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Outbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. - -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They're all selected by default. 
For rules that you don't want to deploy, clear the check boxes next to the rules, and then click **Next**. - -6. On the **Action** page, select **Block the connection**, and then click **Finish**. - - The selected rules are added to the GPO. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md deleted file mode 100644 index 572b3283f3..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Exempt ICMP from Authentication -description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Exempt ICMP from Authentication - - -This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -To exempt ICMP network traffic from authentication - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. On the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. - -3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. 
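Review bot: the deleted enable-predefined-outbound-rules.md text carries a copy-paste error in step 4, `On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**`, which should name the New Outbound Rule Wizard; if this procedure moves elsewhere, fix it there rather than carrying it over. The exempt-icmp-from-authentication.md hunk that follows has the same redirect gap, and its instruction to set `Exempt ICMP from IPsec` to `Yes` should, in any re-homed version, state plainly that ICMP then crosses the isolation boundary unauthenticated and unencrypted, which is the trade-off the reader is being asked to accept.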
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md deleted file mode 100644 index b030f3c63a..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: Gathering Information about Your Active Directory Deployment -description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Gathering Information about Your Active Directory Deployment - - -Active Directory is another important item about which you must gather information. You must understand the forest structure. This structure includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: - -- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. - -- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that devices are domain members. - -- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between devices in different Active Directory domains. - -- **Names and number of sites**. Site architecture is aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. 
Site architecture can provide a better understanding of the current Active Directory deployment. - -- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You don't have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. - -- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 aren't compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. - -**Next:** [Gathering Information about Your Devices](gathering-information-about-your-devices.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md deleted file mode 100644 index 13cb71d95b..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ /dev/null 
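Review bot: the deleted gathering-information-about-your-active-directory-deployment.md text contains a self-contradictory sentence, `Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 aren't compatible with earlier versions of Windows`; the intended statement, which the next sentence about Windows XP and Windows Server 2003 IPsec policies assumes, is that connection security rules (Windows Vista / Windows Server 2008 and later) aren't compatible with the IPsec policies of earlier versions. Correct it wherever this content lands. The page's `**Next:**` target, gathering-information-about-your-devices.md, is deleted later in this same patch, so the whole chain needs redirects, not just this page.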
@@ -1,107 +0,0 @@ ---- -title: Gathering Info about Your Network Infrastructure -description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Gathering Information about Your Current Network Infrastructure - - -Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: - -- **Network segmentation**. This component includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. - -- Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side. - -- Network infrastructure devices. These devices include the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible. - -- **Current network traffic model.** This component includes the quantity and the characteristics of the network traffic flowing through your network. - -- Intrusion Detection System (IDS) devices. You'll need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone. 
- -The goal is to have enough information to be able to identify an asset by its network location, in addition to its physical location. - -Don't use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. - -This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it doesn't try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. - -## Network segmentation - - -If your organization doesn't have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information isn't current or hasn't been validated recently, you have two options: - -- Accept that the lack of accurate information can cause risk to the project. - -- Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology. - -Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, don't include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization. 
- -During this process, you might discover some network applications and services that aren't compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization. - -Other examples of incompatibility include: - -- Cisco NetFlow on routers can't analyze packets between IPsec members based on protocol or port. - -- Router-based Quality of Service (QoS) can't use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic aren't affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" doesn't work, but a rule that says "From anyone to 10.0.1.10 prioritize" works. - -- Weighted Fair Queuing and other flow-based router traffic priority methods might fail. - -- Devices that don't support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP). - -- Router access control lists (ACLs) can't examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device can't parse ESP, any ACLs that specify port or protocol rules won't be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules won't be processed on the ESP packets. - -- Network monitoring tools might be unable to parse ESP packets that aren't encrypted (ESP-Null). - - >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide). 
-   -## Network address translation (NAT) - -IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T doesn't support the use of AH across NAT devices. - -## Network infrastructure devices - -The devices that make up the network infrastructure (routers, switches, load balancers, and firewalls) must be able communicate using IPsec after the solution is implemented. For this reason, you have to examine the following characteristics of these network devices to ensure that they can handle the technical and physical requirements of the design: - -- **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported. - -- **Amount of RAM**. This information is useful when you're analyzing capacity or the impact of IPsec on the device. - -- **Traffic analysis**. Information, such as peak usage and daily or weekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it's used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device. - -- **Router ACLs that affect IPsec directly**. ACLs directly affect the ability of specific protocols to function. For example, blocking the Kerberos V5 protocol (UDP and TCP port 88) or IP protocol 50 or 51 prevents IPsec from working. Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500). - -- **Networks/subnets connected to device interfaces**. This information provides the best picture of what the internal network looks like. 
Defining the boundary of subnets based on an address range is straightforward and helps identify whether other addresses are either unmanaged or foreign to the internal network (such as IP addresses on the Internet). - -- **VLAN segmentation**. Determining how VLANs are implemented on the network can help you understand traffic patterns and security requirements, and then help to determine how IPsec might augment or interfere with these requirements. - -- **The maximum transmission unit (MTU) size on device interface(s)**. The MTU defines the largest datagram that can be transmitted on a particular interface without being divided into smaller pieces for transmission (a process also known as *fragmentation*). In IPsec communications, the MTU is necessary to anticipate when fragmentation occurs. Packet fragmentation must be tracked for Internet Security Association and Key Management Protocol (ISAKMP) by the router. IPsec configures the MTU size on the session to the minimum-discovered MTU size along the communication path being used, and then set the Don't Fragment bit (DF bit) to 1. - - >**Note:**  If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly. - -- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS doesn't have such a parser, it can't determine if data in those packets is encrypted. - -After you obtain this information, you can quickly determine whether you must upgrade the devices to support the requirements of the project, change the ACLs, or take other measures to ensure that the devices can handle the loads needed. 
- -## Current network traffic model - -After you gather the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that isn't secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet. - -When you examine traffic flow, look closely at how all managed and unmanaged devices interact. These devices include non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as: - -- Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols? - -- How do servers and clients communicate with each other? - -- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Defender Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. - -Some of the more common applications and protocols are as follows: - -- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it's common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. 
A null session is a session that is established on a host that doesn't use the security context of a known user or entity. Frequently, these sessions are anonymous. - -- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means to open the RPC listener port, and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. - -- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. - -**Next:** [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md b/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md deleted file mode 100644 index d650107dd8..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md +++ /dev/null 
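Review bot: two technical errors in the deleted gathering-information-about-your-current-network-infrastructure.md text should not be carried into any consolidated page: `Devices that don't support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP)` confuses an IP protocol number with a port (ESP is IP protocol 50, AH is 51, and neither has a port), and `Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500)` garbles the requirement, which is that UDP 500 is needed for IKE in all cases and UDP 4500 in addition when NAT-T is in use. The page's `**Next:**` link to gathering-information-about-your-active-directory-deployment.md points at a file deleted earlier in this patch, so redirects are needed for both.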
@@ -1,48 +0,0 @@ ---- -title: Gathering Information about Your Devices -description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Gathering Information about Your Devices - - -One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. - -Capture the following information from each device: - -- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness shouldn't be considered absolute. - -- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address isn't an effective way to identify an asset because it's often subject to change. - -- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It's also important to track the current state of service packs and updates that might be installed, because these packs and updates are often used to determine that minimum security standards have been met. - -- **Domain membership**. This information is used to determine whether a device can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy. 
- -- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly. - -- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable device. You can use this information to determine the appropriate IPsec policy to assign, whether a specific device can participate in isolation, and in which isolation group to include the device. - -After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements. - -You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. - -## Automated Discovery - -Using an automated auditing network management system provides valuable information about the current state of the IT infrastructure. - - -## Manual Discovery - - -The biggest difference between manual discovery methods and automated methods is time. - -You can use Windows PowerShell to create a script file that can collect the system configuration information. For more information, see [Windows PowerShell Scripting](https://go.microsoft.com/fwlink/?linkid=110413). 
- -Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all other changes must be recorded and the updates noted in the inventory. - -This inventory will be critical for planning and implementing your Windows Defender Firewall design. - -**Next:** [Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md b/windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md deleted file mode 100644 index f57dfc3116..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -title: Gathering Other Relevant Information -description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Gathering Other Relevant Information - - -This topic discusses several other things that you should examine to see whether they'll cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. - -## Capacity considerations - -Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch: - -- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](/previous-versions/windows/it-pro/windows-server-2003/cc776369(v=ws.10)). - -- **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization. - -- **NAT devices.** As discussed earlier, NAT doesn't allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH. - -- **Switches and routers.** Proper capacity planning for the implementation of IPsec is more about thorough testing and expected traffic loads than exact calculations. 
You might have to upgrade or reconfigure switches or routers that currently exceed 75 percent usage to allow for increased traffic on the device and still provide some extra usage for bursts of traffic. - -- **Other factors.** These include CPU usage on network infrastructure servers, increased overhead on servers and workstations running IPsec (especially servers, because they usually contain more main mode SAs than clients), and increased network latency because of IPsec negotiation. - - >**Note:**  When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec. - -## Group Policy deployment groups and WMI filters - -You don't have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It's not necessary to use this technique if your network consists of devices. - -## Different Active Directory trust environments - -When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method. - -Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. 
If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains, then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389. - -If the use of Kerberos V5 authentication isn't possible because two-way trusts across forests can't be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. - -## Creating firewall rules to permit IKE, AH, and ESP traffic - - -In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. If there's a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded. - -If there's a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. - -## Network load balancing and server clusters - -There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. 
NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted. - -This dropping of traffic means that NLB in "no affinity" mode isn't supported by IPsec at all. If you must use "no affinity" mode in the cluster, then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec. - -When a TCP connection is dropped because of a cluster node failover, IPsec detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out. - -## Network inspection technologies - -Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some aren't yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device. - -Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, can't parse ESP-encrypted traffic. Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic. 
- -In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there's no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you can't upgrade monitoring or management devices to support IPsec, it's important that you record this information and figure it into your domain or server isolation design. - -Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor can't parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices. - -Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide). - -**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md b/windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md deleted file mode 100644 index b82d977445..0000000000 
--- a/windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Gathering the Information You Need -description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Gathering the Information You Need - - -Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information isn't accurate, problems can occur when devices and devices that weren't considered during the planning phase are encountered during implementation. - -Review each of the following articles for guidance about the kinds of information that you must gather: - -- [Gathering Information about Your Conversational Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) - -- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) - -- [Gathering Information about Your Devices](gathering-information-about-your-devices.md) - -- [Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md deleted file mode 100644 index ca38900f59..0000000000 
--- a/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Link the GPO to the Domain -description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Link the GPO to the Domain - - -After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. - -If the filters comprehensively control the application of the GPO to only the correct devices, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of devices. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs. - -To link the GPO to the domain container in Active Directory - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*. - -3. Right-click *YourDomainName*, and then click **Link an Existing GPO**. - -4. In the **Select GPO** dialog box, select the GPO that you want to deploy, and then click **OK**. - -5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane. - -6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest. 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md deleted file mode 100644 index 90d89139a8..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -title: Modify GPO Filters -description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Modify GPO Filters to Apply to a Different Zone or Version of Windows - - -You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -In this topic: - -- [Change the security group filter for a GPO](#to-change-the-security-group-filter-for-a-gpo) - -- [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) - -- [Remove a block for members of a group from applying a GPO](#to-remove-a-block-for-members-of-group-from-applying-a-gpo) - -## To change the security group filter for a GPO - -1. Open the Group Policy Management console. - -2. In the navigation pane, find and then click the GPO that you want to modify. - -3. In the details pane, under **Security Filtering**, click the currently assigned security group, and then click **Remove**. - -4. Now you can add the appropriate security group to this GPO. Under **Security Filtering**, click **Add**. - -5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. 
- -## To block members of a group from applying a GPO - -1. Open the Group Policy Management console. - -2. In the navigation pane, find and then click the GPO that you want to modify. - -3. In the details pane, click the **Delegation** tab. - -4. Click **Advanced**. - -5. Under the **Group or user names** list, click **Add**. - -6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. - -7. Select the group in the **Group or user names** list, and then select the boxes in the **Deny** column for both **Read** and **Apply group policy**. - -8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. - -9. The group appears in the list with custom permissions. - -## To remove a block for members of group from applying a GPO - -1. Open the Group Policy Management console. - -2. In the navigation pane, find and then click the GPO that you want to modify. - -3. In the details pane, click the **Delegation** tab. - -4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**. - -5. In the message box, click **OK**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md deleted file mode 100644 index a9137e37d3..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -title: Open the Group Policy Management Console to IP Security Policies -description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Open the Group Policy Management Console to IP Security Policies - - -Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). - -**To open a GPO to the IP Security Policies section** - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. - -3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (**YourDomainName**)**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md deleted file mode 100644 index 49aee564d3..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: Group Policy Management of Windows Firewall with Advanced Security -description: Group Policy Management of Windows Firewall with Advanced Security -ms.prod: windows-client -ms.collection: - - highpri - - tier3 - - must-keep -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Group Policy Management of Windows Firewall with Advanced Security - - -Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. - -To open a GPO to Windows Firewall with Advanced Security - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. - -3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={**GUID**},cn=…**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md deleted file mode 100644 index 9ba7d78ace..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -title: Group Policy Management of Windows Defender Firewall -description: Group Policy Management of Windows Defender Firewall with Advanced Security -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Group Policy Management of Windows Defender Firewall - - -To open a GPO to Windows Defender Firewall: - -1. Open the Group Policy Management console. - -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. - -3. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md deleted file mode 100644 index 8440460338..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: Open Windows Defender Firewall with Advanced Security -description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Open Windows Defender Firewall with Advanced Security - - -This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. - -## To open Windows Defender Firewall using the UI - -Click Start, type **Windows Defender Firewall**, and then press ENTER. - -## To open Windows Defender Firewall from a command prompt - -1. Open a command prompt window. - -2. At the command prompt, type: - - ``` syntax - wf.msc - ``` - -**Additional considerations** - -Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md deleted file mode 100644 index 70a23e653f..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Restrict Server Access to Members of a Group Only -description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Restrict Server Access to Members of a Group Only - - -After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. - -In this topic: - -- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#to-create-a-firewall-rule-that-grants-access-to-an-isolated-server) - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -## To create a firewall rule that grants access to an isolated server - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. - -2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. - -3. On the **Rule Type** page, click **Custom**, and then click **Next**. - -4. If you must restrict access to a single network program, then you can select **This program path**, and specify the program or service to which to grant access. Otherwise, click **All programs**, and then click **Next**. - -5. If you must restrict access to only some TCP or UDP port numbers, then enter the port numbers on the **Protocol and Ports** page. 
Otherwise, set **Protocol type** to **Any**, and then click **Next**. - -6. On the **Scope** page, select **Any IP address** for both local and remote addresses, and then click **Next**. - -7. On the **Action** page, click **Allow the connection if it is secure**. If required by your design, you can also click **Customize** and select **Require the connections to be encrypted**. Click **Next**. - -8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the device and user accounts permitted to access the server. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md deleted file mode 100644 index 91091b431c..0000000000 --- a/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior - - -To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -## To enable Windows Defender Firewall and configure the default behavior - -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**. - -3. For each network location type (Domain, Private, Public), perform the following steps. - - >**Note:**  The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design. - - 1. Click the tab that corresponds to the network location type. - - 2. Change **Firewall state** to **On (recommended)**. - - 3. Change **Inbound connections** to **Block (default)**. - - 4. Change **Outbound connections** to **Allow (default)**. - -  - -  - - - - - diff --git a/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md deleted file mode 100644 index 686e2d1efc..0000000000 
--- a/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Verify That Network Traffic Is Authenticated -description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. -ms.prod: windows-client -ms.topic: conceptual -ms.date: 09/08/2021 ---- - -# Verify That Network Traffic Is Authenticated - - -After you've configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. - -In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you're working on: - -- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules aren't working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm isn't included in a security method combination on the clients, then those clients can't successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. 
By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they're working as expected without risking a loss of communications. - -- **Boundary zone.** Confirming correct operation of IPsec is the last step if you're working on the boundary zone GPO. You don't convert the GPO to require mode at any time. - -- **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode. - -> [!NOTE] -> In addition to the steps shown in this procedure, you can also use network traffic capture tools such as [Microsoft Network Monitor](https://www.microsoft.com/download/4865). Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -## To verify that network connections are authenticated by using the Windows Defender Firewall with Advanced Security console - -1. Open the Windows Defender Firewall with Advanced Security -console. - -2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**. - - The details pane displays the rules currently in effect on the device. - -3. **To display the Rule Source column** - - 1. In the **Actions** pane, click **View**, and then click **Add/Remove Columns**. - - 2. In the **Available columns** list, select **Rule Source**, and then click **Add**. - - 3. Use the **Move up** and **Move down** buttons to rearrange the order. Click **OK** when you're finished. 
- - It can take a few moments for the list to be refreshed with the newly added column. - -4. Examine the list for the rules from GPOs that you expect to be applied to this device. - - >**Note:**  If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local device is a member of the appropriate groups and meets the requirements of the WMI filters. -5. In the navigation pane, expand **Security Associations**, and then click **Main Mode**. - - The current list of main mode associations that have been negotiated with other devices appears in the details column. - -6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with more details about the security association. - -7. In the navigation pane, click **Quick mode**. - -8. Examine the list of quick mode security associations for sessions between the local device and the remote device. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values. From e13bdf3e4a587c204d02f3989af03a33e18ad973 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 08:39:18 -0500 Subject: [PATCH 082/114] redirect --- ...blishing.redirection.windows-security.json | 165 ++++++++++++++++++ 1 file changed, 165 insertions(+) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 3a9d25e18f..5cda27e549 100644 --- a/.openpublishing.redirection.windows-security.json 
+++ b/.openpublishing.redirection.windows-security.json 
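Review bot: the deletion of verify-that-network-traffic-is-authenticated.md in the preceding hunk removes the only procedure in this series that tells an admin to inspect Monitoring > Security Associations (Main Mode: 1st/2nd Authentication Method; Quick Mode: AH Integrity, ESP Integrity, ESP Confidentiality) while the domain isolation rule is still in request mode, which is the check that keeps a switch to require mode from breaking communication for devices that have not yet applied the GPO. The redirect added in the next commit sends readers to the Windows Server 2012 R2 archive (jj717273), so that guidance leaves the current docs entirely. Since windows-firewall-with-advanced-security-administration-with-windows-powershell.md stays in the TOC, consider confirming it covers the equivalent check with Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA, or note the request-then-verify-then-require sequence on the surviving IPsec page, before merging the removal.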
@@ -7789,6 +7789,171 @@ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md", "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717260(v=ws.11)", "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717237(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md", + "redirect_url": "previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717293(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717253(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717249(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717270(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717275(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717278(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717245(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717246(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717247(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717274(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717243(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717283(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717281(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717259(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717292(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717264(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717265(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717290(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717269(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717266(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717254(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717267(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md", + 
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717251(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717273(v=ws.11)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md", + "redirect_url": "previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770899(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771366(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc726039(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771791(v=ws.10)", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)", + "redirect_document_id": false } ] } From 9feb387af3bae7aecb9f0de59509e51d8673dd92 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 08:47:48 -0500 Subject: [PATCH 083/114] toc updates --- .../operating-system-security/network-security/toc.yml | 4 ++-- .../network-security/windows-firewall/{TOC.yml => toc.yml} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename windows/security/operating-system-security/network-security/windows-firewall/{TOC.yml => toc.yml} (100%) diff --git a/windows/security/operating-system-security/network-security/toc.yml b/windows/security/operating-system-security/network-security/toc.yml index 9745213bd4..713ead1e6c 100644 --- a/windows/security/operating-system-security/network-security/toc.yml +++ b/windows/security/operating-system-security/network-security/toc.yml @@ -7,8 +7,8 @@ items: href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09 - name: Extensible Authentication Protocol (EAP) for network access href: /windows-server/networking/technologies/extensible-authentication-protocol/network-access - - name: Windows Firewall 🔗 - href: windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows Firewall + href: windows-firewall/toc.yml - name: Virtual Private Network (VPN) href: vpn/toc.yml - name: Always On VPN 🔗 
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml similarity index 100% rename from windows/security/operating-system-security/network-security/windows-firewall/TOC.yml rename to windows/security/operating-system-security/network-security/windows-firewall/toc.yml From 8997f49f7efbcd4d58a57bf77fac8e88f5c768f8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 09:01:16 -0500 Subject: [PATCH 084/114] update TOC --- .../network-security/windows-firewall/toc.yml | 44 ++++++++++--------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml index e0fa759b89..417a72d9a2 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml 
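Review bot: in the PATCH 082 redirection hunk above, two redirect_url values lack the leading slash that every other entry carries: the configure-authentication-methods.md entry reads `"redirect_url": "previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)"` and the gathering-the-information-you-need.md entry reads `"redirect_url": "previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)"`. Without the `/` those targets are not site-root relative like the rest; prefix both. On the PATCH 083 change just above: a case-only rename (TOC.yml to toc.yml) is easy to get wrong on case-insensitive file systems (Windows, default macOS), where `git mv` may need `-f` and a stale TOC.yml can linger in the working tree. The 100% similarity rename recorded here looks correct, but because the parent network-security/toc.yml now references `windows-firewall/toc.yml`, grep the repo for any remaining `windows-firewall/TOC.yml` href before merging. Dropping the 🔗 marker from the Windows Firewall entry is consistent with it now being a nested TOC rather than a cross-link to a page.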
@@ -1,32 +1,34 @@ items: - name: Overview href: windows-firewall-with-advanced-security.md - - name: Configure Hyper-V firewall - href: hyper-v-firewall.md + - name: Configure Windows firewall + href: best-practices-configuring.md - name: Configure the Windows Firewall log href: configure-the-windows-firewall-log.md - - name: Create an inbound ICMP rule - href: create-an-inbound-icmp-rule.md - - name: Create an inbound port rule - href: create-an-inbound-port-rule.md - - name: Create an inbound program or service rule - href: create-an-inbound-program-or-service-rule.md - - name: Create an outbound port rule - href: create-an-outbound-port-rule.md - - name: Create an outbound program or service rule - href: create-an-outbound-program-or-service-rule.md - - name: Create inbound rules to support RPC - href: create-inbound-rules-to-support-rpc.md - - name: Create Windows Firewall rules in Intune - href: create-windows-firewall-rules-in-intune.md - - name: Configure the firewall - href: best-practices-configuring.md - - name: Secure IPsec + - name: Secure connections with IPsec href: securing-end-to-end-ipsec-connections-by-using-ikev2.md - - name: PowerShell + - name: Configure Windows Firewall with PowerShell href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md - - name: Isolate Microsoft Store Apps on Your Network + - name: Isolate Microsoft Store apps on your network href: isolating-apps-on-your-network.md + - name: Configure Hyper-V firewall + href: hyper-v-firewall.md + - name: Firewall rules + items: + - name: Create firewall rules with Microsoft Intune + href: create-windows-firewall-rules-in-intune.md + - name: Create an inbound ICMP rule + href: create-an-inbound-icmp-rule.md + - name: Create an inbound port rule + href: create-an-inbound-port-rule.md + - name: Create an inbound program or service rule + href: create-an-inbound-program-or-service-rule.md + - name: Create an outbound port rule + href: 
create-an-outbound-port-rule.md + - name: Create an outbound program or service rule + href: create-an-outbound-program-or-service-rule.md + - name: Create inbound rules to support RPC + href: create-inbound-rules-to-support-rpc.md - name: Troubleshoot items: - name: Troubleshoot UWP app connectivity issues in Windows Firewall From 2f07f758cb0cc347f7ee73eba65839be8d31cd3f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Sat, 11 Nov 2023 11:23:15 -0500 Subject: [PATCH 085/114] updates --- .../network-security/windows-firewall/toc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml index 417a72d9a2..28a9741aa4 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml @@ -1,8 +1,10 @@ items: - name: Overview href: windows-firewall-with-advanced-security.md - - name: Configure Windows firewall + - name: Configure Windows Firewall href: best-practices-configuring.md + - name: Configure Hyper-V firewall + href: hyper-v-firewall.md - name: Configure the Windows Firewall log href: configure-the-windows-firewall-log.md - name: Secure connections with IPsec @@ -11,8 +13,6 @@ items: href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md - name: Isolate Microsoft Store apps on your network href: isolating-apps-on-your-network.md - - name: Configure Hyper-V firewall - href: hyper-v-firewall.md - name: Firewall rules items: - name: Create firewall rules with Microsoft Intune From 34facc6fca60d1f5b06ee7fca462cfdd99599ed1 Mon Sep 17 00:00:00 2001 
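Review bot: PATCH 084 titles the new entry "Configure Windows firewall" (lowercase f) next to the sibling "Configure the Windows Firewall log", and places "Configure Hyper-V firewall" after the Microsoft Store isolation entry; PATCH 085 then fixes the capitalization and moves the Hyper-V entry back up under the firewall configuration entry, so the second commit largely reverses the first. Squash 084 and 085 into one "reorganize Windows Firewall TOC" commit so the history records a single restructuring. Content check on the 084 hunk: every entry removed from the flat list reappears, seven of them (Intune, inbound ICMP, inbound port, inbound program or service, outbound port, outbound program or service, RPC) under the new "Firewall rules" node, so nothing is dropped from navigation.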
From: Office Content Publishing 5 <87502544+officedocspr5@users.noreply.github.com> Date: Sat, 11 Nov 2023 23:32:30 -0800 Subject: [PATCH 086/114] Uploaded file: education-content-updates.md - 2023-11-11 23:32:30.2537 --- .../includes/education-content-updates.md | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index bae8eba426..dc91fc136e 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,20 +2,13 @@ -## Week of September 11, 2023 +## Week of November 06, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified | -| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | - - -## Week of September 04, 2023 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | -| 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified | -| 9/5/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | +| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | +| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | +| 11/9/2023 | What's new in the Windows Set up School PCs app | removed | +| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified | +| 11/9/2023 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified | From f151ac735d140b5ce04bc25f840544ad34db3434 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 07:16:08 -0500 Subject: [PATCH 087/114] fixed redirect --- .openpublishing.redirection.windows-security.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 5cda27e549..2d8efa4060 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -7797,7 +7797,7 @@ }, { "source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md", - "redirect_url": "previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)", "redirect_document_id": false }, { From 4ae3910efea1cfc8eefb2e303aa53d4e137142c3 Mon Sep 17 00:00:00 2001 
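Review bot: this hunk adds the missing leading slash for the configure-authentication-methods.md redirect, but the same defect in the gathering-the-information-you-need.md entry introduced by PATCH 082 (`"redirect_url": "previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)"`) is still unfixed. Add the `/` there in this same commit so the redirect file is consistent.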
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:25:14 -0500 Subject: [PATCH 088/114] metadata updates --- education/windows/autopilot-reset.md | 6 +----- education/windows/index.yml | 1 - education/windows/windows-11-se-overview.md | 1 - windows/application-management/index.yml | 1 - windows/client-management/mdm/index.yml | 1 - windows/configuration/configure-windows-10-taskbar.md | 8 -------- .../configuration/customize-and-export-start-layout.md | 1 - .../customize-start-menu-layout-windows-11.md | 7 ------- windows/configuration/customize-taskbar-windows-11.md | 1 - ...mize-windows-10-start-screens-by-using-group-policy.md | 7 ------- ...d-the-application-user-model-id-of-an-installed-app.md | 7 ------- .../configuration/guidelines-for-assigned-access-app.md | 6 ------ windows/configuration/index.yml | 1 - windows/configuration/kiosk-single-app.md | 5 ----- .../lock-down-windows-10-to-specific-apps.md | 7 ------- .../diagnose-provisioning-packages.md | 1 - .../provisioning-packages/provisioning-install-icd.md | 7 ------- .../provisioning-packages/provisioning-packages.md | 7 ------- .../stop-employees-from-using-microsoft-store.md | 8 -------- .../windows-10-start-layout-options-and-policies.md | 8 -------- windows/configuration/windows-spotlight.md | 7 ------- windows/hub/index.yml | 1 - .../user-account-control/how-it-works.md | 3 --- .../application-control/user-account-control/index.md | 3 --- .../applocker/applocker-overview.md | 1 - .../design/microsoft-recommended-driver-block-rules.md | 1 - .../windows-defender-application-control/wdac.md | 1 - .../install-md-app-guard.md | 3 --- .../md-app-guard-overview.md | 4 ---- .../windows-sandbox-configure-using-wsb-file.md | 3 --- .../windows-sandbox/windows-sandbox-overview.md | 3 --- ...e-virtualization-based-protection-of-code-integrity.md | 4 ---- .../kernel-dma-protection-for-thunderbolt.md | 1 - .../tpm/initialize-and-configure-ownership-of-the-tpm.md | 1 
- .../security/hardware-security/tpm/tpm-recommendations.md | 1 - .../tpm/trusted-platform-module-overview.md | 1 - .../tpm/trusted-platform-module-top-node.md | 1 - .../identity-protection/credential-guard/configure.md | 3 --- .../identity-protection/credential-guard/index.md | 1 - .../hello-cert-trust-policy-settings.md | 1 - .../identity-protection/hello-for-business/hello-faq.yml | 1 - .../hello-for-business/hello-feature-pin-reset.md | 1 - .../hello-for-business/hello-manage-in-organization.md | 1 - .../hello-why-pin-is-better-than-password.md | 1 - .../identity-protection/hello-for-business/index.md | 1 - windows/security/identity-protection/passkeys/index.md | 1 - .../identity-protection/passwordless-experience/index.md | 1 - .../identity-protection/remote-credential-guard.md | 1 - windows/security/identity-protection/web-sign-in/index.md | 1 - windows/security/index.yml | 1 - .../data-protection/bitlocker/index.md | 1 - .../data-protection/bitlocker/preboot-recovery-screen.md | 1 - .../data-protection/bitlocker/recovery-overview.md | 1 - .../data-protection/bitlocker/recovery-process.md | 1 - .../security-compliance-toolkit-10.md | 1 - .../windows-security-baselines.md | 1 - .../system-security/secure-the-windows-10-boot-process.md | 1 - .../windows-defender-security-center.md | 3 --- .../microsoft-defender-smartscreen/index.md | 6 +----- .../certification/fips-140-validation.md | 1 - 60 files changed, 2 insertions(+), 160 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 7b14deeb86..bb0223c8fc 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -5,10 +5,6 @@ ms.date: 08/10/2022 ms.topic: how-to appliesto: - ✅ Windows 10 -ms.collection: - - highpri - - tier2 - - education --- # Reset devices with Autopilot Reset 
@@ -60,7 +56,7 @@ You can set the policy using one of these methods: ## Trigger Autopilot Reset Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. -] + To trigger Autopilot Reset: 1. From the Windows device lock screen, enter the keystroke: CTRL + WIN + R. diff --git a/education/windows/index.yml b/education/windows/index.yml index 0c159bd537..3c3dfae79b 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -10,7 +10,6 @@ metadata: ms.technology: itpro-edu ms.collection: - education - - highpri - tier1 author: paolomatarazzo ms.author: paoloma diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 2fd353ae04..e82eb8a227 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -6,7 +6,6 @@ ms.date: 11/02/2023 appliesto: - ✅ Windows 11 SE ms.collection: - - highpri - education - tier1 --- diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index b08cd77d57..46ff46e15f 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -14,7 +14,6 @@ metadata: ms.prod: windows-client ms.collection: - tier1 - - highpri # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index 2e6a1b1f54..7944d29d03 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -10,7 +10,6 @@ metadata: ms.technology: itpro-manage ms.prod: windows-client ms.collection: - - highpri - tier1 author: vinaypamnani-msft ms.author: vinpa 
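Review bot: the second hunk in education/windows/autopilot-reset.md is a body-text fix, not metadata: it removes a stray `]` line that sat between the "Autopilot Reset is a two-step process" paragraph and "To trigger Autopilot Reset:". Good catch, but the commit message "metadata updates" does not mention it; call it out so the text fix is not lost in a metadata-only review.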
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index e80c753918..65937f4400 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,18 +1,10 @@ --- title: Configure Windows 10 taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: how-to -ms.localizationpriority: medium ms.date: 08/18/2023 -ms.reviewer: -manager: aaroncz -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure --- # Configure Windows 10 taskbar diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index c7298fc1d3..2173e2ee20 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -10,7 +10,6 @@ ms.topic: how-to ms.localizationpriority: medium ms.date: 08/18/2023 ms.collection: - - highpri - tier1 ms.technology: itpro-configure --- diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index 7ef410564c..2e959a035a 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md 
@@ -1,16 +1,9 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -manager: aaroncz author: lizgt2000 ms.author: lizlong ms.reviewer: ericpapa -ms.prod: windows-client -ms.localizationpriority: medium -ms.collection: - - highpri - - tier1 -ms.technology: itpro-configure ms.date: 01/10/2023 ms.topic: article --- diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index a38e34c05c..72a4298b7c 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -8,7 +8,6 @@ ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium ms.collection: - - highpri - tier1 ms.technology: itpro-configure ms.date: 08/17/2023 diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 40b7d5daac..94641458ae 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -3,15 +3,8 @@ title: Customize Windows 10 Start and taskbar with group policy description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.reviewer: manager: aaroncz -ms.prod: windows-client author: lizgt2000 -ms.localizationpriority: medium ms.author: lizlong -ms.topic: article -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure ms.date: 12/31/2017 --- 
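Review bot: metadata removal is uneven across these hunks. configure-windows-10-taskbar.md and customize-start-menu-layout-windows-11.md drop `ms.prod` and `ms.technology` entirely, while customize-taskbar-windows-11.md and customize-and-export-start-layout.md keep both and lose only the `highpri` collection entry, and customize-windows-10-start-screens-by-using-group-policy.md also loses `ms.topic: article`. If the intent is to rely on folder-level defaults in docfx.json, confirm those defaults supply ms.prod, ms.technology and ms.topic for windows/configuration; otherwise the pages that lost them will publish without product and topic metadata while their siblings keep it.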
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index ee9ad89242..5b78101494 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -1,17 +1,10 @@ --- title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm -manager: aaroncz description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. author: lizgt2000 ms.author: lizlong ms.topic: article -ms.localizationpriority: medium -ms.prod: windows-client -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure ms.date: 12/31/2017 --- # Find the Application User Model ID of an installed app diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index f1159c1544..95bcd1a788 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,16 +1,10 @@ --- title: Guidelines for choosing an app for assigned access description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -ms.prod: windows-client author: lizgt2000 -ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.reviewer: sybruckm -manager: aaroncz -ms.collection: - - highpri - - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index 0eace6a656..6eff88270a 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml 
@@ -9,7 +9,6 @@ metadata: ms.topic: landing-page # Required ms.prod: windows-client ms.collection: - - highpri - tier1 author: aczechowski ms.author: aaroncz diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index e74ea773a1..0218a198e2 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -2,16 +2,11 @@ title: Set up a single-app kiosk on Windows description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions. ms.reviewer: sybruckm -manager: aaroncz ms.author: lizlong -ms.prod: windows-client author: lizgt2000 -ms.localizationpriority: medium ms.topic: article ms.collection: - - highpri - tier1 -ms.technology: itpro-configure ms.date: 07/12/2023 --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 82a54e8848..a32e707e87 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,17 +1,10 @@ --- title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. -ms.prod: windows-client -ms.technology: itpro-configure author: lizgt2000 ms.author: lizlong -manager: aaroncz ms.reviewer: sybruckm -ms.localizationpriority: medium ms.topic: how-to -ms.collection: - - highpri - - tier2 ms.date: 11/08/2023 appliesto: - ✅ Windows 10 Pro diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md index 5a71baac61..4000de4867 100644 --- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md 
@@ -9,7 +9,6 @@ ms.prod: windows-client ms.technology: itpro-manage author: lizgt2000 ms.date: 01/18/2023 -ms.collection: highpri --- # Diagnose Provisioning Packages diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 22b8f9ad65..2f6782646c 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,17 +1,10 @@ --- title: Install Windows Configuration Designer description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. -ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article -ms.localizationpriority: medium ms.reviewer: kevinsheehan -manager: aaroncz -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 96dce6d256..aed5ec0d4a 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -2,16 +2,9 @@ title: Provisioning packages overview description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.reviewer: kevinsheehan -manager: aaroncz -ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article -ms.localizationpriority: medium -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure ms.date: 12/31/2017 --- 
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 9d33ff603e..416187989e 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,18 +1,10 @@ --- title: Configure access to Microsoft Store description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: conceptual -ms.localizationpriority: medium ms.date: 11/29/2022 -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure --- # Configure access to Microsoft Store diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index a3d8dd29c1..2603aa56ac 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -1,18 +1,10 @@ --- title: Customize and manage the Windows 10 Start and taskbar layout description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article -ms.localizationpriority: medium ms.date: 08/05/2021 -ms.collection: - - highpri - - tier2 -ms.technology: itpro-configure --- # Customize the Start menu and taskbar layout on Windows 10 and later devices diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 33bd24bcc8..b80b7b3a66 100644 --- a/windows/configuration/windows-spotlight.md 
+++ b/windows/configuration/windows-spotlight.md @@ -1,17 +1,10 @@ --- title: Configure Windows Spotlight on the lock screen description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article -ms.localizationpriority: medium ms.date: 04/30/2018 -ms.collection: - - highpri - - tier2 ms.technology: itpro-configure --- diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 7c0031c1e0..e651c1901d 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -10,7 +10,6 @@ metadata: ms.topic: hub-page ms.prod: windows-client ms.collection: - - highpri - tier1 author: paolomatarazzo ms.author: paoloma diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md index 2e4ec8b5e5..fa5d96ef91 100644 --- a/windows/security/application-security/application-control/user-account-control/how-it-works.md +++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md @@ -1,9 +1,6 @@ --- title: How User Account Control works description: Learn about User Account Control (UAC) components and how it interacts with the end users. -ms.collection: - - highpri - - tier2 ms.topic: concept-article ms.date: 05/24/2023 --- diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md index aad3fb9eab..3b5e6e8561 100644 --- a/windows/security/application-security/application-control/user-account-control/index.md +++ b/windows/security/application-security/application-control/user-account-control/index.md 
@@ -1,9 +1,6 @@ --- title: User Account Control description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices. -ms.collection: - - highpri - - tier2 ms.topic: overview ms.date: 05/24/2023 --- diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md index 7c130ac1f2..8bc7a51202 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md @@ -2,7 +2,6 @@ title: AppLocker description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.collection: -- highpri - tier3 - must-keep ms.topic: conceptual diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md index 3eac346b20..615226657c 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md 
@@ -3,7 +3,6 @@ title: Microsoft recommended driver block rules description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. ms.localizationpriority: medium ms.collection: -- highpri - tier3 - must-keep ms.date: 06/06/2023 diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index 22e5196913..500f4c397b 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md @@ -3,7 +3,6 @@ title: Application Control for Windows description: Application Control restricts which applications users are allowed to run and the code that runs in the system core. ms.localizationpriority: medium ms.collection: -- highpri - tier3 - must-keep ms.date: 08/30/2023 diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md index ac710efb7a..5deab8192a 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md @@ -3,9 +3,6 @@ title: Enable hardware-based isolation for Microsoft Edge description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. ms.date: 07/11/2023 ms.topic: how-to -ms.collection: - - highpri - - tier2 --- # Prepare to install Microsoft Defender Application Guard 
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md index d1547ce21e..8b2235111a 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,11 +1,7 @@ --- title: Microsoft Defender Application Guard description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet. -ms.localizationpriority: medium ms.date: 07/11/2023 -ms.collection: - - highpri - - tier2 ms.topic: conceptual --- diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 888bca39ce..b33a5b9f67 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -1,9 +1,6 @@ --- title: Windows Sandbox configuration description: Windows Sandbox configuration -ms.collection: - - highpri - - tier2 ms.topic: article ms.date: 05/25/2023 --- diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index 928d31e27b..676b2a8179 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md 
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md @@ -1,9 +1,6 @@ --- title: Windows Sandbox description: Windows Sandbox overview -ms.collection: - - highpri - - tier2 ms.topic: article ms.date: 05/25/2023 --- diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index a3404e644a..2748c9c816 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md @@ -1,10 +1,6 @@ --- title: Enable memory integrity description: This article explains the steps to opt in to using memory integrity on Windows devices. -ms.localizationpriority: medium -ms.collection: - - highpri - - tier2 ms.topic: conceptual ms.date: 03/16/2023 appliesto: diff --git a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md index 8ed52be240..f4092a1bc3 100644 --- a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md @@ -2,7 +2,6 @@ title: Kernel DMA Protection description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices. ms.collection: - - highpri - tier1 ms.topic: conceptual ms.date: 07/31/2023 diff --git a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md index e9374612fe..6eab697f4d 100644 --- a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md 
+++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -4,7 +4,6 @@ description: Learn how to view and troubleshoot the Trusted Platform Module (TPM ms.topic: conceptual ms.date: 02/02/2023 ms.collection: -- highpri - tier1 --- diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md index 1190a55d46..d9a7ce1a95 100644 --- a/windows/security/hardware-security/tpm/tpm-recommendations.md +++ b/windows/security/hardware-security/tpm/tpm-recommendations.md @@ -4,7 +4,6 @@ description: This topic provides recommendations for Trusted Platform Module (TP ms.topic: conceptual ms.date: 02/02/2023 ms.collection: -- highpri - tier1 --- diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md index 8d35f5065b..55f111a138 100644 --- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md @@ -4,7 +4,6 @@ description: Learn about the Trusted Platform Module (TPM) and how Windows uses ms.topic: conceptual ms.date: 02/22/2023 ms.collection: -- highpri - tier1 --- diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md index c19e762bdf..7befac5b61 100644 --- a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md +++ b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md @@ -4,7 +4,6 @@ description: This topic for the IT professional provides links to information ab ms.topic: conceptual ms.date: 02/02/2023 ms.collection: -- highpri - tier1 --- 
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 21c87bfeeb..e6e9d95ed6 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -2,9 +2,6 @@ title: Configure Credential Guard description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry. ms.date: 08/31/2023 -ms.collection: - - highpri - - tier2 ms.topic: how-to --- diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 710f148343..2827301105 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -4,7 +4,6 @@ description: Learn about Credential Guard and how it isolates secrets so that on ms.date: 08/31/2023 ms.topic: overview ms.collection: - - highpri - tier1 --- diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 8a414df385..a9ac0c22ae 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -2,7 +2,6 @@ title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario ms.collection: -- highpri - tier1 ms.date: 09/07/2023 ms.topic: tutorial diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 661971662b..67399ad857 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -5,7 +5,6 @@ metadata: author: paolomatarazzo ms.author: paoloma ms.collection: - - highpri - tier1 ms.topic: faq ms.date: 08/03/2023 diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index bf642eef73..0f28986895 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -2,7 +2,6 @@ title: PIN reset description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN. ms.collection: - - highpri - tier1 ms.date: 08/15/2023 ms.topic: how-to diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 999b35f45b..747447147e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -2,7 +2,6 @@ title: Manage Windows Hello in your organization description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business. ms.collection: - - highpri - tier1 ms.date: 9/25/2023 ms.topic: reference diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index f137de379f..220d17aff0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -2,7 +2,6 @@ title: Why a PIN is better than an online password description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password. ms.collection: - - highpri - tier1 ms.date: 03/15/2023 ms.topic: conceptual diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md index 953074993d..78c5cb451b 100644 --- a/windows/security/identity-protection/hello-for-business/index.md +++ b/windows/security/identity-protection/hello-for-business/index.md @@ -2,7 +2,6 @@ title: Windows Hello for Business Overview description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices. ms.collection: - - highpri - tier1 ms.topic: overview ms.date: 04/24/2023 diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md index 9ca4657426..44f695a852 100644 --- a/windows/security/identity-protection/passkeys/index.md +++ b/windows/security/identity-protection/passkeys/index.md @@ -2,7 +2,6 @@ title: Support for passkeys in Windows description: Learn about passkeys and how to use them on Windows devices. ms.collection: -- highpri - tier1 ms.topic: overview ms.date: 11/07/2023 diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md index 7ea73c4603..37dc49c775 100644 --- a/windows/security/identity-protection/passwordless-experience/index.md +++ b/windows/security/identity-protection/passwordless-experience/index.md 
@@ -2,7 +2,6 @@ title: Windows passwordless experience description: Learn how Windows passwordless experience enables your organization to move away from passwords. ms.collection: - - highpri - tier1 ms.date: 09/27/2023 ms.topic: how-to diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 5c99653fe4..ab2a40a041 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -2,7 +2,6 @@ title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.collection: -- highpri - tier1 ms.topic: how-to ms.date: 09/06/2023 diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md index ecf5811f4d..d2d61e204a 100644 --- a/windows/security/identity-protection/web-sign-in/index.md +++ b/windows/security/identity-protection/web-sign-in/index.md @@ -6,7 +6,6 @@ ms.topic: how-to appliesto: - ✅ Windows 11 ms.collection: - - highpri - tier1 --- diff --git a/windows/security/index.yml b/windows/security/index.yml index 40983d837f..7433169832 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -9,7 +9,6 @@ metadata: ms.prod: windows-client ms.technology: itpro-security ms.collection: - - highpri - tier1 author: paolomatarazzo ms.author: paoloma diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index c831cf49df..ebcd29c477 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md 
@@ -2,7 +2,6 @@ title: BitLocker overview description: Learn about BitLocker practical applications and requirements. ms.collection: - - highpri - tier1 ms.topic: overview ms.date: 10/30/2023 diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md index e694a95993..3f689cd1c4 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md @@ -2,7 +2,6 @@ title: BitLocker preboot recovery screen description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status. ms.collection: - - highpri - tier1 ms.topic: concept-article ms.date: 10/30/2023 diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md index d258db515e..80543b6176 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md @@ -2,7 +2,6 @@ title: BitLocker recovery overview description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks. ms.collection: - - highpri - tier1 ms.topic: how-to ms.date: 10/30/2023 diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index 76c314a7cb..9a83d1ff16 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md 
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md @@ -2,7 +2,6 @@ title: BitLocker recovery process description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive. ms.collection: - - highpri - tier1 ms.topic: how-to ms.date: 10/30/2023 diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index 0376d87c85..7274ec1569 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -3,7 +3,6 @@ title: Microsoft Security Compliance Toolkit Guide description: This article describes how to use Security Compliance Toolkit in your organization. ms.localizationpriority: medium ms.collection: - - highpri - tier3 ms.topic: conceptual ms.date: 10/31/2023 diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md index 63b6cae99b..1463d2af20 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md 
@@ -3,7 +3,6 @@ title: Security baselines guide description: Learn how to use security baselines in your organization. ms.localizationpriority: medium ms.collection: - - highpri - tier3 ms.topic: conceptual ms.date: 07/11/2023 diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md index b1bfa3ebb1..3daa0cbf86 100644 --- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md +++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md @@ -4,7 +4,6 @@ description: This article describes how Windows security features help protect y ms.topic: conceptual ms.date: 08/11/2023 ms.collection: - - highpri - tier1 --- diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md index 1970d566b4..5ff128f685 100644 --- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md @@ -3,9 +3,6 @@ title: Windows Security description: Windows Security brings together common Windows security features into one place. ms.date: 08/11/2023 ms.topic: article -ms.collection: - - highpri - - tier2 --- # Windows Security diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md index 9b52d9fb84..b5af241045 100644 
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md @@ -2,11 +2,7 @@ title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. ms.date: 08/11/2023 -ms.topic: article -ms.localizationpriority: high -ms.collection: - - tier2 - - highpri +ms.topic: conceptual appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md index 1cb3c7c91f..8c37615928 100644 --- a/windows/security/security-foundations/certification/fips-140-validation.md +++ b/windows/security/security-foundations/certification/fips-140-validation.md @@ -7,7 +7,6 @@ manager: aaroncz ms.author: paoloma author: paolomatarazzo ms.collection: - - highpri - tier3 ms.topic: reference ms.localizationpriority: medium From 7fe9b6b26130a5d2fec157865bff36728e24c950 Mon Sep 17 00:00:00 2001 
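Review bot: The windows-defender-security-center.md hunk removes the entire `ms.collection` block, so `- tier2` goes away together with `- highpri`, while every other hunk in this patch deletes only the `- highpri` line and keeps the tier entry. If the goal is just to drop `highpri`, keep `ms.collection:` with `- tier2`; if the tier is meant to go too, say so in the commit message since it changes how the page is grouped.

Review bot: The SmartScreen index.md hunk changes `ms.topic: article` to `ms.topic: conceptual` and drops `ms.localizationpriority: high` and `- tier2` in the same change as the `highpri` cleanup. The topic-type and localization-priority changes affect page classification and translation scheduling, not just collection tags, so either split them into their own commit or call them out explicitly in this one.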
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:42:24 -0500 Subject: [PATCH 089/114] updates --- windows/security/docfx.json | 4 +--- .../identity-protection/credential-guard/index.md | 2 -- .../hello-cert-trust-policy-settings.md | 2 -- .../hello-for-business/hello-deployment-rdp-certs.md | 2 -- .../hello-for-business/hello-faq.yml | 2 -- .../hello-for-business/hello-feature-pin-reset.md | 2 -- .../hello-feature-remote-desktop.md | 2 -- .../hello-for-business/hello-identity-verification.md | 2 -- .../hello-manage-in-organization.md | 2 -- .../hello-why-pin-is-better-than-password.md | 2 -- .../identity-protection/hello-for-business/index.md | 2 -- .../identity-protection/remote-credential-guard.md | 2 -- .../security/licensing-and-edition-requirements.md | 2 -- .../data-protection/bitlocker/faq.yml | 4 +--- .../data-protection/bitlocker/index.md | 2 -- .../data-protection/bitlocker/operations-guide.md | 2 -- .../bitlocker/preboot-recovery-screen.md | 2 -- .../data-protection/bitlocker/recovery-overview.md | 2 -- .../data-protection/bitlocker/recovery-process.md | 2 -- .../security-compliance-toolkit-10.md | 3 --- .../windows-security-baselines.md | 3 --- .../certification/fips-140-validation.md | 11 +---------- 22 files changed, 3 insertions(+), 56 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 7421416038..4dffa28451 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json 
@@ -222,14 +222,12 @@ "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck" }, "ms.collection": { - "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ], "identity-protection/hello-for-business/*.md": "tier1", "information-protection/pluton/*.md": "tier1", "information-protection/tpm/*.md": "tier1", "threat-protection/auditing/*.md": "tier3", "operating-system-security/data-protection/bitlocker/*.md": "tier1", - "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1", - "operating-system-security/network-security/windows-firewall/*.md": [ "tier2", "must-keep" ] + "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1" } }, "template": [], diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md index 2827301105..0fe80abdd8 100644 --- a/windows/security/identity-protection/credential-guard/index.md +++ b/windows/security/identity-protection/credential-guard/index.md @@ -3,8 +3,6 @@ title: Credential Guard overview description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them. ms.date: 08/31/2023 ms.topic: overview -ms.collection: - - tier1 --- # Credential Guard overview diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index a9ac0c22ae..830d49e11a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -1,8 +1,6 @@ --- title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario -ms.collection: -- tier1 ms.date: 09/07/2023 ms.topic: tutorial --- diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 315ce4361f..420aee5ed1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,8 +1,6 @@ --- title: Deploy certificates for remote desktop sign-in description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. -ms.collection: - - tier1 ms.topic: how-to ms.date: 07/25/2023 --- diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 67399ad857..4f52648ad3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -4,8 +4,6 @@ metadata: description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business. author: paolomatarazzo ms.author: paoloma - ms.collection: - - tier1 ms.topic: faq ms.date: 08/03/2023 diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 0f28986895..5dda9f66b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,8 +1,6 @@ --- title: PIN reset description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN. -ms.collection: - - tier1 ms.date: 08/15/2023 ms.topic: how-to --- diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 8e7e89b38e..d7d52bf8c8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -3,8 +3,6 @@ title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop ms.date: 09/01/2023 ms.topic: conceptual -ms.collection: -- tier1 --- # Remote Desktop diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index ea4c5a3119..61dffe9d37 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -3,8 +3,6 @@ ms.date: 10/09/2023 title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.topic: overview -ms.collection: -- tier1 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 747447147e..896453d0bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -1,8 +1,6 @@ --- title: Manage Windows Hello in your organization description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business. -ms.collection: - - tier1 ms.date: 9/25/2023 ms.topic: reference --- diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 220d17aff0..6be7e8008f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -1,8 +1,6 @@ --- title: Why a PIN is better than an online password description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password. -ms.collection: - - tier1 ms.date: 03/15/2023 ms.topic: conceptual --- diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md index 78c5cb451b..e0be2b5b93 100644 --- a/windows/security/identity-protection/hello-for-business/index.md +++ b/windows/security/identity-protection/hello-for-business/index.md @@ -1,8 +1,6 @@ --- title: Windows Hello for Business Overview description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices. -ms.collection: - - tier1 ms.topic: overview ms.date: 04/24/2023 --- diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index ab2a40a041..7fee850283 100644 --- a/windows/security/identity-protection/remote-credential-guard.md 
+++ b/windows/security/identity-protection/remote-credential-guard.md @@ -1,8 +1,6 @@ --- title: Remote Credential Guard description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. -ms.collection: -- tier1 ms.topic: how-to ms.date: 09/06/2023 appliesto: diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md index 6b192f2171..5f18fd26da 100644 --- a/windows/security/licensing-and-edition-requirements.md +++ b/windows/security/licensing-and-edition-requirements.md @@ -1,8 +1,6 @@ --- title: Windows security features licensing and edition requirements description: Learn about Windows licensing and edition requirements for the features included in Windows. -ms.collection: -- tier2 ms.topic: conceptual ms.date: 06/15/2023 appliesto: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml index 3973bbbe52..e67401c81a 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml @@ -1,9 +1,7 @@ ### YamlMime:FAQ metadata: title: BitLocker FAQ - description: Learn more about BitLocker by reviewing the frequently asked questions. - ms.collection: - - tier1 + description: Learn more about BitLocker by reviewing the frequently asked questions. ms.topic: faq ms.date: 10/30/2023 title: BitLocker FAQ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index ebcd29c477..9d9ff5daed 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md 
@@ -1,8 +1,6 @@ --- title: BitLocker overview description: Learn about BitLocker practical applications and requirements. -ms.collection: - - tier1 ms.topic: overview ms.date: 10/30/2023 --- diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md index bdbd2a6e80..380ac306c4 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md @@ -1,8 +1,6 @@ --- title: BitLocker operations guide description: Learn how to use different tools to manage and operate BitLocker. -ms.collection: - - tier1 ms.topic: how-to ms.date: 10/30/2023 --- diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md index 3f689cd1c4..78ab928ae2 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md @@ -1,8 +1,6 @@ --- title: BitLocker preboot recovery screen description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status. -ms.collection: - - tier1 ms.topic: concept-article ms.date: 10/30/2023 --- diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md index 80543b6176..a8446d34d2 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md 
@@ -1,8 +1,6 @@ --- title: BitLocker recovery overview description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks. -ms.collection: - - tier1 ms.topic: how-to ms.date: 10/30/2023 --- diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index 9a83d1ff16..b002833d87 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md @@ -1,8 +1,6 @@ --- title: BitLocker recovery process description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive. -ms.collection: - - tier1 ms.topic: how-to ms.date: 10/30/2023 --- diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index 7274ec1569..fa66e1ee5c 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -1,9 +1,6 @@ --- title: Microsoft Security Compliance Toolkit Guide description: This article describes how to use Security Compliance Toolkit in your organization. -ms.localizationpriority: medium -ms.collection: - - tier3 ms.topic: conceptual ms.date: 10/31/2023 --- 
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md index 1463d2af20..851c7a72c1 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md @@ -1,9 +1,6 @@ --- title: Security baselines guide description: Learn how to use security baselines in your organization. -ms.localizationpriority: medium -ms.collection: - - tier3 ms.topic: conceptual ms.date: 07/11/2023 --- diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md index 8c37615928..4fe6de6b5f 100644 --- a/windows/security/security-foundations/certification/fips-140-validation.md +++ b/windows/security/security-foundations/certification/fips-140-validation.md @@ -1,17 +1,8 @@ --- title: Federal Information Processing Standard (FIPS) 140 Validation description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140. -ms.prod: windows-client -ms.date: 08/18/2023 -manager: aaroncz -ms.author: paoloma -author: paolomatarazzo -ms.collection: - - tier3 +ms.date: 11/13/2023 ms.topic: reference -ms.localizationpriority: medium -ms.reviewer: -ms.technology: itpro-security --- # FIPS 140-2 Validation From e03b7f1f78149b5a2524627a07cc3193a4eb7b5a Mon Sep 17 00:00:00 2001 
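Review bot: The docfx.json hunk deletes the whole collection entries for `application-security/application-control/windows-defender-application-control/**/*.md` (`[ "tier3", "must-keep" ]`) and `operating-system-security/network-security/windows-firewall/*.md` (`[ "tier2", "must-keep" ]`) instead of trimming them. `must-keep` reads as a deliberate retention marker, and no other hunk in this patch touches those folders, so confirm the deletion is intended rather than collateral to the per-file tier cleanup. The trailing comma is correctly dropped from the now-last `personal-data-encryption` entry, so the JSON stays valid.

Review bot: Removing `ms.collection: - tier1` from the hello-for-business and bitlocker pages is redundant-only cleanup, because the docfx.json hunk still carries the globs `identity-protection/hello-for-business/*.md: "tier1"` and `operating-system-security/data-protection/bitlocker/*.md: "tier1"`. No glob visible in that hunk covers credential-guard/index.md, remote-credential-guard.md, licensing-and-edition-requirements.md, security-compliance-toolkit-10.md, windows-security-baselines.md or fips-140-validation.md, so those pages lose their tier value entirely; if that is not the intent, add globs for them or keep the per-file values.

Review bot: In the bitlocker/faq.yml hunk the `description:` line under `metadata:` is removed and re-added with what appears to be identical text. If the only difference is trailing whitespace that is fine, but verify the re-added line keeps the same two-space nesting under `metadata:`, since a stray indentation change there breaks the YamlMime:FAQ front matter.

Review bot: The fips-140-validation.md hunk strips `manager: aaroncz`, `ms.author: paoloma`, `author: paolomatarazzo`, `ms.prod`, `ms.technology` and the empty `ms.reviewer:` in addition to `ms.collection`, which goes beyond the tier cleanup the rest of this patch performs. The author fields are restored in the following commit, so squash that fix into this one (or keep the fields here) so no intermediate commit leaves the page without an author, and confirm `manager` and `ms.prod` are supplied by docfx.json before relying on the removal.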
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:54:55 -0500 Subject: [PATCH 090/114] updates --- .../certification/fips-140-validation.md | 4 +++- .../certification/windows-platform-common-criteria.md | 6 +----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md index 4fe6de6b5f..295dd13ce0 100644 --- a/windows/security/security-foundations/certification/fips-140-validation.md +++ b/windows/security/security-foundations/certification/fips-140-validation.md @@ -3,6 +3,8 @@ title: Federal Information Processing Standard (FIPS) 140 Validation description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140. ms.date: 11/13/2023 ms.topic: reference +ms.author: paoloma +author: paolomatarazzo --- # FIPS 140-2 Validation 
@@ -11,7 +13,7 @@ ms.topic: reference The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. -The [Cryptographic Module Validation Program (CMVP)][HTTP-1]) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module. +The [Cryptographic Module Validation Program (CMVP)][HTTP-1] is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module. ## Microsoft's approach to FIPS 140-2 validation diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md index 0f426874c2..d342773f2c 100644 --- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md 
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md @@ -1,17 +1,13 @@ --- title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. -ms.prod: windows-client ms.author: sushmanemali author: s4sush -manager: aaroncz ms.topic: reference -ms.localizationpriority: medium ms.date: 11/4/2022 ms.reviewer: paoloma -ms.technology: itpro-security ms.collection: - - tier3 +- tier3 --- # Common Criteria certifications From 4e62b693a8297392e334cb31a7f6d8d6864dd069 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 11:04:11 -0500 Subject: [PATCH 091/114] Acrolinx --- .../diagnose-provisioning-packages.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md index 4000de4867..e5fbf3eb4f 100644 --- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md @@ -1,7 +1,6 @@ --- title: Diagnose Provisioning Packages description: Diagnose general failures in provisioning. -ms.reviewer: manager: aaroncz ms.author: lizlong ms.topic: article 
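Review bot: The fips-140-validation.md hunk re-adds `ms.author: paoloma` and `author: paolomatarazzo`, which the previous commit removed, but `manager: aaroncz` was dropped at the same time and is not restored here; confirm docfx.json supplies it globally or add it back. The link fix is correct: the stray `)` after `[HTTP-1]` would have rendered as a literal parenthesis after the CMVP link.

Review bot: The windows-platform-common-criteria.md hunk changes only the indentation of `- tier3` under `ms.collection:` (two spaces to none) while also dropping `ms.prod`, `manager` and `ms.technology`. Both list indentations are valid YAML, so the whitespace change is harmless but adds noise to the diff; as with the FIPS page, make sure the removed `manager` and `ms.prod` values are provided globally before this merges.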
@@ -25,16 +24,16 @@ To apply the power settings successfully with the [correct security context](/wi ## Unable to perform bulk enrollment in Microsoft Entra ID -When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). +When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). > [!NOTE] -> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected. +> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected. ## Unable to apply a multivariant provisioning package -When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. There may have been improperly authored conditions that did not evaluate as expected. 
+When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected. -Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package was not applied. +Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied. You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report: From 6fb803b85cbfc93cb22b9aed5134f8f00950d653 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Nov 2023 11:58:05 -0500 Subject: [PATCH 092/114] fix broken #line7939 link --- .openpublishing.redirection.windows-security.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 2d8efa4060..9615d03df7 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -7927,7 +7927,7 @@ }, { "source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md", - "redirect_url": "previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)", + "redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)", "redirect_document_id": false }, { From 9233c19bf30e7555a1c9ab97ea0585caa53bce93 Mon Sep 17 00:00:00 2001 
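Review bot: In the bulk-enrollment hunk, "the bulk token request is rejected, if the user requesting a bulk token isn't authorized" keeps the comma before "if", which makes the condition read as an afterthought; drop the comma so the sentence reads "the bulk token request is rejected if the user requesting a bulk token isn't authorized to grant application consent". In the multivariant hunk, "There may have been improperly authored conditions that didn't evaluate as expected" is left unchanged while the adjacent sentences switched "may" to "might"; change it to "might" so the Acrolinx pass is consistent within the section.

Review bot: The redirection fix adds the missing leading `/` so `redirect_url` is a site-root-relative path, which is what the `source_path` entries around it use. Since the commit message names a single line, it is worth grepping `.openpublishing.redirection.windows-security.json` for other `redirect_url` values that begin with `previous-versions/` without the slash and fixing them in the same commit.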
From: Aaron Czechowski Date: Tue, 14 Nov 2023 09:12:40 -0800 Subject: [PATCH 093/114] remove old broken links --- browsers/edge/microsoft-edge.yml | 8 ------- windows/deployment/windows-10-poc.md | 21 +------------------ .../whats-new-windows-10-version-1909.md | 2 +- 3 files changed, 2 insertions(+), 29 deletions(-) diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index e95c203c60..addd4468b1 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -40,14 +40,6 @@ landingContent: - text: Evaluate the impact url: ./microsoft-edge-forrester.md - # Card (optional) - - title: Test your site on Microsoft Edge - linkLists: - - linkListType: overview - links: - - text: Test your site on Microsoft Edge for free on BrowserStack - url: https://developer.microsoft.com/microsoft-edge/tools/remote/ - # Card (optional) - title: Improve compatibility with Enterprise Mode linkLists: diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 40769fc671..11b304e822 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf > [!IMPORTANT] > Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network. -If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: - -1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page. - - > [!NOTE] - > The above link may not be available in all locales. - -2. Under **Virtual machine**, choose **IE11 on Win7**. - -3. Under **Select platform**, choose **HyperV (Windows)**. - -4. Select **Download .zip**. The download is 3.31 GB. - -5. Extract the zip file. Three directories are created. - -6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. - -7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). - -8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. + If you have a PC available to convert to VM (computer 2): diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index d40de13c9d..5ab89168fd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md 
@@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a ### Transport Layer Security (TLS) -An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/) +An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. >[!NOTE] >The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-). From 0cbbc1a73108e256bd5a7a0a587f238e375de191 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 14 Nov 2023 09:44:27 -0800 Subject: [PATCH 094/114] fix MicrosoftDocs/windows-itpro-docs#11815 --- windows/whats-new/temporary-enterprise-feature-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index 122c8a1f8f..ba0ca795c1 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md 
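Review bot: The windows-10-poc.md hunk removes the whole "If you don't have a PC available to convert to VM" procedure but leaves a whitespace-only `+ ` line in its place, and the remaining heading "If you have a PC available to convert to VM (computer 2):" now has no alternative path for readers without a spare machine. Either add a sentence stating that a second physical PC is required for this step, or keep the procedure and remove only the dead download link. The deleted step 8 also told readers to substitute `w7.vhd` for `w7.vhdx` in step 5 of the Configure Hyper-V section, so check that section for references to the evaluation VHD that are now orphaned.

Review bot: While editing the TLS 1.3 paragraph in whats-new-windows-10-version-1909.md, fix the typo "experiental" in the NOTE two lines below; it sits in the unchanged context of this hunk and should read "experimental". Removing the dead platform-status link is fine, since the sentence stands on its own without it.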
@@ -73,5 +73,5 @@ The following features introduced through the monthly cumulative updates allow p | The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start)

    **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**| | **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems)

    **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View**

    **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. | | Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)| -| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

    **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| +| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

    **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| |Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**:
    - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive)
    - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy)

    **Group Policies**:
    - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive**
    - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**| From 6abb05a5a5df108a3bfe11fdc44daca33dfadee8 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 14:21:46 -0500 Subject: [PATCH 095/114] Remove bad links to PDF --- .../deployment/deploy-enterprise-licenses.md | 4 +- windows/deployment/mbr-to-gpt.md | 163 ++++++++++++------ .../deployment/vda-subscription-activation.md | 4 +- .../windows-10-subscription-activation.md | 4 +- 4 files changed, 116 insertions(+), 59 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 8ad4658ea1..f94f31723e 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -14,7 +14,7 @@ ms.collection: appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.date: 11/23/2022 +ms.date: 11/14/2023 --- # Deploy Windows Enterprise licenses @@ -306,6 +306,6 @@ If a device isn't able to connect to Windows Update, it can lose activation stat ## Virtual Desktop Access (VDA) -Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster. Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). 
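Review bot: the corrected CSP path `./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot]` now uses the same `Policy/Config` form as the other rows in this table, so the fix itself looks right. One unchanged context line in the same table still carries what appears to be a typo in a link anchor: `policy-csp-filesystem#enableeeverive` for the EnableDevDrive policy, where the neighbouring entry follows the lowercase-policy-name pattern (`#devdriveattachpolicy`). Worth a follow-up so that link resolves.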
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 2ab8313425..9b709effc7 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 11/23/2022 +ms.date: 10/17/2023 manager: aaroncz ms.localizationpriority: high ms.topic: how-to @@ -12,19 +12,18 @@ ms.collection: - highpri - tier2 ms.technology: itpro-deploy +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 --- # MBR2GPT.EXE -*Applies to:* - -- Windows 10 - **MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. -MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later. +**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows. -The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. +The tool is available in both the full OS environment and Windows PE. See the following video for a detailed description and demonstration of MBR2GPT. 
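Review bot: the rewritten intro drops the minimum version that the removed text stated (Windows 10 version 1703 or later for the tool, and Windows ADK 1703 or later for the Windows PE image used in Configuration Manager or MDT task sequences). "is located in the `Windows\System32` directory on a computer running Windows" and "The tool is available in both the full OS environment and Windows PE." no longer tell a reader with an older build or an older boot image why the tool is missing. Suggest keeping a one-line minimum-version statement, or at least the ADK requirement for the task-sequence case.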
@@ -34,12 +33,12 @@ You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT. - Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. -- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. -- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later. +- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT). -Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. +Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion. > [!IMPORTANT] +> > After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. > > Make sure that your device supports UEFI before attempting to convert the disk. 
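Review bot: the rewritten sentence "Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported" keeps a subject/verb mismatch; the subject is "conversion", so it should read "isn't officially supported". The bullet about offline conversion of disks with 1507, 1511, or 1607 installed is also removed without a replacement; if that scenario is still supported it should be restated in version-neutral terms rather than deleted, since it is the case where running from Windows PE (not the full OS) is mandatory.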
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry - The disk doesn't have any extended/logical partition - The BCD store on the system partition contains a default OS entry pointing to an OS partition - The volume IDs can be retrieved for each volume that has a drive letter assigned -- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option -If any of these checks fails, the conversion won't proceed, and an error will be returned. +If any of these checks fails, the conversion doesn't proceed, and an error is returned. ## Syntax 
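Review bot: the edited validation bullet still has an agreement error: "All partitions on the disk are of MBR types recognized by Windows or has a mapping specified" should be "have a mapping specified". This list is the set of pre-checks that decide whether the conversion is refused, so the wording is worth getting exact while the line is being touched.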
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be |**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. | |**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. | |**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| -|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.| +|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.| |**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.| +|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.| ## Examples @@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**. ```cmd -X:\>mbr2gpt.exe /validate /disk:0 +X:\> mbr2gpt.exe /validate /disk:0 MBR2GPT: Attempting to validate disk 0 MBR2GPT: Retrieving layout of disk MBR2GPT: Validating layout, disk sector size is: 512 
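Review bot: adding a space after the `X:\>` prompt in the validation example edits a captured console transcript rather than a command; fine as a readability change, but it is now inconsistent with the DiskPart transcript later in the same file, which still shows `X:\>DiskPart.exe` with no space. Pick one form for all prompts in the article.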
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully In the following example: -1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0): -2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. + - A system reserved partition. + - A Windows partition. + - A recovery partition. + - A DVD-ROM is also present as volume 0. -3. The MBR2GPT tool is used to convert disk 0. +1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type. -4. The DiskPart tool displays that disk 0 is now using the GPT format. +1. The MBR2GPT tool is used to convert disk 0. -5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). +1. The DiskPart tool displays that disk 0 is now using the GPT format. -6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. +1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). 
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. +1. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. + +As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
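Review bot: in the restructured step 1, "A DVD-ROM is also present as volume 0." has become the fourth sub-bullet under "three partitions are present on the MBR disk (disk 0):", which reads as if the DVD-ROM were one of the partitions on disk 0; the original sentence kept it separate. Suggest moving it out of the sub-list as its own sentence after the three partition bullets.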
    
@@ -240,42 +244,44 @@ Offset in Bytes: 524288000 The following steps illustrate high-level phases of the MBR-to-GPT conversion process: 1. Disk validation is performed. -2. The disk is repartitioned to create an EFI system partition (ESP) if one doesn't already exist. -3. UEFI boot files are installed to the ESP. +2. The disk is repartitioned to create an EFI system partition if one doesn't already exist. +3. UEFI boot files are installed to the EFI system partition. 4. GPT metadata and layout information are applied. 5. The boot configuration data (BCD) store is updated. 6. Drive letter assignments are restored. ### Creating an EFI system partition -For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules: +For Windows to remain bootable after the conversion, an EFI system partition must be in place. MBR2GPT creates the EFI system partition using the following rules: 1. The existing MBR system partition is reused if it meets these requirements: - 1. It isn't also the OS or Windows Recovery Environment partition. - 1. It is at least 100 MB (or 260 MB for 4K sector size disks) in size. - 1. It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition. - 1. The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed. -2. If the existing MBR system partition can't be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32. + - It isn't also the OS or Windows Recovery Environment partition. + - It is at least 100 MB (or 260 MB for 4K sector size disks) in size. + - It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition. + - The conversion isn't being performed from the full OS. 
In this case, the existing MBR system partition is in use and can't be repurposed. -If the existing MBR system partition isn't reused for the ESP, it's no longer used by the boot process after the conversion. Other partitions aren't modified. +2. If the existing MBR system partition can't be reused, a new EFI system partition is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32. ->[!IMPORTANT] ->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. +If the existing MBR system partition isn't reused for the EFI system partition, it's no longer used by the boot process after the conversion. Other partitions aren't modified. + +> [!IMPORTANT] +> +> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter. ### Partition type mapping and partition attributes Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules: -1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). -2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used. -3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac). -4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7). +1. 
The EFI system partition is always set to partition type **PARTITION_SYSTEM_GUID** (**c12a7328-f81f-11d2-ba4b-00a0c93ec93b**). +2. If an MBR partition is of a type that matches one of the entries specified in the `/map` switch, the specified GPT partition type ID is used. +3. If the MBR partition is of type **0x27**, the partition is converted to a GPT partition of type **PARTITION_MSFT_RECOVERY_GUID** (**de94bba4-06d1-4d40-a16a-bfd50179d6ac**). +4. All other MBR partitions recognized by Windows are converted to GPT partitions of type **PARTITION_BASIC_DATA_GUID** (**ebd0a0a2-b9e5-4433-87c0-68b6b72699c7**). In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set: -- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001) -- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000) +- **GPT_ATTRIBUTE_PLATFORM_REQUIRED** (**0x0000000000000001**) +- **GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER** (**0x8000000000000000**) For more information about partition types, see: 
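Review bot: the reuse-requirements list mixes contraction styles ("It is at least 100 MB" next to "It's less than or equal to 1 GB"), and the rewritten IMPORTANT note keeps "is not" and "do not" while the rest of this patch converts to "isn't" and "doesn't"; pick one style across the section. The ESP-to-"EFI system partition" expansion and the bolded GUIDs and attribute flags otherwise read consistently.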
@@ -284,20 +290,21 @@ For more information about partition types, see: ### Persisting drive letter assignments -The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. +The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. > [!IMPORTANT] +> > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. -The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following: +The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following: 1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. 2. If found, set the value to be the new unique ID, obtained after the layout conversion. -3. If the new unique ID can't be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. +3. 
If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. ## Troubleshooting -The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). +The tool displays status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this information is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs). ### Logs 
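Review bot: "The conversion tool will obtain volume unique ID data" is left in future tense on the rewritten line while the same paragraph was changed to present tense ("attempts", "iterates"); change to "obtains". In the Troubleshooting paragraph, "Both validation and conversion are clear if any errors are encountered" is ambiguous; it appears to mean that both phases report clearly when errors occur, so "clearly report any errors that are encountered" would say that.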
@@ -308,16 +315,21 @@ Four log files are created by the MBR2GPT tool: - setupact.log - setuperr.log -These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. +These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The `setupact.log` and `setuperr.log` files have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. > [!NOTE] -> The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory. +> +> The **setupact*.log** files are different than the Windows Setup files that are found in the `%Windir%\Panther` directory. The default location for all these log files in Windows PE is **%windir%**. ### Interactive help -To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`** +To view a list of options available when using the tool, enter the following command in an elevated command prompt: + +```cmd +mbr2gpt.exe /? +``` The following text is displayed: 
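Review bot: `**setupact*.log**` puts a literal asterisk inside bold markers, which Markdown renderers can mis-parse. Since `setupact.log` and `setuperr.log` on the line above were just changed to backtick code formatting, use the same code formatting for the wildcard name instead of bold.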
@@ -378,7 +390,21 @@ MBR2GPT has the following associated return codes: ### Determining the partition type -You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown: +The partition type can be determined in one of three ways: + +- Using Windows PowerShell +- Using the Disk Management tool +- Using the DiskPart tool + +#### Windows PowerShell + +You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type: + +```powershell +Get-Disk | ft -Auto +`````` + +Example output: ```powershell PS C:\> Get-Disk | ft -Auto 
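Review bot: the added `Get-Disk | ft -Auto` block is closed with six backticks instead of three; most renderers still close the fence, but it is a typo that trips linters, so trim it to three. The "Example output" block then repeats the same command on its `PS C:\>` line; that is acceptable for a transcript, but keep the two copies identical.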
@@ -389,11 +415,43 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To 1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT ``` -You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example: +#### Disk Management tool -:::image type="content" alt-text="Volumes." source="images/mbr2gpt-volume.png"::: +You can view the partition type of a disk by using the Disk Management tool: -If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: +1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**. + +1. In the **Disk Management** window that appears: + + 1. On the bottom pane, select the disk number of interest. + + 1. Select the **Action** menu and then select **All Tasks > Properties**. Alternatively, right-click on the disk number of interest and select **Properties**. + + 1. In the **Properties** dialog box that appears for the disk, select the **Volumes** tab. + + 1. Under the **Volumes** tab, the partition type is displayed next to **Partition style:**. + +#### DiskPart tool + +The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE when the PowerShell optional component in WinPE isn't loaded. To use the DiskPart tool to determine the partition type: + +1. Open an elevated command prompt. + +1. 
In the elevated command prompt that opens enter the following command: + + ```cmd + DiskPart.exe + ``` + +1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command: + + ```cmd + list disk + ``` + +1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank. + +The following shows an example output of the DiskPart tool showing the partition type for two disks: ```cmd X:\>DiskPart.exe @@ -472,6 +530,5 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from ## Related articles -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index df89fc602d..aefcd10aa4 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -9,7 +9,7 @@ ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: how-to -ms.date: 11/23/2022 +ms.date: 11/14/2023 --- # Configure VDA for Windows subscription activation @@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios: - VMs must be running a supported version of Windows Pro edition. - VMs must be joined to Active Directory or Microsoft Entra ID. -- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). ## Activation diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6b8718bf68..a5900a5a13 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.topic: conceptual -ms.date: 11/23/2022 +ms.date: 11/14/2023 appliesto: - ✅ Windows 10 - ✅ Windows 11 
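Review bot: in the DiskPart steps, "is displayed in the command prompt windows" should be "window", and "If the partition is GPT ... If the partition is MBR" describes the `Gpt` column of `list disk`, which reports each disk's partition style, so "If the disk is GPT" / "If the disk is MBR" is the accurate wording; "the column will be blank" also keeps the future tense the rest of this patch removes. The nested ```cmd fences inside the numbered list need the same indentation as the list item text, otherwise the block renders outside the step. In the Related articles hunk, dropping the forum link and converting the remaining two to bullets is fine.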
@@ -239,7 +239,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise ## Virtual Desktop Access (VDA) -Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). From 031c9b23dbe1011429c4fc8f5a3479f68a618033 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 15:44:04 -0500 Subject: [PATCH 096/114] Add optional cloud app name It appears that the cloud app that needs to be excluded can have one of two names. Adding in the name of the second cloud app for clarify. --- .../deployment/windows-10-subscription-activation.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6b8718bf68..ffa1ab5454 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.topic: conceptual -ms.date: 11/23/2022 +ms.date: 11/14/2023 appliesto: - ✅ Windows 10 - ✅ Windows 11 
@@ -39,7 +39,15 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps rom their Conditional Access policies using **Select Excluded Cloud Apps**. +> +> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> +> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant. 
+> +> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise From a5788d4d3c67f852bcea08705092b426fc72c415 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 15:50:16 -0500 Subject: [PATCH 097/114] Fix typo Fix typo --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index ffa1ab5454..8c5131b40e 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
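Review bot: "rom their Conditional Access policies" is missing the "f" in "from". Also, since both entries carry the same AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f and only the display name varies by tenant, the guidance would be more robust if the "Although the app ID is the same in both instances" sentence told admins to locate the app in **Select Excluded Cloud Apps** by its application ID rather than by either display name.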
@@ -40,7 +40,7 @@ For more information on how to deploy Enterprise licenses, see [Deploy Windows E > [!NOTE] > -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps rom their Conditional Access policies using **Select Excluded Cloud Apps**. +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**. > > - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). > - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). From 42ccbc771847eb9271afc0e816a6cabb27391c0b Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com> Date: Tue, 14 Nov 2023 13:14:30 -0800 Subject: [PATCH 098/114] fix indents/numbering --- windows/deployment/mbr-to-gpt.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 9b709effc7..1b24406aee 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
@@ -439,15 +439,15 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i 1. In the elevated command prompt that opens enter the following command: - ```cmd - DiskPart.exe - ``` + ```cmd + DiskPart.exe + ``` 1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command: - ```cmd - list disk - ``` + ```cmd + list disk + ``` 1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank. From 6e196830b1b82638575f0d0b9089ae0144a33879 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 14 Nov 2023 20:01:42 -0500 Subject: [PATCH 099/114] Add semicolon Add semicolon --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6c4ec1ff6a..b5fc8eb923 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
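Review bot: the unchanged context line `1. The **DISKPART>** prompt is displayed in the command prompt windows.` should say "window" (singular), and the step before it, "In the elevated command prompt that opens enter the following command", needs a comma after "opens"; since this commit already re-indents these steps, both are worth fixing in the same change. Indenting the fenced blocks to the list item's content indent is the right fix for the numbering problem, as a fence that sits outside the item ends the list and the next `1.` starts a new one.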
@@ -40,7 +40,7 @@ For more information on how to deploy Enterprise licenses, see [Deploy Windows E > [!NOTE] > -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**. +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**: > > - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). > - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). From fa2b73a6f35daee6b487c2e54494374149e8922b Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:52:37 +0100 Subject: [PATCH 100/114] Update event-4738.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4738.md | 35 ++----------------- 1 file changed, 3 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 61cd4e80e6..b35ea56a2e 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md 
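Review bot: the two entries this colon now introduces carry the same AppID, `45a330b1-b1ec-4cc1-9161-9f03992aa49f`, under two different names (Universal Store Service APIs and Web Application, Windows Store for Business); if these are one application, a single entry giving both names avoids sending readers looking for a second exclusion, and if they are distinct, one of the IDs is wrong. Worth confirming against the linked first-party application list before this ships, since an exclusion in a Conditional Access policy is a deliberate widening of access and should name exactly the app it is meant for.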
@@ -192,39 +192,10 @@ Typical **Primary Group** values for user accounts: > [!NOTE] > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object. +- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here. - -To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. 
Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. - -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. From 8a7f8af7275deded025ab20d7d5a64c9e6e0979f Mon Sep 17 00:00:00 2001 
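Review bot: `For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn` is a pasted page title rather than a link, and `[MS-SAMR]` will be parsed as a Markdown reference; use a real link such as `[[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec)` and indent the line under the **New UAC Value** bullet so it stays part of that item. The removed walkthrough was also the only guidance on how to read the hex value; a single sentence stating that the value is a bitmask of the MS-SAMR USER_ACCOUNT codes, so each bit is tested on its own, would replace it without re-importing the userAccountControl table this commit says does not apply. Since the following context line still sends readers to the userAccountControl flags page for the **User Account Control** field, a short note on how those two sets of names relate would stop readers from treating them as one table.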
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:52:57 +0100 Subject: [PATCH 101/114] Update event-4742.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4742.md | 39 ++----------------- 1 file changed, 3 insertions(+), 36 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 6d58542822..cffaebcf0d 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md 
@@ -197,43 +197,10 @@ Typical **Primary Group** values for computer accounts: > [!NOTE] > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of **userAccountControl** attribute of computer object. +- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. If the value of **userAccountControl** attribute of computer object was changed, you will see the new value here. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the **User Account Control** field in 4742 event. - - +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field. From 10f15ed997d30352cb1a3558f7ead341abad55b7 Mon Sep 17 00:00:00 2001 
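Review bot: besides the decoding walkthrough, this hunk deletes the whole `- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute.` bullet with no replacement, so the field that lists each change as text is no longer documented for 4742 at all, whereas the 4738 change in this same series keeps that bullet and only repoints its link. Keep the bullet here with the stale “Table 7” reference replaced by a link; it describes the field that detection logic for computer-account changes (delegation and trust-account flags) keys on. The new `[MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn` text also needs to become a real link and to be merged into the bullet's paragraph, as a later commit in this series does for this file.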
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:53:07 +0100 Subject: [PATCH 102/114] Update event-4720.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4720.md | 79 +------------------ 1 file changed, 3 insertions(+), 76 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 726f71bbbd..56548894f7 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md 
@@ -166,83 +166,10 @@ Typically, **Primary Group** field for new user accounts has the following value > **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object. +- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event. 
- -| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | -|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------| -| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. | -| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
    Account Enabled | -| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. | -| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
    'Home Directory Required' - Disabled | -| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. | -| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
    'Password Not Required' - Disabled | -| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. | -| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
    Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
    'Encrypted Text Password Allowed' - Enabled | -| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | -| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
    'Normal Account' - Enabled | -| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | -| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
    'Workstation Trust Account' - Enabled | -| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
    'Server Trust Account' - Disabled | -| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
    Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
    'Don't Expire Password' - Enabled | -| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
    'MNS Logon Account' - Enabled | -| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
    'Smartcard Required' - Enabled | -| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
    If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
    'Trusted For Delegation' - Disabled | -| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
    Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
    'Not Delegated' - Enabled | -| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
    'Use DES Key Only' - Enabled | -| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
    Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
    'Don't Require Preauth' - Enabled | -| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | -| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
    If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
    'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | - -For new, manually created, domain or local user accounts typical flags are: - -- Account Disabled - -- 'Password Not Required' - Enabled - -- 'Normal Account' – Enabled - - After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags: - -- 'Password Not Required' – Disabled - -- Account Enabled - - +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. From bcb06b366e0974864272f5e86b26190abba03ad6 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 15 Nov 2023 14:53:15 +0100 Subject: [PATCH 103/114] Update event-4741.md Actual meaning of Old UAC Value and New UAC Value as defined by SAM. --- .../threat-protection/auditing/event-4741.md | 65 +------------------ 1 file changed, 3 insertions(+), 62 deletions(-) 
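Review bot: the deleted tail of this hunk, from `For new, manually created, domain or local user accounts typical flags are:` through the list of follow-on “4738” events, is baseline information (Account Disabled, 'Password Not Required' - Enabled, 'Normal Account' – Enabled, then 4738 events flipping 'Password Not Required' – Disabled and Account Enabled) that does not depend on the userAccountControl versus SAM distinction this commit corrects, and it is what an analyst uses to tell an ordinary account creation from an unusual one; suggest keeping those lines together with the **User Account Control** bullet, which this hunk also removes without a replacement. The `[MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn` reference should be a Markdown link, and the new Old UAC Value line could keep the `[Type = UnicodeString]` description of what the field holds rather than only stating the constant.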
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index a245d7e5ce..e188466a86 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md 
@@ -170,69 +170,10 @@ Typically, **Primary Group** field for new computer accounts has the following v > [!NOTE] > **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object. +- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object. - -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. 
- -Here's an example: Flags value from event: 0x15 - -Decoding: - -• PASSWD\_NOTREQD 0x0020 - -• LOCKOUT 0x0010 - -• HOMEDIR\_REQUIRED 0x0008 - -• (undeclared) 0x0004 - -• ACCOUNTDISABLE 0x0002 - -• SCRIPT 0x0001 - -0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event - -0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5 - -0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1 - -0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event - -0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done. - -So this UAC flags value decodes to: LOCKOUT and SCRIPT - -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event. - -| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text | -|---|---|---|---|---| -| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. | -| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled
    Account Enabled | -| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. | -| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
    'Home Directory Required' - Disabled | -| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. | -| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
    'Password Not Required' - Disabled | -| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. | -| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
    Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
    'Encrypted Text Password Allowed' - Enabled | -| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | -| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
    'Normal Account' - Enabled | -| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | -| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
    'Workstation Trust Account' - Enabled | -| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
    'Server Trust Account' - Disabled | -| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
    Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
    'Don't Expire Password' - Enabled | -| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
    'MNS Logon Account' - Enabled | -| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
    'Smartcard Required' - Enabled | -| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
    If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
    'Trusted For Delegation' - Disabled | -| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
    Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
    'Not Delegated' - Enabled | -| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
    Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
    'Use DES Key Only' - Enabled | -| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
    Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
    'Don't Require Preauth' - Enabled | -| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. | -| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
    If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
    'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | - -> Table 7. User’s or Computer’s account UAC flags. +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). +For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`. From c293044f362171d85a50fe9694c30fb25d91ab52 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Nov 2023 07:22:54 -0800 Subject: [PATCH 104/114] fix syntax error --- windows/whats-new/deprecated-features.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index cad07d84d8..1f4ad7580a 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md 
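Review bot: the deleted table was the only place that mapped the numeric flags to the text shown in the **User Account Control** field ('Workstation Trust Account' - Enabled, 'Server Trust Account' - Enabled, 'Trusted For Delegation' - Enabled, and so on), and the replacement reference to MS-SAMR covers the numeric codes only; for a computer-account creation event the flags in that table (WORKSTATION_TRUST_ACCOUNT, SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, PARTIAL_SECRETS_ACCOUNT) are exactly the ones a reviewer of 4741 events needs to recognise, so keep the "User Account Control field text" column, or at least the **User Account Control** bullet this hunk also drops, even if the hexadecimal column gives way to the MS-SAMR definitions. Removing the `> Table 7.` caption is consistent once the table is gone, but the file should be checked for other mentions of “Table 7”, since the deleted walkthrough referred to it by name.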
@@ -37,7 +37,6 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | | Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 | -| --- | --- | --- | | Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 | | Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 | | Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 | From 0b673fbd0166438ef95dd9f7b9d16c99a85b6af0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:36:54 -0500 Subject: [PATCH 105/114] Update event-4742.md --- windows/security/threat-protection/auditing/event-4742.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index cffaebcf0d..4a82933448 100644 --- a/windows/security/threat-protection/auditing/event-4742.md 
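Review bot: the removed `| --- | --- | --- |` line was a second header-separator row in the middle of the table body, which Markdown renders as an empty data row between the Steps Recorder and Tips entries; dropping it is the correct fix and the remaining rows still match the three-column header, so nothing else is needed here.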
+++ b/windows/security/threat-protection/auditing/event-4742.md @@ -199,8 +199,7 @@ Typical **Primary Group** values for computer accounts: - **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field. From 354b374b65bb27681316eb29af6a1574767f6adf Mon Sep 17 00:00:00 2001 
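Review bot: in the unchanged context line after the edit, the **User Parameters** bullet reads "you will see `` in this field" with an empty inline code span; the same placeholder appears in event-4720.md as `<value changed, but not displayed>`, so the angle-bracket text looks to have been dropped here, most likely because something treated it as an HTML tag. Restore the placeholder inside the backticks (or escape the brackets) so the bullet says what the reader will actually see. Merging the dangling "For a list of account flags" line into the bullet and turning the bare title into a link is fine.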
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:48:03 -0500 Subject: [PATCH 106/114] Update event-4720.md --- windows/security/threat-protection/auditing/event-4720.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index 56548894f7..5ca11d5d60 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md 
@@ -168,8 +168,7 @@ Typically, **Primary Group** field for new user accounts has the following value - **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. From 3c37dc9f80223d624434e123ef3fdb6f39cc4ae0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:56:39 -0500 Subject: [PATCH 107/114] Update event-4741.md --- windows/security/threat-protection/auditing/event-4741.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
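Review bot: the context line that follows the edit shows the placeholder as `**<value changed, but not displayed>**`, i.e. raw angle brackets inside bold; the sibling pages (event-4741.md, event-4742.md) put the same placeholder in inline code, and raw `<...>` is exactly the kind of text that gets stripped by HTML-aware tooling, so wrap it in backticks here for consistency and robustness. The link text `[[MS-SAMR]: USER_ACCOUNT Codes](...)` relies on balanced nested brackets, which CommonMark accepts but some linters flag; escaping as `\[MS-SAMR\]` avoids that.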
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index e188466a86..e26b0c96b3 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -172,8 +172,7 @@ Typically, **Primary Group** field for new computer accounts has the following v - **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts. -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`. From 6f95ab612d7eb8663cea036701389f5416ef590b Mon Sep 17 00:00:00 2001 
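Review bot: the **User Parameters** context line below the edit has an empty inline code span ("you will see `` in this field"), so the sentence tells the reader they will see nothing; the intended placeholder (shown on event-4720.md as `<value changed, but not displayed>`) should be restored inside the backticks. Since the same fix is being made in parallel across event-4720.md, event-4738.md, event-4741.md and event-4742.md, consider squashing the four single-line commits into one.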
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 15 Nov 2023 10:58:07 -0500 Subject: [PATCH 108/114] Update event-4738.md --- windows/security/threat-protection/auditing/event-4738.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index b35ea56a2e..be3bf1a1e5 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md 
@@ -194,8 +194,7 @@ Typical **Primary Group** values for user accounts: - **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD). -- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. -For a list of account flags you may see here, please refer to [MS-SAMR]: USER_ACCOUNT Codes | Microsoft Learn +- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec). - **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. From 8f651c730b5fe2fa3b45a802b913abb5f4d6f558 Mon Sep 17 00:00:00 2001 
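Review bot: this page now documents two differently encoded flag fields side by side, and the hunk makes that visible: **New UAC Value** is the SAM USER_ACCOUNT bitmask (linked to MS-SAMR) while the **User Account Control** bullet two lines down is decoded with the AD userAccountControl table (the /troubleshoot link). Add one sentence stating that the two fields use different flag tables and that decoding **New UAC Value** with the userAccountControl table gives wrong answers; that is a common analyst mistake when triaging 4738 changes to delegation or pre-authentication settings.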
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Nov 2023 15:12:23 -0800 Subject: [PATCH 109/114] meta update --- windows/client-management/manage-windows-copilot.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index e8c129e081..9851b09748 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -4,6 +4,8 @@ description: Learn how to manage Copilot in Windows for commercial environments ms.topic: article ms.technology: itpro-windows-copilot ms.date: 11/06/2023 +ms.author: mstewart +author: mestew appliesto: - ✅ Windows 11, version 22H2 or later --- From 87ed1cbfb0c7be095db32783b1c80f44a58e32c2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 16 Nov 2023 11:40:20 -0500 Subject: [PATCH 110/114] Update update-csp.md --- windows/client-management/mdm/update-csp.md | 118 +++++++++++--------- 1 file changed, 67 insertions(+), 51 deletions(-) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 9a3988642d..e825289b3c 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -8,7 +8,7 @@ ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 02/23/2018 +ms.date: 11/16/2023 --- # Update CSP @@ -40,7 +40,7 @@ The following example shows the Update configuration service provider in tree fo ----FailedUpdates --------Failed Update Guid ------------HResult -------------Status +------------State ------------RevisionNumber ----InstalledUpdates --------Installed Update Guid @@ -63,136 +63,152 @@ The following example shows the Update configuration service provider in tree fo ``` **./Vendor/MSFT/Update** -

    The root node. +The root node. -

    Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -

    Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

    The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -

    The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -

    Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -

    Specifies the update GUID. +Specifies the update GUID. -

    To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -

    Supported operations are Get and Add. +Supported operations are Get and Add. -

    Sample syncml: +Sample syncml: ``` ./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d ``` **ApprovedUpdates/*Approved Update Guid*/ApprovedTime** -

    Specifies the time the update gets approved. +Specifies the time the update gets approved. -

    Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -

    Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -

    Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -

    Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -

    Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -

    The update failure error code. +The update failure error code. -

    Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -

    Specifies the failed update status (for example, download, install). +**FailedUpdates/*Failed Update Guid*/State** +Specifies the failed update state. -

    Supported operation is Get. +| Update Status | Integer Value | +| -------------------------- | ------------- | +| UpdateStatusNewUpdate | 1 | +| UpdateStatusReadyToDownload| 2 | +| UpdateStatusDownloading | 4 | +| UpdateStatusDownloadBlocked| 8 | +| UpdateStatusDownloadFailed | 16 | +| UpdateStatusReadyToInstall | 32 | +| UpdateStatusInstalling | 64 | +| UpdateStatusInstallBlocked | 128 | +| UpdateStatusInstallFailed | 256 | +| UpdateStatusRebootRequired | 512 | +| UpdateStatusUpdateCompleted| 1024 | +| UpdateStatusCommitFailed | 2048 | +| UpdateStatusPostReboot | 4096 | + +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -

    The updates that are installed on the device. +The updates that are installed on the device. -

    Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -

    UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -

    Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -

    The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -

    Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -

    The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -

    Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -

    The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -

    The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -

    Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -

    The time the update is installed. +The time the update is installed. -

    Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -

    Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -

    Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -

    The last successful scan time. +The last successful scan time. -

    Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -

    Upgrades deferred until the next period. +Upgrades deferred until the next period. -

    Supported operation is Get. +Supported operation is Get. **Rollback** Added in Windows 10, version 1803. Node for the rollback operations. From e0b56e18533b49455b72e3e1c84d03a33f0c4419 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 16 Nov 2023 09:17:24 -0800 Subject: [PATCH 111/114] Date refresh --- .../windows-autopatch-post-reg-readiness-checks.md | 2 +- ...ch-groups-windows-quality-update-trending-report.md | 2 +- .../operate/windows-autopatch-maintain-environment.md | 2 +- .../operate/windows-autopatch-support-request.md | 2 +- .../overview/windows-autopatch-privacy.md | 2 +- .../windows-autopatch-enrollment-support-request.md | 2 +- .../prepare/windows-autopatch-fix-issues.md | 2 +- .../prepare/windows-autopatch-prerequisites.md | 2 +- ...ws-autopatch-windows-update-unsupported-policies.md | 2 +- .../whats-new/windows-autopatch-whats-new-2023.md | 10 +++++++++- 10 files changed, 18 insertions(+), 10 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index eb2f5d26d5..e41d8e60f4 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -1,7 +1,7 @@ --- title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch -ms.date: 09/16/2022 +ms.date: 09/16/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md index e68ee4d6bd..71b96ec441 100644 
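Review bot: the new table under **FailedUpdates/_Failed Update Guid_/State** is headed "Update Status" although the node was just renamed to State, and it lists only powers of two (1, 2, 4, ... 4096) without saying whether the node returns exactly one of these values or a bitwise OR of several; a Get-only reporting node is only useful to an MDM server if the doc states which, plus the data type (integer vs. string). Also, the "Sample syncml:" fence has no language tag and its content is an OMA-URI path (`./Vendor/MSFT/Update/ApprovedUpdates/%7b...%7d`), not SyncML; tag the fence and call it a sample URI. Replacing the `<p>` wrappers with plain paragraphs is a welcome cleanup.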
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups. -ms.date: 05/01/2023 +ms.date: 09/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 3b72dc6d90..fe9d6b3321 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -1,7 +1,7 @@ --- title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment -ms.date: 05/15/2023 +ms.date: 09/15/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 690e61a507..20c341551a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 01/06/2023 +ms.date: 09/06/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 043db6fb77..0e481d7a66 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 03/13/2023 +ms.date: 09/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index 6588ea5a13..bc26753af7 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a tenant enrollment support request description: This article details how to submit a tenant enrollment support request -ms.date: 01/13/2023 +ms.date: 09/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 8acdf328e5..f7a2045294 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -1,7 +1,7 @@ --- title: Fix issues found by the Readiness assessment tool description: This article details how to fix issues found by the Readiness assessment tool. -ms.date: 01/12/2023 +ms.date: 09/12/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index b0df16842e..7cb1b4a4d5 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 04/24/2023 +ms.date: 09/24/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 9ece385c03..e72d9e8042 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -1,7 +1,7 @@ --- title: Windows update policies description: This article explains Windows update policies in Windows Autopatch -ms.date: 12/02/2022 +ms.date: 09/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 24650e3a33..1e7b26a9c9 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md 
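Review bot: every `ms.date` in these hunks is moved to a September 2023 date (e.g. `09/16/2022` to `09/16/2023`, `12/02/2022` to `09/02/2023`) in a commit dated 16 Nov 2023 with no content change; `ms.date` is the "last reviewed" signal readers rely on, so either set it to the actual review date or leave it untouched rather than bumping the year mechanically.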
@@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 10/27/2023 +ms.date: 11/16/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## November 2023 + +## November service release + +| Message center post number | Description | +| ----- | ----- | +| [MC689492](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Service maintenance to improve Windows Autopatch performance | + ## October 2023 ### October feature releases or updates From cbcd5c0f7eb16df83f17e3a969b0d958a91bce38 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 16 Nov 2023 14:26:38 -0800 Subject: [PATCH 112/114] branch chache not supported on 11 8530422 --- windows/deployment/update/waas-branchcache.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 840ea3d5a7..829dc4d1f5 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -9,9 +9,8 @@ ms.author: mstewart manager: aaroncz ms.localizationpriority: medium appliesto: -- ✅ Windows 11 -- ✅ Windows 10 -ms.date: 12/31/2017 +✅ Windows 10 +ms.date: 11/16/2023 --- # Configure BranchCache for Windows client updates 
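Review bot: `+## November service release` should be a level-3 heading (`### November service release`) under `## November 2023`, matching the `## October 2023` / `### October feature releases or updates` structure visible in the context lines; as written the month and its service release are siblings in the table of contents.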
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)). -In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. +In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. + +> [!Note] +> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11. ## Configure servers for BranchCache From c0775ea59a68657f8f3e1f7c895285019fcef49d Mon Sep 17 00:00:00 2001 
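Review bot: "In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default" reads as if only 1607 does, while the new note says Bypass is "available in Windows 10, version 1607 and later, not in Windows 11"; since Windows 11 is also "later", phrase both as "Windows 10, version 1607 and later versions of Windows 10". In the front-matter hunk earlier in this patch, `- ✅ Windows 11` and `- ✅ Windows 10` are replaced by `✅ Windows 10` without the list marker, which turns `appliesto` from a YAML list into a scalar and breaks the metadata; that is repaired in the next commit, so the two should be squashed.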
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 16 Nov 2023 14:32:20 -0800 Subject: [PATCH 113/114] branch chache not supported on 11 8530422 --- windows/deployment/update/waas-branchcache.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 829dc4d1f5..05c5f63d80 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -9,7 +9,7 @@ ms.author: mstewart manager: aaroncz ms.localizationpriority: medium appliesto: -✅ Windows 10 +- ✅ Windows 10 ms.date: 11/16/2023 --- From 0d087d5cd7155c228cb6cb88d30207855d2879a7 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Thu, 16 Nov 2023 17:40:52 -0500 Subject: [PATCH 114/114] MBR2GPT Refresh --- windows/deployment/mbr-to-gpt.md | 78 ++++---------------------------- 1 file changed, 8 insertions(+), 70 deletions(-) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 1b24406aee..a0eb436b76 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) ms.prod: windows-client author: frankroj ms.author: frankroj -ms.date: 10/17/2023 +ms.date: 11/16/2023 manager: aaroncz ms.localizationpriority: high ms.topic: how-to 
@@ -19,7 +19,7 @@ appliesto: # MBR2GPT.EXE -**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option. +**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows operating system (OS) by using the **`/allowFullOS`** option. **MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows. @@ -32,7 +32,7 @@ See the following video for a detailed description and demonstration of MBR2GPT. You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT. -- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. +- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them. - Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT). Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion. 
@@ -73,7 +73,7 @@ If any of these checks fails, the conversion doesn't proceed, and an error is re |**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.| |**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.| |**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. | -|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.| +|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
    **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.| ## Examples @@ -108,7 +108,7 @@ In the following example: 1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). -1. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. +1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly. 
@@ -298,7 +298,7 @@ The conversion tool attempts to remap all drive letter assignment information co The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following: -1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. +1. Checks if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk. 2. If found, set the value to be the new unique ID, obtained after the layout conversion. 3. If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment. @@ -433,7 +433,7 @@ You can view the partition type of a disk by using the Disk Management tool: #### DiskPart tool -The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE when the PowerShell optional component in WinPE isn't loaded. To use the DiskPart tool to determine the partition type: +The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE. PowerShell isn't available in WinPE when the PowerShell optional component isn't loaded. To use the DiskPart tool to determine the partition type: 1. Open an elevated command prompt. 
@@ -449,7 +449,7 @@ The partition type can be determined with the DiskPart tool. The DiskPart tool i list disk ``` -1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank. +1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column is blank. The following shows an example output of the DiskPart tool showing the partition type for two disks: 
@@ -470,65 +470,3 @@ DISKPART> list disk ``` In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT. - -## Known issue - -### MBR2GPT.exe can't run in Windows PE - -When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues: - -**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive. - -**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool. - -**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. - -#### Cause - -This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later. - -#### Workaround - -To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. Use follow these steps: - -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). - -2. Copy the ReAgent files and the ReAgent localization files from the Windows 10, version 1903 ADK source folder to the mounted WIM. 
- - For example, if the ADK is installed to the default location of C:\Program Files (x86)\Windows Kits\10 and the Windows PE image is mounted to C:\WinPE_Mount, run the following commands from an elevated Command Prompt window: - - > [!NOTE] - > You can access the ReAgent files if you have installed the User State Migration Tool (USMT) as a feature while installing Windows Assessment and Deployment Kit. - - **Command 1:** - - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32" - ``` - - This command copies three files: - - - ReAgent.admx - - ReAgent.dll - - ReAgent.xml - - **Command 2:** - - ```cmd - copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us" - ``` - - This command copies two files: - - - ReAgent.adml - - ReAgent.dll.mui - - > [!NOTE] - > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. - -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). - -## Related articles - -- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
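Review bot: in the whats-new-2023.md hunk, the new `## November service release` heading sits at the same level as `## November 2023`, so the service release renders as a separate month rather than a subsection; the October block right below it uses `### October feature releases or updates` under `## October 2023`. Change it to `### November service release` so the two months follow the same structure.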
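Review bot: the `appliesto` hunk in PATCH 112 drops the `- ` list marker, leaving `appliesto:` followed by a bare `✅ Windows 10`, which is not a YAML list and is exactly what PATCH 113 then repairs by restoring `- ✅ Windows 10`. Squash 113 into 112 so no commit in the series leaves waas-branchcache.md with broken front matter, and fix the subject typo "chache" while rewording it.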
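Review bot: in the waas-branchcache.md `@@ -33,7 +32,10 @@` hunk, the admonition is written `> [!Note]` while the mbr-to-gpt.md changes in this same series use `> [!NOTE]`; use the uppercase form the docs tooling recognizes. The note says the Bypass setting exists in "Windows 10, version 1607 and later", but the sentence above it still reads "In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default"; say "version 1607 and later" in both places. And since the whole point of the commit is that BranchCache isn't supported on Windows 11, "When using BranchCache with Windows client" should say Windows 10 explicitly rather than the generic "Windows client".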
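Review bot: the BitLocker bullet in the mbr-to-gpt.md `@@ -32,7 +32,7 @@` hunk tells the reader protection must be suspended and that the protectors must be deleted and recreated afterwards, but not what that implies. Deleting the protectors invalidates any recovery password that was previously backed up, so the bullet should add that the new recovery password has to be backed up again (to AD DS, Microsoft Entra ID, or wherever the organization escrows keys), and that protection should be resumed promptly, since a suspended volume is readable without a protector until it is.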
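Review bot: while the `@@ -73,7 +73,7 @@` hunk is rewording the `/allowFullOS` row, the `/logs` row in the same table still carries the comma splice "the directory must already exist, it isn't automatically created or overwritten"; split it with a semicolon or "and". The new `/allowFullOS` wording is clearer than the old one, but "can only run from Windows PE and is blocked from running in full Windows" says the same thing twice; "is blocked from running outside Windows PE" is enough.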
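Review bot: in the `@@ -298,7 +298,7 @@` hunk, step 1 is changed to third person ("Checks if the unique ID…") but steps 2 and 3 of the same list are left imperative ("If found, set the value…", "issue a console and log warning…"); change them to "sets" and "issues" in the same hunk so the list reads consistently. This list also uses explicit `1.`/`2.`/`3.` numbering while every other ordered list in the article (the Examples steps and the DiskPart steps) uses the repeated `1.` convention; pick one.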
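Review bot: the `@@ -470,65 +470,3 @@` hunk deletes the entire "Known issue" section (MBR2GPT.exe exiting with 0xC0000135 in Windows PE because ReAgent.dll and its MUI file aren't in the boot image, with the DISM copy-in workaround) and the "Related articles" list, but neither the commit message "MBR2GPT Refresh" nor the remaining text says why. If the issue is fixed in current ADK and WinPE builds, state that in the commit message; if it isn't, keep at least a one-line note that MBR2GPT.exe depends on ReAgent.dll being present in the WinPE image, because a reader who hits that exit code from a task sequence now has nowhere on this page to look. Dropping the two "Related articles" links is fine on its own; both point at legacy technet and marketing URLs rather than current docs.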