mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 03:13:44 +00:00
Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20221117-WHFB-metadata-headers
@ -63,9 +63,6 @@
]
},
"fileMetadata": {
"ms.localizationpriority": {
"windows/tutorial-school-deployment/**/**.md": "medium"
},
"ms.topic": {
"windows/tutorial-school-deployment/**/**.md": "tutorial"
}
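Review bot: the two glob keys `windows/tutorial-school-deployment/**/**.md` use a redundant `**/**.md` suffix; the `**/*.md` form used elsewhere in this same commit (`threat-protection/**/*.md`) is the conventional one and avoids the ambiguous double-`**` match, so I would normalise both entries to `windows/tutorial-school-deployment/**/*.md`.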
@ -82,7 +82,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-----------------------------------------|-------------------|----------|------------------------------|
| 3d builder | 15.2.10821.1070 | Win32 | Microsoft |
| Absolute Software Endpoint Agent | 7.21-15655 | Win32 | Absolute Software Corporation|
| AirSecure | 8.0.0 | Win32 | AIR |
| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
| Brave Browser | 106.0.5249.65 | Win32 | Brave |
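Review bot: the first row's product name `3d builder` is lowercase while every other row uses the vendor's casing (`Alertus Desktop`, `Brave Browser`); since this table is an allow-list that readers match against the name shown in the Store, it should read `3D Builder`.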
@ -202,9 +202,9 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
## Themes
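Review bot: the typo fixes are right, but `The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.` still mixes its objects; suggest `The ID and key are used to obtain authorization to call the Microsoft Graph API and to report device compliance.` Because that key is a tenant-scoped credential for the MDM app, a short sentence here saying it must be stored and rotated like any other secret would also be worth adding.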
@ -56,7 +56,7 @@ Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
Prevent access to drives from My Computer | Enabled - Restrict all drives
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
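Review bot: `Restrict all drives` is the right fix, but the note's closing sentences (`This setting does not prevent users from using programs to access local and network drives.` and the Disk Management caveat) are the part a kiosk administrator most needs and they are buried at the end; suggest opening the note with a sentence that this policy is a shell/UI restriction rather than an access control, so readers do not treat it as the boundary that keeps kiosk users off the drives.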
@ -34,7 +34,7 @@ This article outlines the general process that you should follow to migrate file
6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files:
``` syntax
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
```
@ -51,7 +51,7 @@ This article outlines the general process that you should follow to migrate file
3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example,
``` syntax
```cmd
ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
```
@ -78,7 +78,7 @@ This article outlines the general process that you should follow to migrate file
For example, the following command migrates the files and settings:
``` syntax
```cmd
LoadState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log
```
@ -131,7 +131,7 @@ On a test computer, install the operating system that will be installed on the d
To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter:
``` syntax
```cmd
/ue:*\* /ui:user1
```
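Review bot: `/ue:*\* /ui:user1` is a fragment of options, not a command, so tagging the fence `cmd` invites readers to paste it as-is; either show it as a complete `ScanState.exe` line, the form the other examples on this page use, or keep the bare options in a fence with no language tag.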
@ -164,7 +164,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t
For example, you can use all of the XML migration file types for a single migration, as in the following example:
``` syntax
```cmd
ScanState.exe <store> /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml
```
@ -194,14 +194,14 @@ To generate the XML migration rules file for a source computer:
4. At the command prompt, enter:
``` syntax
```cmd
cd /d <USMTpath>
ScanState.exe /genmigxml: <filepath.xml>
```
Where *<USMTpath>* is the location on your source computer where you've saved the USMT files and tools, and *<filepath.xml>* is the full path to a file where you can save the report. For example, enter:
``` syntax
```cmd
cd /d c:\USMT
ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
```
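Review bot: the generic form `ScanState.exe /genmigxml: <filepath.xml>` has a space after the colon that the concrete example below it (`/genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"`) does not; with the space, cmd passes `<filepath.xml>` as a separate argument and the option arrives without a path. Drop the space: `ScanState.exe /genmigxml:<filepath.xml>`.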
@ -230,7 +230,7 @@ The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes thr
**Usage:**
``` syntax
```cmd
MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")
```
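Review bot: `MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")` is a helper-function signature used inside a migration .xml file, not something typed at a command prompt, so the new `cmd` tag is misleading; an untagged fence (or `xml` if the call is shown inside its `<script>` element) fits better. The space before the opening parenthesis should also go.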
@ -107,7 +107,7 @@ To remove encryption from files that have already been migrated incorrectly, you
**Resolution:** You can use the `/mu` option when you run the **LoadState** tool to specify a new name for the user. For example,
``` syntax
```cmd
LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore
/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1
```
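Review bot: the LoadState example is split over two lines (`LoadState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore` and then `/progress:Progress.log /l:LoadState.log /mu:fareast\user1:farwest\user1`); in a `cmd` block that reads as two separate commands, and the second line fails on its own. Join them on one line, or end the first line with `^` so cmd treats the second as a continuation.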
@ -138,7 +138,7 @@ The following sections describe common XML file problems. Expand the section to
**Resolution:** Install all of the desired applications on the computer before running the `/genconfig` option. Then run `ScanState.exe` with all of the .xml files. For example, run the following command:
``` syntax
```cmd
ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:ScanState.log
```
@ -248,7 +248,7 @@ The following sections describe common offline migration problems. Expand the se
**Resolution:** Use a Security Identifier (SID) to include a user when running the **ScanState** tool. For example:
``` syntax
```cmd
ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*
```
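Review bot: the SID in `ScanState.exe /ui:S1-5-21-124525095-708259637-1543119021*` is malformed; a Windows SID begins with `S-1-5-21-`, so as written the pattern matches no account and the example silently includes nobody. It should read `/ui:S-1-5-21-124525095-708259637-1543119021*`.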
@ -262,7 +262,7 @@ You can also use patterns for SIDs that identify generic users or groups. For ex
**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the **ScanState** tool has finished running. For example, at a command prompt, enter:
``` syntax
```cmd
reg.exe unload hklm\$dest$software
```
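Review bot: `reg.exe unload hklm\$dest$software` needs an elevated command prompt and fails while any process still holds a handle to the hive; the step already says to wait until ScanState has finished, so add `elevated` to `at a command prompt, enter:` to save readers an access-denied error.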
@ -282,7 +282,7 @@ The following sections describe common hard-link migration problems. Expand the
**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, enter:
``` syntax
```cmd
UsmtUtils.exe /rd <storedir>
```
@ -47,7 +47,7 @@ To run the ScanState tool on the source computer with USMT installed:
2. Navigate to the USMT tools. For example, enter:
``` syntax
```cmd
cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\<architecture>"
```
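Review bot: the hard-coded kit version in `C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\<architecture>` will not match newer ADK installs, which live under a different kit folder; since the path already uses `<architecture>` as a placeholder, make the version a placeholder too (`Windows Kits\<version>\...`) or tell the reader to substitute the path of the ADK they installed.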
@ -55,13 +55,13 @@ To run the ScanState tool on the source computer with USMT installed:
3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter:
``` syntax
```cmd
ScanState.exe <StorePath> /p:<path to a file>
```
Where *<StorePath>* is a path to a directory where the migration store will be saved and *<path to a file>* is the path and filename where the XML report for space requirements will be saved. For example:
``` syntax
```cmd
ScanState.exe c:\store /p:c:\spaceRequirements.xml
```
@ -29,7 +29,7 @@ In addition, you can specify the file patterns that you want to extract by using
To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax:
``` syntax
```cmd
UsmtUtils.exe /extract <filePath> <destinationPath> [/i:<includePattern>] [/e:<excludePattern>] [/l:<logfile>] [/decrypt[:<AlgID>] {/key:<keystring> | /keyfile:<filename>}] [/o]
```
@ -57,7 +57,7 @@ Where the placeholders have the following values:
To extract everything from a compressed migration store to a file on the `C:\` drive, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
```
@ -65,7 +65,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
```
@ -75,7 +75,7 @@ In this example, the file is encrypted and the encryption key is located in a te
To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
```
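Review bot: `/decrypt:AES_128 /key:password` puts the store's decryption key on the command line, where it is visible in process listings and command history, and `password` as the sample value reads like a real key; prefer the `/keyfile:` form the previous example uses, and if `/key:` is kept for illustration, show an obvious placeholder such as `/key:<keystring>` and say why `/keyfile:` is the better choice on shared machines.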
@ -83,7 +83,7 @@ UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedS
To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
``` syntax
```cmd
UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
```
@ -55,13 +55,13 @@ You can use the XML helper functions in the [XML elements library](usmt-xml-elem
As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
``` syntax
```cmd
SomeFunction("My String argument",NULL,NULL)
```
is equivalent to:
``` syntax
```cmd
SomeFunction("My String argument")
```
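Review bot: `SomeFunction("My String argument",NULL,NULL)` and `SomeFunction("My String argument")` illustrate the XML helper-function calling convention, not command-prompt commands, so `cmd` is the wrong language tag for both blocks; an untagged fence keeps them as plain syntax without suggesting they can be run.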
@ -92,7 +92,7 @@ It isn't necessary to estimate the size of a hard-link migration store since har
Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example:
``` syntax
```cmd
ScanState.exe /hardlink c:\USMTMIG […]
```
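Review bot: `ScanState.exe /hardlink c:\USMTMIG […]` uses a literal `[…]` where the rest of the command is omitted; inside a `cmd` fence that looks pasteable, so either say in the surrounding text that the remaining options are elided, or show a complete command with the `/i:` files as the other examples do.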
@ -34,7 +34,7 @@ Before using the **ScanState** tool for a migration that includes encrypted file
You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter:
``` syntax
```cmd
cipher.exe /D /S:<PATH>
```
@ -23,7 +23,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o
````
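Review bot: the closing fence of this block is four backticks while the opening fence `cmd` line uses three, so Markdown never closes the block and everything after `ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o` renders as code. Make the closing fence three backticks to match.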
@ -33,13 +33,13 @@ Links to detailed explanations of commands are available in the [Related article
- If you're migrating domain accounts, enter:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```
- If you're migrating local accounts along with domain accounts, enter:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae
```
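Review bot: `/lac /lae` creates the missing local accounts and enables them, and without a value (`/lac:<password>`) the created accounts get an empty password; the local-accounts step should say so and either show `/lac:<password>` or tell the reader to set passwords on the migrated accounts before the destination computer is handed back to users.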
@ -54,7 +54,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o
```
@ -62,7 +62,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
```
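Review bot: the inline code span `LoadState.exe ` in step 4 carries a trailing space inside the backticks, which renders as a visible gap before `command line`; trim it to `LoadState.exe`.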
@ -74,7 +74,7 @@ Links to detailed explanations of commands are available in the [Related article
2. Enter the following `ScanState.exe` command line in a command prompt window:
``` syntax
```cmd
ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o
```
@ -82,7 +82,7 @@ Links to detailed explanations of commands are available in the [Related article
4. Enter the following `LoadState.exe ` command line in a command prompt window:
``` syntax
```cmd
LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml
```
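Review bot: same trailing space inside the backticks of `LoadState.exe ` in this step 4; trim it to `LoadState.exe` so the span renders cleanly.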
@ -43,7 +43,7 @@ The `ScanState.exe` command's syntax is:
For example, to create a `Config.xml` file in the current directory, use:
``` syntax
```cmd
ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13
```
@ -59,7 +59,7 @@ Where the placeholders have the following values:
To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter:
``` syntax
```cmd
UsmtUtils.exe /verify D:\MyMigrationStore\store.mig
```
@ -69,7 +69,7 @@ Because no report type is specified, **UsmtUtils** displays the default summary
To verify whether the catalog file is corrupted or intact, enter:
``` syntax
```cmd
UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
```
@ -77,7 +77,7 @@ UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter:
``` syntax
```cmd
UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
```
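Review bot: the command line `UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt` ends with a stray backtick inside the fenced block, which cmd would pass to UsmtUtils as part of the log path; remove it.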
@ -87,7 +87,7 @@ In addition to verifying the status of all files, this example decrypts the file
In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted.
``` syntax
```cmd
UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt
```
@ -36,9 +36,10 @@
"recommendations": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
"manager": "dansimp",
"audience": "ITPro",
"ms.localizationpriority": "medium",
"ms.prod": "windows-client",
"ms.technology": "itpro-security",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
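Review bot: this object now carries two `manager` keys (`"manager": "dansimp"` and, a few lines later, `"manager": "aaroncz"`); JSON parsers generally keep the last value silently, so the first entry is dead and the intended owner is ambiguous. Keep one of them.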
@ -48,7 +49,6 @@
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "Windows security",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
@ -56,13 +56,22 @@
"claydetels19",
"jborsecnik",
"tiburd",
"AngelaMotherofDragons",
"dstrome",
"v-dihans",
"garycentric"
],
"searchScope": ["Windows 10"]
},
"fileMetadata": {
"titleSuffix":{
"threat-protection/**/*.md": "Windows security"
"author":{
"/identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
},
"ms.author":{
"/identity-protection/hello-for-business/**/*.md": "paoloma"
},
"ms.reviewer":{
"/identity-protection/hello-for-business/**/*.md": "erikdau"
}
},
"template": [],
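Review bot: `"titleSuffix":{` opens an object whose single entry `"threat-protection/**/*.md": "Windows security"` is followed directly by `"author":{` with no closing `},`, so the `fileMetadata` section is not valid JSON as shown and the build will reject the file. Add `},` after the titleSuffix entry. The new glob keys also start with a leading slash (`/identity-protection/hello-for-business/**/*.md`) while the existing one does not (`threat-protection/**/*.md`); pick one form so the patterns match consistently.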
@ -155,6 +155,12 @@ It also blocks automatic or manual attempts to move the paging file.
Enable secure boot and mandatorily prompt a password to change BIOS settings.
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
The following sections cover mitigations for different types of attackers.
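Review bot: `Enable secure boot and mandatorily prompt a password to change BIOS settings.` is a bare imperative dropped between two explanatory paragraphs, and `mandatorily prompt` is not idiomatic; suggest `Enable Secure Boot and require a password to change UEFI/BIOS settings.` and fold it into the recommendation list in the sentence that follows (TPM+PIN protector, disable Standby, shut down or hibernate), so the countermeasures for this attack read as one set.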
@ -60,7 +60,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
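Review bot: dropping `This is effective only in managed mode.` from the `Allow files to download to host operating system` row leaves it the one row here that says nothing about standalone mode, while the neighbouring rows (print settings, persistence, hardware-accelerated rendering, camera and microphone) keep that sentence; if the setting now applies in both modes, state that explicitly, because the same cell warns that enabling it creates a host-to-container share that also permits uploads, which is the kind of widening readers need to see is deliberate.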