Merge branch 'master' into siosulli-privacyupdates-temp

This commit is contained in:
Sinead O'Sullivan 2021-10-14 11:52:54 +01:00
commit a776510a8e
4 changed files with 39 additions and 38 deletions

View File

@ -1,6 +1,6 @@
---
title: Mobile device management
description: Windows 10 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy
MS-HAID:
- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
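Review bot: subject-verb agreement in the new description line: "Windows 10 and Windows 11 provides" should read "provide" now that the subject is plural. While the line is being touched, "user's privacy" should be "users' privacy" to match the plural "users" used in the body text below.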
@ -15,9 +15,9 @@ author: dansimp
# Mobile device management
Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users privacy on their personal devices. A built-in management component can communicate with the management server.
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users privacy on their personal devices. A built-in management component can communicate with the management server.
There are two parts to the Windows 10 management component:
There are two parts to the Windows management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
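Review bot: the same agreement issue appears in the new opening paragraph: "Windows 10 and Windows 11 provides" should be "provide", and "the users privacy" is missing its apostrophe ("the users' privacy"). The change from "Windows 10 management component" to "Windows management component" reads well and avoids re-listing versions a second time.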

View File

@ -12,7 +12,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 10/12/2021
ms.reviewer:
---
@ -39,7 +39,7 @@ The special identity groups are described in the following tables:
- [Anonymous Logon](#anonymous-logon)
- [Authenticated User](#authenticated-users)
- [Authenticated Users](#authenticated-users)
- [Batch](#batch)
@ -90,7 +90,7 @@ The special identity groups are described in the following tables:
Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-7 |
|Object Class| Foreign Security Principal|
@ -102,11 +102,11 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo
Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-11 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight<br> [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege<br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
## Batch
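Review bot: dropping "cn=System," from the Authenticated Users Default Location row brings it in line with the location given for Dial-Up and Digest Authentication further down (cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>); the remaining tables in this file should be checked for the same stale "cn=System," prefix so the fix is applied consistently rather than to one row.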
@ -114,7 +114,7 @@ Any user who accesses the system through a sign-in process has the Authenticated
Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-3 |
|Object Class| Foreign Security Principal|
@ -128,7 +128,7 @@ The person who created the file or the directory is a member of this special ide
A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the objects current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-3-1 |
|Object Class| Foreign Security Principal|
@ -140,7 +140,7 @@ A placeholder security identifier (SID) is created in an inheritable access cont
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the objects current owner.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-3-0 |
|Object Class| Foreign Security Principal|
@ -152,29 +152,29 @@ The person who created the file or the directory is a member of this special ide
Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| none| 
|Default User Rights| none|
## Digest Authentication
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-64-21 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| none| 
|Default User Rights| none|
## Enterprise Domain Controllers
This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-9 |
|Object Class| Foreign Security Principal|
@ -190,7 +190,7 @@ On computers running Windows 2000 and earlier, the Everyone group included the
Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-1-0 |
|Object Class| Foreign Security Principal|
@ -202,7 +202,7 @@ Membership is controlled by the operating system.
Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-4 |
|Object Class| Foreign Security Principal|
@ -214,7 +214,7 @@ Any user who is logged on to the local system has the Interactive identity. This
The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-19 |
|Object Class| Foreign Security Principal|
@ -227,7 +227,7 @@ The Local Service account is similar to an Authenticated User account. The Local
This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-18 |
|Object Class| Foreign Security Principal|
@ -238,7 +238,7 @@ This is a service account that is used by the operating system. The LocalSystem
This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-2 |
|Object Class| Foreign Security Principal|
@ -250,7 +250,7 @@ This group implicitly includes all users who are logged on through a network con
The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-20 |
|Object Class| Foreign Security Principal|
@ -260,7 +260,7 @@ The Network Service account is similar to an Authenticated User account. The Net
## NTLM Authentication
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-64-10 |
|Object Class| Foreign Security Principal|
@ -272,7 +272,7 @@ The Network Service account is similar to an Authenticated User account. The Net
This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-1000 |
|Object Class| Foreign Security Principal|
@ -284,7 +284,7 @@ This group implicitly includes all users who are logged on to the system through
This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-10 |
|Object Class| Foreign Security Principal|
@ -296,7 +296,7 @@ This identity is a placeholder in an ACE on a user, group, or computer object in
This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-14|
|Object Class| Foreign Security Principal|
@ -308,7 +308,7 @@ This identity represents all users who are currently logged on to a computer by
Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the users access token.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-12 |
|Object Class| Foreign Security Principal|
@ -318,7 +318,7 @@ Users and computers with restricted capabilities have the Restricted identity. T
## SChannel Authentication
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-64-14 |
|Object Class| Foreign Security Principal|
@ -331,7 +331,7 @@ Users and computers with restricted capabilities have the Restricted identity. T
Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-6 |
|Object Class| Foreign Security Principal|
@ -343,7 +343,7 @@ Any service that accesses the system has the Service identity. This identity gro
Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-13 |
|Object Class| Foreign Security Principal|
@ -353,7 +353,7 @@ Any user accessing the system through Terminal Services has the Terminal Server
## This Organization
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-15 |
|Object Class| Foreign Security Principal|
@ -362,7 +362,7 @@ Any user accessing the system through Terminal Services has the Terminal Server
## Window Manager\\Window Manager Group
| **Attribute** | **Value** |
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | |
|Object Class| |
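Review bot: the Window Manager\Window Manager Group table still ships with empty Well-Known SID/RID and Object Class cells after the header change; either fill them in or mark them "not applicable" so the table does not publish blank values.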

View File

@ -22,6 +22,7 @@ ms.reviewer:
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
```powershell
# Script to find out if a machine is Device Guard compliant.
@ -780,7 +781,7 @@ function CheckOSSKU
function CheckOSArchitecture
{
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
$OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower()
Log $OSArch
if($OSArch -match ("^64\-?\s?bit"))
{
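Review bot: replacing the gwmi alias with the full cmdlet name is the right style fix, but Get-WmiObject exists only in Windows PowerShell and is not available in PowerShell 7. Since the CheckVirtualization hunk in this same commit already moves to Get-CimInstance, consider `$OSArch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture.ToLower()` here as well so the script runs on both editions.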
@ -818,9 +819,9 @@ function CheckSecureBootState
function CheckVirtualization
{
$_vmmExtension = $(gwmi -Class Win32_processor).VMMonitorModeExtensions
$_vmFirmwareExtension = $(gwmi -Class Win32_processor).VirtualizationFirmwareEnabled
$_vmHyperVPresent = (gcim -Class Win32_ComputerSystem).HypervisorPresent
$_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions
$_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled
$_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent
Log "VMMonitorModeExtensions $_vmmExtension"
Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension"
Log "HyperVisorPresent $_vmHyperVPresent"
@ -1046,7 +1047,7 @@ if(!$TestForAdmin)
exit
}
$isRunningOnVM = (get-wmiobject win32_computersystem).model
$isRunningOnVM = (Get-WmiObject win32_computersystem).model
if($isRunningOnVM.Contains("Virtual"))
{
LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization."
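Review bot: casing-only change, fine as such; since the line is being touched, note that `$isRunningOnVM.Contains("Virtual")` is .NET String.Contains, which is case-sensitive and throws if `.model` comes back `$null`, so `if ($isRunningOnVM -like '*Virtual*')` would be the more robust check.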

View File

@ -38,7 +38,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc
Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider.
>[!IMPORTANT]
>For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to reset their PIN. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
>For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
### Reset PIN from Settings
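Review bot: the first sentence of the IMPORTANT note now scopes domain-controller connectivity to destructive PIN reset, but the second sentence still says "to reset their PIN" without saying which kind; state whether the AD FS connectivity requirement is likewise destructive-only, otherwise readers will read the two sentences as deliberately differing in scope.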