Merge branch 'main' into WDAC-Docs

This commit is contained in:
jsuther1974
2023-03-30 16:30:18 -07:00
committed by GitHub
18 changed files with 175 additions and 160 deletions



@ -0,0 +1,44 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
ms.prod: windows-client
ms.localizationpriority: medium
ms.author: paoloma
author: paolomatarazzo
manager: aaroncz
ms.technology: itpro-security
ms.date: 03/29/2023
ms.topic: article
---
# What is Microsoft Baseline Security Analyzer and its uses?
Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
> [!NOTE]
> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.
## Solution
A script can help you with an alternative to MBSA's patch-compliance checking:
- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
[![Screenshot that shows the VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
[![Screenshot that shows the PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
## More information
For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
- [Windows security baselines](windows-security-baselines.md)
- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
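Review bot: the sentence "MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available" is missing the separators between its three alternatives; suggest "where Microsoft Update, a local WSUS server, or a Configuration Manager server wasn't available". Two smaller points in the same file: the H1 "What is Microsoft Baseline Security Analyzer and its uses?" does not match the frontmatter title "Guide to removing Microsoft Baseline Security Analyzer (MBSA)", so the page heading and the search/browser title will disagree; and "it has since been deprecated and no longer developed" reads better as "it has since been deprecated and is no longer developed".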


@ -1,19 +1,19 @@
---
title: Enable hardware-based isolation for Microsoft Edge (Windows)
title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.prod: windows-client
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/30/2022
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
ms.collection:
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
ms.collection:
- highpri
- tier2
ms.topic: how-to
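Review bot: `ms.date: 11/30/2022` is carried over unchanged even though this commit (dated 2023-03-30) rewrites the page's frontmatter and install steps; suggest bumping it to the current date so the published page reflects when the content was last reviewed. Minor: `ms.reviewer:` survives as an empty key; either fill it in or drop it.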
@ -21,39 +21,34 @@ ms.topic: how-to
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
- Windows 10
- Windows 11
## Review system requirements
See [System requirements for Microsoft Defender Application Guard](./reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
Before you continue, review [System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
> [!NOTE]
> Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Prepare for Microsoft Defender Application Guard
## Prepare for Microsoft Defender Application Guard
Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
### Standalone mode
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Pro edition, version 1803
- Windows 11
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
Standalone mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
- Windows 10 Pro edition, version 1803 and later
- Windows 11 and later
## Enterprise-managed mode
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 11
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
Enterprise-managed mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
- Windows 11 and later
The following diagram shows the flow between the host PC and the isolated container.
![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png)
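Review bot: heading levels are inconsistent in the new text: "### Standalone mode" is an H3 under "## Prepare for Microsoft Defender Application Guard", but its sibling "## Enterprise-managed mode" is an H2, which places it beside "Prepare for..." in the page's table of contents rather than beneath it; suggest "### Enterprise-managed mode". Minor: in the note, "not supported on VMs and VDI environment" should read "not supported on VMs or in VDI environments".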
@ -62,71 +57,56 @@ The following diagram shows the flow between the host PC and the isolated contai
Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
### To install by using the Control Panel
### Install from Control Panel
1. Open the **Control Panel**, click **Programs,** and then select **Turn Windows features on or off**.
1. Open the **Control Panel**, select **Programs,** and then select **Turn Windows features on or off**.
![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png)
2. Select the check box next to **Microsoft Defender Application Guard** and then select **OK**.
1. Select the check box next to **Microsoft Defender Application Guard** and then select **OK** to install Application Guard and its underlying dependencies.
Application Guard and its underlying dependencies are all installed.
### To install by using PowerShell
### Install from PowerShell
> [!NOTE]
> Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
1. Select the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then select **Run as administrator**.
1. Select the **Search** icon in the Windows taskbar and type **PowerShell**.
Windows PowerShell opens with administrator credentials.
1. Right-click **Windows PowerShell**, and then select **Run as administrator** to open Windows PowerShell with administrator credentials.
3. Type the following command:
1. Type the following command:
```
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
```
4. Restart the device.
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
```
Application Guard and its underlying dependencies are all installed.
1. Restart the device to install Application Guard and its underlying dependencies.
### To install by using Intune
### Install from Intune
> [!IMPORTANT]
> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following: <br/>
1. Select **Endpoint security** > **Attack surface reduction** > **Create Policy**, and do the following:
1. In the **Platform** list, select **Windows 10 and later**.
2. In the **Profile** type, choose **Templates** and select **Endpoint protection**.
3. Choose **Create**.
- In the **Platform** list, select **Windows 10 and later**.
- In the **Profile** type, select **App and browser isolation**.
- Select **Create**.
2. Specify the following settings for the profile:
1. In the **Basics** tab, specify the **Name** and **Description** for the policy. Select **Next**.
- **Name** and **Description**
1. In the **Configuration settings** tab, configure the **Application Guard** settings, as desired. Select **Next**.
- In the **Select a category to configure settings** section, choose **Microsoft Defender Application Guard**.
1. In the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Select **Next**.
- In the **Application Guard** list, choose **Enabled for Edge**.
To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
- Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings.
1. In the **Assignments** page, select the users or groups that will receive the policy. Select **Next**.
3. Choose **OK**, and then choose **OK** again.
To learn more about assigning policies, see [Assign policies in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
4. Review your settings, and then choose **Create**.
1. Review your settings, and then select **Create**.
5. Choose **Assignments**, and then do the following:
1. On the **Include** tab, in the **Assign to** list, choose an option.
2. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab.
3. Select **Save**.
After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
After the policy is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
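Review bot: the image `:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::` sits between the IMPORTANT note and step 1, its alt text describes enrolment rather than what a profile-creation screenshot would show, and the steps below it now go through **Endpoint security** > **Attack surface reduction** > **Create Policy** instead of **Devices** > **Configuration profiles**; confirm the screenshot still matches the new path and give it an alt text that describes its contents, or drop it. Minor: "Restart the device to install Application Guard and its underlying dependencies" overstates what the restart does; `Enable-WindowsOptionalFeature` installs the feature and the restart completes it, so "Restart the device to complete the installation" is closer to the wording it replaced.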