diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index c857f7fb83..8cbc4ef4cd 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -7335,6 +7335,41 @@ "redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health", "redirect_document_id": false }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard.md", + "redirect_url": "/windows/security/identity-protection/credential-guard", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-considerations.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-known-issues.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/considerations-known-issues", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-manage.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/how-it-works", + "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/credential-guard/credential-guard-requirements.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/index", + "redirect_document_id": false + }, { "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md", "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index 92e4894f78..12bc0daf1b 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -1,7 +1,7 @@ --- title: Upgrade Windows Home to Windows Education on student-owned devices description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions. -ms.date: 08/10/2022 +ms.date: 08/07/2023 ms.topic: how-to author: scottbreenmsft ms.author: scbree diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 56094c8023..d3a6d97411 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -33,14 +33,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`**
  • Data type: **Integer**
  • Value: **1**
    • | -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] > [!TIP] > Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index 10c843fc0b..408976797e 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -53,7 +53,7 @@ To configure devices using Intune for Education, follow these steps: ### Configure Take a Test with a custom policy -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -67,8 +67,8 @@ To configure devices using Intune for Education, follow these steps: :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true"::: -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index bd941025f7..0f8053524d 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -23,14 +23,14 @@ Education themes aren't enabled by default. Follow the instructions below to con #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`**
  • Data type: **Integer**
  • Value: **1**
    • | -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 0d98af99f7..6b703ae346 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -79,7 +79,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -90,8 +90,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] :::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true"::: -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) @@ -121,7 +121,7 @@ To use web sign-in with a federated identity provider, your devices must be conf To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: -[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] +[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)] | Setting | |--------| @@ -131,8 +131,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`**
  • Data type: **String**
  • Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**
    • | |
  • OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`**
  • Data type: **String**
  • Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**
    • | -[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] -[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] +[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)] #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md deleted file mode 100644 index d911751e75..0000000000 --- a/education/windows/includes/intune-custom-settings-1.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -ms.date: 02/22/2022 -ms.topic: include ---- - -To configure devices with Microsoft Intune, use a custom policy: - -1. Go to the Microsoft Intune admin center -2. Select **Devices > Configuration profiles > Create profile** -3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** -4. Select **Create** -5. Specify a **Name** and, optionally, a **Description > Next** -6. Add the following settings: \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-2.md b/education/windows/includes/intune-custom-settings-2.md deleted file mode 100644 index 1a601acaa7..0000000000 --- a/education/windows/includes/intune-custom-settings-2.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -7. Select **Next** -8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -9. Under **Applicability Rules**, select **Next** -10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/education/windows/includes/intune-custom-settings-info.md b/education/windows/includes/intune-custom-settings-info.md deleted file mode 100644 index 8ff9da4294..0000000000 --- a/education/windows/includes/intune-custom-settings-info.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/education/windows/index.yml b/education/windows/index.yml index 691901dcf2..8d3a93691a 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -1,95 +1,181 @@ -### YamlMime:Landing +### YamlMime:Hub title: Windows for Education documentation -summary: Evaluate, plan, deploy, and manage Windows devices in an education environment +summary: Learn how to deploy, secure, and manage Windows clients in an education environment. +brand: windows metadata: - title: Windows for Education documentation - description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune - ms.topic: landing-page + ms.topic: hub-page ms.prod: windows-client ms.technology: itpro-edu ms.collection: - - education - - highpri - - tier1 + - education + - highpri + - tier1 author: paolomatarazzo ms.author: paoloma - ms.date: 03/09/2023 manager: aaroncz + ms.date: 07/28/2023 -landingContent: +highlightedContent: + items: + - title: Get started with Windows 11 + itemType: get-started + url: /windows/whats-new/windows-11-overview + - title: Windows 11, version 22H2 + itemType: whats-new + url: /windows/whats-new/whats-new-windows-11-version-22H2 + - title: Windows 11, version 22H2 group policy settings reference + itemType: download + url: https://www.microsoft.com/en-us/download/details.aspx?id=104594 + - title: Windows release health + itemType: whats-new + url: /windows/release-health + - title: Windows commercial licensing + itemType: overview + url: /windows/whats-new/windows-licensing + - title: Windows 365 documentation + itemType: overview + url: /windows-365 + - title: Explore all Windows trainings and learning paths for IT pros + itemType: learn + url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator + - title: Enroll Windows client devices in Microsoft Intune + itemType: how-to-guide + url: /mem/intune/fundamentals/deployment-guide-enrollment-windows - - title: Get started - linkLists: - - linkListType: tutorial - links: - - text: Deploy and manage Windows devices in a school - url: tutorial-school-deployment/index.md - - text: Prepare your tenant - url: tutorial-school-deployment/set-up-azure-ad.md - - text: Configure settings and applications with Microsoft Intune - url: tutorial-school-deployment/configure-devices-overview.md - - text: Manage devices with Microsoft Intune - url: tutorial-school-deployment/manage-overview.md - - text: Management functionalities for Surface devices - url: tutorial-school-deployment/manage-surface-devices.md +productDirectory: + title: Get started + items: - - title: Learn about Windows 11 SE - linkLists: - - linkListType: concept - links: - - text: What is Windows 11 SE? - url: windows-11-se-overview.md - - text: Windows 11 SE settings - url: windows-11-se-settings-list.md - - linkListType: whats-new - links: - - text: Configure federated sign-in - url: federated-sign-in.md - - text: Configure education themes - url: edu-themes.md - - text: Configure Stickers - url: edu-stickers.md - - linkListType: video - links: - - text: Deploy Windows 11 SE using Set up School PCs - url: https://www.youtube.com/watch?v=Ql2fbiOop7c + - title: Hardware security + imageSrc: /media/common/i_usb.svg + links: + - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview + text: Trusted Platform Module + - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor + text: Microsoft Pluton + - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows + text: Windows Defender System Guard + - url: /windows-hardware/design/device-experiences/oem-vbs + text: Virtualization-based security (VBS) + - url: /windows-hardware/design/device-experiences/oem-highly-secure-11 + text: Secured-core PC + - url: /windows/security/hardware-security + text: Learn more about hardware security > - - title: Deploy devices with Set up School PCs - linkLists: - - linkListType: concept - links: - - text: What is Set up School PCs? - url: set-up-school-pcs-technical.md - - linkListType: how-to-guide - links: - - text: Use the Set up School PCs app - url: use-set-up-school-pcs-app.md - - linkListType: reference - links: - - text: Provisioning package settings - url: set-up-school-pcs-provisioning-package.md - - linkListType: video - links: - - text: Use the Set up School PCs App - url: https://www.youtube.com/watch?v=2ZLup_-PhkA + - title: OS security + imageSrc: /media/common/i_threat-protection.svg + links: + - url: /windows/security/operating-system-security + text: Trusted boot + - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center + text: Windows security settings + - url: /windows/security/operating-system-security/data-protection/bitlocker/ + text: BitLocker + - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines + text: Windows security baselines + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ + text: MMicrosoft Defender SmartScreen + - url: /windows/security/operating-system-security + text: Learn more about OS security > - - title: Configure devices - linkLists: - - linkListType: concept - links: - - text: Take tests and assessments in Windows - url: take-tests-in-windows.md - - text: Considerations for shared and guest devices - url: /windows/configuration/shared-devices-concepts?context=/education/context/context - - text: Change Windows editions - url: change-home-to-edu.md - - linkListType: how-to-guide - links: - - text: Configure Take a Test in kiosk mode - url: edu-take-a-test-kiosk-mode.md - - text: Configure Shared PC - url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context - - text: Get and deploy Minecraft Education - url: get-minecraft-for-education.md \ No newline at end of file + - title: Identity protection + imageSrc: /media/common/i_identity-protection.svg + links: + - url: /windows/security/identity-protection/hello-for-business + text: Windows Hello for Business + - url: /windows/security/identity-protection/credential-guard + text: Credential Guard + - url: /windows-server/identity/laps/laps-overview + text: Windows LAPS (Local Administrator Password Solution) + - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection + text: Enhanced phishing protection with SmartScreen + - url: /education/windows/federated-sign-in + text: Federated sign-in (EDU) + - url: /windows/security/identity-protection + text: Learn more about identity protection > + + - title: Application security + imageSrc: /media/common/i_queries.svg + links: + - url: /windows/security/application-security/application-control/windows-defender-application-control/ + text: Windows Defender Application Control (WDAC) + - url: /windows/security/application-security/application-control/user-account-control + text: User Account Control (UAC) + - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules + text: Microsoft vulnerable driver blocklist + - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + text: Microsoft Defender Application Guard (MDAG) + - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview + text: Windows Sandbox + - url: /windows/security/application-security + text: Learn more about application security > + + - title: Security foundations + imageSrc: /media/common/i_build.svg + links: + - url: /windows/security/security-foundations/certification/fips-140-validation + text: FIPS 140-2 validation + - url: /windows/security/security-foundations/certification/windows-platform-common-criteria + text: Common Criteria Certifications + - url: /windows/security/security-foundations/msft-security-dev-lifecycle + text: Microsoft Security Development Lifecycle (SDL) + - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview + text: Microsoft Windows Insider Preview bounty program + - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/ + text: OneFuzz service + - url: /windows/security/security-foundations + text: Learn more about security foundations > + + - title: Cloud security + imageSrc: /media/common/i_cloud-security.svg + links: + - url: /mem/intune/protect/security-baselines + text: Security baselines with Intune + - url: /windows/deployment/windows-autopatch + text: Windows Autopatch + - url: /windows/deployment/windows-autopilot + text: Windows Autopilot + - url: /universal-print + text: Universal Print + - url: /windows/client-management/mdm/remotewipe-csp + text: Remote wipe + - url: /windows/security/cloud-security + text: Learn more about cloud security > + +additionalContent: + sections: + - title: More Windows resources + items: + + - title: Windows Server + links: + - text: Windows Server documentation + url: /windows-server + - text: What's new in Windows Server 2022? + url: /windows-server/get-started/whats-new-in-windows-server-2022 + - text: Windows Server blog + url: https://cloudblogs.microsoft.com/windowsserver/ + + - title: Windows product site and blogs + links: + - text: Find out how Windows enables your business to do more + url: https://www.microsoft.com/microsoft-365/windows + - text: Windows blogs + url: https://blogs.windows.com/ + - text: Windows IT Pro blog + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog + - text: Microsoft Intune blog + url: https://techcommunity.microsoft.com/t5/microsoft-intune-blog/bg-p/MicrosoftEndpointManagerBlog + - text: "Windows help & learning: end-user documentation" + url: https://support.microsoft.com/windows + + - title: Participate in the community + links: + - text: Windows community + url: https://techcommunity.microsoft.com/t5/windows/ct-p/Windows10 + - text: Microsoft Intune community + url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune + - text: Microsoft Support community + url: https://answers.microsoft.com/windows/forum \ No newline at end of file diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 0ef3e1439d..e484296ed5 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -89,7 +89,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` | | `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` | | `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` | -| `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` | +| `Cisco Umbrella` | 3.0.343.0 | `Win32` | `Cisco` | | `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` | | `Class Policy` | 116.0.0 | `Win32` | `Class Policy` | | `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` | @@ -107,7 +107,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` | | `Epson iProjection` | 3.31 | `Win32` | `Epson` | | `eTests` | 4.0.25 | `Win32` | `CASAS` | -| `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` | +| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` | | `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | | `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | | `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | @@ -135,8 +135,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` | | `NAPLAN` | 5.2.2 | `Win32` | `NAP` | | `Netref Student` | 23.1.0 | `Win32` | `NetRef` | -| `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` | -| `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` | +| `NetSupport DNA` | 4.80.0000 | `Win32` | `NetSupport` | +| `NetSupport Manager` | 14.00.0012 | `Win32` | `NetSupport` | +| `NetSupport Notify` | 5.10.1.223 | `Win32` | `NetSupport` | | `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | | `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | | `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` | @@ -148,7 +149,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` | | `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` | | `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` | -| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` | +| `Remote Desktop client (MSRDC)` | 1.2.4240.0 | `Win32` | `Microsoft` | | `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` | | `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md index 8f3cdce242..d30e2cc685 100644 --- a/includes/configure/gpo-settings-1.md +++ b/includes/configure/gpo-settings-1.md @@ -6,4 +6,4 @@ ms.topic: include ms.prod: windows-client --- -To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under \ No newline at end of file +To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md index 9aae47a0fa..d0b87a5b78 100644 --- a/includes/configure/intune-settings-catalog-1.md +++ b/includes/configure/intune-settings-catalog-1.md @@ -6,4 +6,4 @@ ms.topic: include ms.prod: windows-client --- -To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file +To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file diff --git a/includes/intune/intune-custom-settings-1.md b/includes/intune/intune-custom-settings-1.md deleted file mode 100644 index d911751e75..0000000000 --- a/includes/intune/intune-custom-settings-1.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -ms.date: 02/22/2022 -ms.topic: include ---- - -To configure devices with Microsoft Intune, use a custom policy: - -1. Go to the Microsoft Intune admin center -2. Select **Devices > Configuration profiles > Create profile** -3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** -4. Select **Create** -5. Specify a **Name** and, optionally, a **Description > Next** -6. Add the following settings: \ No newline at end of file diff --git a/includes/intune/intune-custom-settings-2.md b/includes/intune/intune-custom-settings-2.md deleted file mode 100644 index 1a601acaa7..0000000000 --- a/includes/intune/intune-custom-settings-2.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -7. Select **Next** -8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -9. Under **Applicability Rules**, select **Next** -10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/includes/intune/intune-custom-settings-info.md b/includes/intune/intune-custom-settings-info.md deleted file mode 100644 index 8ff9da4294..0000000000 --- a/includes/intune/intune-custom-settings-info.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -ms.date: 11/08/2022 -ms.topic: include ---- - -For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md index e803e8009d..d64cd242d4 100644 --- a/includes/licensing/_edition-requirements.md +++ b/includes/licensing/_edition-requirements.md @@ -21,6 +21,7 @@ ms.topic: include |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes| |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes| |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes| +|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes| |**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes| |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes| |**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes| @@ -53,6 +54,7 @@ ms.topic: include |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes| |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes| +|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes| |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes| |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes| @@ -75,8 +77,6 @@ ms.topic: include |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| -|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes| -|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md index 28ea87e8e0..d9d793ad2b 100644 --- a/includes/licensing/_licensing-requirements.md +++ b/includes/licensing/_licensing-requirements.md @@ -21,6 +21,7 @@ ms.topic: include |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes| |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes| |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes| +|**[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes| |**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes| |**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes| |**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes| @@ -53,6 +54,7 @@ ms.topic: include |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes| +|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes| |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes| |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes| @@ -75,8 +77,6 @@ ms.topic: include |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌| |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| -|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes| -|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/credential-guard.md similarity index 74% rename from includes/licensing/windows-defender-credential-guard.md rename to includes/licensing/credential-guard.md index adf6d74a0e..b5eea7128d 100644 --- a/includes/licensing/windows-defender-credential-guard.md +++ b/includes/licensing/credential-guard.md @@ -7,13 +7,13 @@ ms.topic: include ## Windows edition and licensing requirements -The following table lists the Windows editions that support Windows Defender Credential Guard: +The following table lists the Windows editions that support Credential Guard: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |No|Yes|No|Yes| -Windows Defender Credential Guard license entitlements are granted by the following licenses: +Credential Guard license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/remote-credential-guard.md similarity index 73% rename from includes/licensing/windows-defender-remote-credential-guard.md rename to includes/licensing/remote-credential-guard.md index 8d862bdc9d..8e80d94a84 100644 --- a/includes/licensing/windows-defender-remote-credential-guard.md +++ b/includes/licensing/remote-credential-guard.md @@ -7,13 +7,13 @@ ms.topic: include ## Windows edition and licensing requirements -The following table lists the Windows editions that support Windows Defender Remote Credential Guard: +The following table lists the Windows editions that support Remote Credential Guard: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -Windows Defender Remote Credential Guard license entitlements are granted by the following licenses: +Remote Credential Guard license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 289c643dd9..e1194939bb 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -46,8 +46,8 @@ If you disable or don't configure this policy setting, then Microsoft won't be a -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 700b3d03f2..20532820a0 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -132,8 +132,8 @@ See the documentation at for i > [!NOTE] > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). @@ -210,8 +210,8 @@ This setting has no effect on devices unless they're properly enrolled in Deskto -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). @@ -582,8 +582,8 @@ This setting has no effect on devices unless they're properly enrolled in Micros -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). @@ -774,8 +774,8 @@ If you disable or don't configure this policy setting, devices won't appear in U -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). @@ -900,8 +900,8 @@ If you disable or don't configure this policy setting, devices enrolled to the W -> [!IMPORTANT] -> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> [!NOTE] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Enable Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration). diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index a72e0b1d1d..1e160b35dd 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md @@ -7,7 +7,7 @@ author: frankroj manager: aaroncz ms.author: frankroj ms.topic: article -ms.date: 08/22/2023 +ms.date: 09/05/2023 ms.technology: itpro-deploy appliesto: - ✅ Windows 11 @@ -108,7 +108,7 @@ Before modifying the desired boot image, make a backup copy of the boot image th Adjust the above paths for 32-bit boot images (only available with Windows 10 ADKs). -The following commands backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: +The following command backs up the 64-bit boot image included with the **Windows PE add-on for the Windows ADK**: ### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) From an elevated **PowerShell** command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. If a backed-up boot image already exists, this command needs confirmation before it overwrites the existing backed up boot image: @@ -634,7 +634,7 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo copy "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" copy "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` @@ -646,7 +646,7 @@ copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windo copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" +copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" ``` @@ -840,7 +840,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag **Example**: ```powershell - Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force + Remove-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force ``` For more information, see [Remove-Item](/powershell/module/microsoft.powershell.management/remove-item). @@ -1019,7 +1019,7 @@ This process updates the boot image used by Configuration Manager. It also updat ### Updating Configuration Manager boot media -After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also updat bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media). +After completing the walkthrough, including updating boot images in Configuration Manager, update any Configuration Manager task sequence media. Updating any Configuration Manager task sequence media ensures that the task sequence media has both the updated boot image. If applicable, it will also update bootmgr boot files on the media by extracting the latest versions from the boot image. For more information on creating Configuration Manager task sequence media, see [Create task sequence media](/mem/configmgr/osd/deploy-use/create-task-sequence-media). ## Microsoft Deployment Toolkit (MDT) considerations @@ -1154,7 +1154,7 @@ then follow these steps to update the boot image in WDS: --- -2. Once the existing boot image in WDS has been replaced, restart the WDS service: +1. Once the existing boot image in WDS has been replaced, restart the WDS service: #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) @@ -1233,7 +1233,7 @@ then follow these steps to add the boot image in WDS: --- -2. Once the existing boot image in WDS has been replaced, restart the WDS service: +1. Once the existing boot image in WDS has been replaced, restart the WDS service: #### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell) @@ -1271,7 +1271,12 @@ The **boot.wim** that is part of Windows installation media isn't supported for ## Windows Server 2012 R2 -This walk-through isn't intended for use with Windows Server 2012 R2. Although the steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). For server OSes, it's recommended to use Windows Server 2016 or later for this walk-through. For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). +This walk-through isn't intended for use with Windows Server 2012 R2. The steps in this article may work with Windows Server 2012 R2 when using older versions of the Windows ADK. However, it may have compatibility problems with versions of the Windows ADK that are newer than the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). To resolve compatibility problems with newer ADKs and Windows Server 2012 R2: + +1. Upgrade Windows Server 2012 R2 to a newer version of Windows Server. +1. Perform the boot image customizations on a computer running a version of Windows that supports the newer ADKs, for example Windows 10 or Windows 11, and then transfer the modified boot image to the Windows Server 2012 R2 server. + +For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products/windows-server-2012-r2). ## Related articles diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md index dfa61b9776..a7e5e6a58f 100644 --- a/windows/deployment/update/deployment-service-expedited-updates.md +++ b/windows/deployment/update/deployment-service-expedited-updates.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 02/14/2023 +ms.date: 08/29/2023 --- # Deploy expedited updates with Windows Update for Business deployment service @@ -51,13 +51,13 @@ All of the [prerequisites for the Windows Update for Business deployment service ## List catalog entries for expedited updates -Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates. +Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=1` and ordering by `ReleaseDateTimeshows` displays the most recent update that can be deployed as expedited. ```msgraph-interactive -GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3 +GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=1 ``` -The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update: +The following truncated response displays a **Catalog ID** of `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5` for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update: ```json { @@ -65,21 +65,119 @@ The following truncated response displays a **Catalog ID** of `693fafea03c24cca "value": [ { "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", - "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432", - "displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later", + "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5", + "displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later", "deployableUntilDateTime": null, - "releaseDateTime": "2023-01-10T00:00:00Z", + "releaseDateTime": "2023-08-08T00:00:00Z", "isExpeditable": true, - "qualityUpdateClassification": "security" - }, - ... + "qualityUpdateClassification": "security", + "catalogName": "2023-08 Cumulative Update for Windows 10 and later", + "shortName": "2023.08 B", + "qualityUpdateCadence": "monthly", + "cveSeverityInformation": { + "maxSeverity": "critical", + "maxBaseScore": 9.8, + "exploitedCves@odata.context": "https://graph.microsoft.com/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves", + "exploitedCves": [ + { + "number": "ADV230003", + "url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003" + }, + { + "number": "CVE-2023-38180", + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180" + } + ] + } + } ] } ``` +The deployment service can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers. + +Use the following to display the product revision information for the most recent quality update: + +```msgraph-interactive +GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc&$top=1 +``` + + +The following truncated response displays information about KB5029244 for Windows 10, version 22H2, and KB5029263 for Windows 11, version 22H2: + +```json +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries(microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions())", + "value": [ + { + "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", + "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5", + "displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later", + "deployableUntilDateTime": null, + "releaseDateTime": "2023-08-08T00:00:00Z", + "isExpeditable": true, + "qualityUpdateClassification": "security", + "catalogName": "2023-08 Cumulative Update for Windows 10 and later", + "shortName": "2023.08 B", + "qualityUpdateCadence": "monthly", + "cveSeverityInformation": { + "maxSeverity": "critical", + "maxBaseScore": 9.8, + "exploitedCves@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves", + "exploitedCves": [ + { + "number": "ADV230003", + "url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003" + }, + { + "number": "CVE-2023-38180", + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180" + } + ] + }, + "productRevisions@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions", + "productRevisions": [ + { + "id": "10.0.19045.3324", + "displayName": "Windows 10, version 22H2, build 19045.3324", + "releaseDateTime": "2023-08-08T00:00:00Z", + "version": "22H2", + "product": "Windows 10", + "osBuild": { + "majorVersion": 10, + "minorVersion": 0, + "buildNumber": 19045, + "updateBuildRevision": 3324 + }, + "knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.19045.3324')/knowledgeBaseArticle/$entity", + "knowledgeBaseArticle": { + "id": "KB5029244", + "url": "https://support.microsoft.com/help/5029244" + } + }, + { + "id": "10.0.22621.2134", + "displayName": "Windows 11, version 22H2, build 22621.2134", + "releaseDateTime": "2023-08-08T00:00:00Z", + "version": "22H2", + "product": "Windows 11", + "osBuild": { + "majorVersion": 10, + "minorVersion": 0, + "buildNumber": 22621, + "updateBuildRevision": 2134 + }, + "knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.22621.2134')/knowledgeBaseArticle/$entity", + "knowledgeBaseArticle": { + "id": "KB5029263", + "url": "https://support.microsoft.com/help/5029263" + } + }, +``` + ## Create a deployment -When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body. +When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update with catalog entry ID `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5`, and defines the `expedite` and `userExperience` deployment options in the request body. ```msgraph-interactive POST https://graph.microsoft.com/beta/admin/windows/updates/deployments @@ -91,7 +189,7 @@ content-type: application/json "@odata.type": "#microsoft.graph.windowsUpdates.catalogContent", "catalogEntry": { "@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry", - "id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432" + "id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5" } }, "settings": { diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md index 61ed9e5d63..f9ba6dd147 100644 --- a/windows/deployment/update/deployment-service-feature-updates.md +++ b/windows/deployment/update/deployment-service-feature-updates.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 02/14/2023 +ms.date: 08/29/2023 --- # Deploy feature updates with Windows Update for Business deployment service @@ -86,7 +86,8 @@ The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4b "displayName": "Windows 11, version 22H2", "deployableUntilDateTime": "2025-10-14T00:00:00Z", "releaseDateTime": "2022-09-20T00:00:00Z", - "version": "Windows 11, version 22H2" + "version": "Windows 11, version 22H2", + "buildNumber": "22621" } ] } diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md index 1975275322..388592c36c 100644 --- a/windows/deployment/update/includes/wufb-reports-endpoints.md +++ b/windows/deployment/update/includes/wufb-reports-endpoints.md @@ -5,7 +5,7 @@ manager: aaroncz ms.technology: itpro-updates ms.prod: windows-client ms.topic: include -ms.date: 04/06/2022 +ms.date: 08/21/2023 ms.localizationpriority: medium --- @@ -14,10 +14,11 @@ Devices must be able to contact the following endpoints in order to authenticate | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. | -| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | -| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | -| `https://adl.windows.com` | Required for Windows Update functionality. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | -| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. | -| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | +| `*v10c.events.data.microsoft.com`

    `eu-v10c.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. | +| `umwatsonc.events.data.microsoft.com`

    `eu-watsonc.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | +| `v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | +| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. | +| `adl.windows.com` | Required for Windows Update functionality. | +| `oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. | +| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | +| `*.blob.core.windows.net` | Azure blob data storage.| \ No newline at end of file diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index cf907c749f..c37d7cc3d2 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -22,72 +22,72 @@ This section lists the error codes for Microsoft Windows Update. | Error code | Message | Description | |------------|---------------------------------|--------------------------------------------------------------------------------------------------------| -| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | -| 0x8024A000 | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. | -| 0x8024A002 | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | -| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. | -| 0x8024A004 | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. | -| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. | -| 0x8024AFFF | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. | +| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | +| `0x8024A000` | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. | +| `0x8024A002` | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| `0x8024A003` | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. | +| `0x8024A004` | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. | +| `0x8024A005` | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. | +| `0x8024AFFF` | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. | ## Windows Update UI errors | Error code | Message | Description | |------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| -| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation couldn't be read from the registry due to an unrecognized data format version. | -| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation couldn't be read from the registry due to an invalid data format. | -| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation aren't available; the operation may have failed to start. | -| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. | -| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. | -| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | -| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property isn't available. | +| `0x80243001` | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation couldn't be read from the registry due to an unrecognized data format version. | +| `0x80243002` | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation couldn't be read from the registry due to an invalid data format. | +| `0x80243003` | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation aren't available; the operation may have failed to start. | +| `0x80243004` | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. | +| `0x80243FFD` | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. | +| `0x80243FFE` | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. | +| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | +| `0x8024043D` | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property isn't available. | ## Inventory errors | Error code | Message | Description | |------------|--------------------------------------------|-------------------------------------------------------------------------------| -| 0x80249001 | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. | -| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. | -| 0x80249003 | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. | -| 0x80249004 | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. | -| 0x80249005 | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. | +| `0x80249001` | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. | +| `0x80249002` | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. | +| `0x80249003` | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. | +| `0x80249004` | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. | +| `0x80249005` | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. | ## Expression evaluator errors | Error code | Message | Description | |------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------| -| 0x8024E001 | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was unrecognized. | -| 0x8024E002 | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was invalid. | -| 0x8024E003 | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation couldn't be completed because an expression contains an incorrect number of metadata nodes. | -| 0x8024E004 | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation couldn't be completed because the version of the serialized expression data is invalid. | -| 0x8024E005 | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator couldn't be initialized. | -| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation couldn't be completed because there was an invalid attribute. | -| 0x8024E007 | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined. | -| 0x8024EFFF | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. | +| `0x8024E001` | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was unrecognized. | +| `0x8024E002` | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was invalid. | +| `0x8024E003` | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation couldn't be completed because an expression contains an incorrect number of metadata nodes. | +| `0x8024E004` | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation couldn't be completed because the version of the serialized expression data is invalid. | +| `0x8024E005` | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator couldn't be initialized. | +| `0x8024E006` | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation couldn't be completed because there was an invalid attribute. | +| `0x8024E007` | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined. | +| `0x8024EFFF` | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. | ## Reporter errors | Error code | Message | Description | |------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------| -| 0x80247001 | `WU_E_OL_INVALID_SCANFILE` | An operation couldn't be completed because the scan package was invalid. | -| 0x80247002 | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation couldn't be completed because the scan package requires a greater version of the Windows Update Agent. | -| 0x80247FFF | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. | -| 0x8024F001 | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. | -| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor couldn't be parsed. | -| 0x8024F003 | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor couldn't be parsed. | -| 0x8024F004 | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. | -| 0x8024FFFF | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. | +| `0x80247001` | `WU_E_OL_INVALID_SCANFILE` | An operation couldn't be completed because the scan package was invalid. | +| `0x80247002` | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation couldn't be completed because the scan package requires a greater version of the Windows Update Agent. | +| `0x80247FFF` | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. | +| `0x8024F001` | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. | +| `0x8024F002` | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor couldn't be parsed. | +| `0x8024F003` | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor couldn't be parsed. | +| `0x8024F004` | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. | +| `0x8024FFFF` | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. | ## Redirector errors The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors. | Error code | Message | Description | |----------- |------------------------------|------------------------------------------------------------------------------------------| -| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document couldn't be loaded into the DOM class. | -| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. | -| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. | -| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. | +| `0x80245001` | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document couldn't be loaded into the DOM class. | +| `0x80245002` | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. | +| `0x80245003` | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. | +| `0x80245FFF` | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. | ## Protocol Talker errors The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method. @@ -95,271 +95,271 @@ The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. Th | Error code | Message | Description | |------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------| -| 0x80244000 | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. | -| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. | -| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. | -| 0x80244003 | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. | -| 0x80244004 | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. | -| 0x80244005 | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. | -| 0x80244006 | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. | -| 0x80244007 | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | -| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. | -| 0x80244009 | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. | -| 0x8024400A | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. | +| `0x80244000` | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. | +| `0x80244001` | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. | +| `0x80244002` | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. | +| `0x80244003` | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. | +| `0x80244004` | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. | +| `0x80244005` | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. | +| `0x80244006` | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. | +| `0x80244007` | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | +| `0x80244008` | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. | +| `0x80244009` | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. | +| `x8024400A` | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. | ## Other Protocol Talker errors -The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`. +The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`. -| Error code | Message | Description | -|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024400B | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. | -| 0x8024400C | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. | -| 0x8024400D | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. | -| 0x8024400E | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later. | -| 0x8024400F | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. | -| 0x80244010 | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. | -| 0x80244011 | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. | -| 0x80244012 | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. | -| 0x80244013 | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name couldn't be determined. | -| 0x80244015 | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | -| 0x80244016 | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server couldn't process the request due to invalid syntax. | -| 0x80244017 | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. | -| 0x80244018 | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. | -| 0x80244019 | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). | -| 0x8024401A | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method is not allowed. | -| 0x8024401B | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. | -| 0x8024401C | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. | -| 0x8024401D | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. | -| 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. | -| 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | -| 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | -| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. | -| 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. | -| 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. | -| 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | -| 0x80244025 | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. | -| 0x80244026 | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | -| 0x80244027 | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. | -| 0x80244028 | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. | -| 0x80244029 | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. | -| 0x8024402A | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. | -| 0x8024402B | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request couldn't be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes. | -| 0x8024402C | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. | -| 0x8024402F | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. | -| 0x80244030 | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization did not complete. | -| 0x80244031 | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. | -| 0x80244032 | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. | -| 0x80244033 | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest couldn't be extracted from an external cab file. | -| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file couldn't be decompressed. | -| 0x80244035 | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. | -| 0x80244FFF | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. | -| 0x8024502D | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | -| 0x8024502E | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action did not complete because the server is managed. | +| Error code | Message | Description | +|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------| +| `0x8024400B` | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. | +| `0x8024400C` | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. | +| `0x8024400D` | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. | +|`0x8024400E` | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message couldn't be processed due to a server error; resend later. | +| `0x8024400F` | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. | +| `0x80244010` | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. | +| `0x80244011` | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. | +| `0x80244012` | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. | +| `0x80244013` | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name couldn't be determined. | +| `0x80244015` | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +| `0x80244016` | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server couldn't process the request due to invalid syntax. | +| `0x80244017` | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. | +| `0x80244018` | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. | +| `0x80244019` | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server can't find the requested URI (Uniform Resource Identifier). | +| `0x8024401A` | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method isn't allowed. | +| `0x8024401B` | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. | +| `0x8024401C` | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. | +| `0x8024401D` | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request wasn't completed due to a conflict with the current state of the resource. | +| `0x8024401E` | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. | +| `0x8024401F` | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | +| `0x80244020` | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server doesn't support the functionality required to fulfill the request. | +|`0x80244021` | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. | +| `0x80244022` | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. | +| `0x80244023` | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. | +| `0x80244024` | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server doesn't support the HTTP protocol version used for the request. | +| `0x80244025` | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. | +| `0x80244026` | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent doesn't support registration with a non-WSUS server. | +| `0x80244027` | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. | +| `0x80244028` | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. | +| `0x80244029` | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. | +| `0x8024402A` | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. | +| `0x8024402B` | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request couldn't be completed and the reason didn't correspond to any of the `WU_E_PT_HTTP_*` error codes. | +| `0x8024402C` | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name can't be resolved. | +| `0x8024402F` | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. | +| `0x80244030` | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization didn't complete. | +| `0x80244031` | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. | +| `0x80244032` | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. | +| `0x80244033` | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest couldn't be extracted from an external cab file. | +| `0x80244034` | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file couldn't be decompressed. | +| `0x80244035` | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. | +| `0x80244FFF` | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. | +| `0x8024502D` | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | +| `0x8024502E` | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action didn't complete because the server is managed. | ## Download Manager errors | Error code | Message | Description | |------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| -| 0x80246001 | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation couldn't be completed because the requested file does not have a URL. | -| 0x80246002 | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation couldn't be completed because the file digest was not recognized. | -| 0x80246003 | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation couldn't be completed because the file metadata requested an unrecognized hash algorithm. | -| 0x80246004 | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation couldn't be completed because a download request is required from the download handler. | -| 0x80246005 | `WU_E_DM_NONETWORK` | A download manager operation couldn't be completed because the network connection was unavailable. | -| 0x80246006 | `WU_E_DM_WRONGBITSVERSION` | A download manager operation couldn't be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | -| 0x80246007 | `WU_E_DM_NOTDOWNLOADED` | The update has not been downloaded. | -| 0x80246008 | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | -| 0x80246009 | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. | -| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. | -| 0x8024600B | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. | -| 0x80246FFF | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. | +| `0x80246001` | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation couldn't be completed because the requested file doesn't have a URL. | +| `0x80246002` | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation couldn't be completed because the file digest wasn't recognized. | +| `0x80246003` | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation couldn't be completed because the file metadata requested an unrecognized hash algorithm. | +| `0x80246004` | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation couldn't be completed because a download request is required from the download handler. | +| `0x80246005` | `WU_E_DM_NONETWORK` | A download manager operation couldn't be completed because the network connection was unavailable. | +| `0x80246006` | `WU_E_DM_WRONGBITSVERSION` | A download manager operation couldn't be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +| `0x80246007` | `WU_E_DM_NOTDOWNLOADED` | The update hasn't been downloaded. | +| `0x80246008` | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +| `0x80246009` | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. | +| `0x8024600A` | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. | +| `0x8024600B` | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. | +| `0x80246FFF` | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. | ## Update Handler errors | Error code | Message | Description | |------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -| 0x80242000 | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler couldn't be completed because no remote process is available. | -| 0x80242001 | `WU_E_UH_LOCALONLY` | A request for a remote update handler could not be completed because the handler is local only. | -| 0x80242002 | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler could not be completed because the handler could not be recognized. | -| 0x80242003 | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler could not be created because one already exists. | -| 0x80242004 | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | -| 0x80242005 | `WU_E_UH_WRONGHANDLER` | An operation did not complete because the wrong handler was specified. | -| 0x80242006 | `WU_E_UH_INVALIDMETADATA` | A handler operation could not be completed because the update contains invalid metadata. | -| 0x80242007 | `WU_E_UH_INSTALLERHUNG` | An operation could not be completed because the installer exceeded the time limit. | -| 0x80242008 | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. | -| 0x80242009 | `WU_E_UH_BADHANDLERXML` | An operation could not be completed because the handler-specific metadata is invalid. | -| 0x8024200A | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update could not be completed because the update requires user input. | -| 0x8024200B | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. | -| 0x8024200C | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. | -| 0x8024200D | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler did not install the update because it needs to be downloaded again. | -| 0x8024200E | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. | -| 0x8024200F | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. | -| 0x80242010 | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. | -| 0x80242011 | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. | -| 0x80242012 | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. | -| 0x80242013 | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. | -| 0x80242014 | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. | -| 0x80242015 | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update could not be determined. | -| 0x80242016 | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. | -| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. | -| 0x80242FFF | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. | +| `0x80242000` | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler couldn't be completed because no remote process is available. | +| `0x80242001`| `WU_E_UH_LOCALONLY` | A request for a remote update handler couldn't be completed because the handler is local only. | +| `0x80242002` | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler couldn't be completed because the handler couldn't be recognized. | +| `0x80242003` | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler couldn't be created because one already exists. | +| `0x80242004` | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update couldn't be completed because the update doesn't support install (uninstall). | +|`0x80242005` | `WU_E_UH_WRONGHANDLER` | An operation didn't complete because the wrong handler was specified. | +| `0x80242006` | `WU_E_UH_INVALIDMETADATA` | A handler operation couldn't be completed because the update contains invalid metadata. | +| `0x80242007` | `WU_E_UH_INSTALLERHUNG` | An operation couldn't be completed because the installer exceeded the time limit. | +| `0x80242008` | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. | +| `0x80242009` | `WU_E_UH_BADHANDLERXML` | An operation couldn't be completed because the handler-specific metadata is invalid. | +| `0x8024200A` | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update couldn't be completed because the update requires user input. | +| `0x8024200B` | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. | +| `0x8024200C` | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. | +| `0x8024200D` | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler didn't install the update because it needs to be downloaded again. | +| `0x8024200E` | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. | +| `0x8024200F` | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. | +| `0x80242010` | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. | +| `0x80242011` | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. | +| `0x80242012` | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. | +| `0x80242013` | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. | +| `0x80242014` | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. | +| `0x80242015` | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update couldn't be determined. | +| `0x80242016` | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. | +| `0x80242017` | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. | +| `0x80242FFF` | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. | ## Data Store errors | Error code | Message | Description | |------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x80248000 | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. | -| 0x80248001 | `WU_E_DS_INUSE` | An operation failed because the data store was in use. | -| 0x80248002 | `WU_E_DS_INVALID` | The current and expected states of the data store do not match. | -| 0x80248003 | `WU_E_DS_TABLEMISSING` | The data store is missing a table. | -| 0x80248004 | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. | -| 0x80248005 | `WU_E_DS_INVALIDTABLENAME` | A table could not be opened because the table is not in the data store. | -| 0x80248006 | `WU_E_DS_BADVERSION` | The current and expected versions of the data store do not match. | -| 0x80248007 | `WU_E_DS_NODATA` | The information requested is not in the data store. | -| 0x80248008 | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. | -| 0x80248009 | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -| 0x8024800A | `WU_E_DS_UNKNOWNHANDLER` | The update was not processed because its update handler could not be recognized. | -| 0x8024800B | `WU_E_DS_CANTDELETE` | The update was not deleted because it is still referenced by one or more services. | -| 0x8024800C | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section could not be locked within the allotted time. | -| 0x8024800D | `WU_E_DS_NOCATEGORIES` | The category was not added because it contains no parent categories and is not a top-level category itself. | -| 0x8024800E | `WU_E_DS_ROWEXISTS` | The row was not added because an existing row has the same primary key. | -| 0x8024800F | `WU_E_DS_STOREFILELOCKED` | The data store could not be initialized because it was locked by another process. | -| 0x80248010 | `WU_E_DS_CANNOTREGISTER` | The data store is not allowed to be registered with COM in the current process. | -| 0x80248011 | `WU_E_DS_UNABLETOSTART` | Could not create a data store object in another process. | -| 0x80248013 | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. | -| 0x80248014 | `WU_E_DS_UNKNOWNSERVICE` | An operation did not complete because the service is not in the data store. | -| 0x80248015 | `WU_E_DS_SERVICEEXPIRED` | An operation did not complete because the registration of the service has expired. | -| 0x80248016 | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. | -| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` | A table was not closed because it is not associated with the session. | -| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH` | A table was not closed because it is not associated with the session. | -| 0x80248019 | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. | -| 0x8024801A | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation is not allowed. | -| 0x8024801B | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document do not match. | -| 0x8024801C | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. | -| 0x8024801D | `WU_E_DS_IMPERSONATED` | A data store operation did not complete because it was requested with an impersonated identity. | -| 0x80248FFF | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. | +| `0x80248000` | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. | +| `0x80248001` | `WU_E_DS_INUSE` | An operation failed because the data store was in use. | +| `0x80248002` | `WU_E_DS_INVALID` | The current and expected states of the data store don't match. | +| `0x80248003` | `WU_E_DS_TABLEMISSING` | The data store is missing a table. | +| `0x80248004` | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. | +| `0x80248005` | `WU_E_DS_INVALIDTABLENAME` | A table couldn't be opened because the table isn't in the data store. | +| `0x80248006` | `WU_E_DS_BADVERSION` | The current and expected versions of the data store don't match. | +| `0x80248007` | `WU_E_DS_NODATA` | The information requested isn't in the data store. | +| `0x80248008` | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. | +| `0x80248009` | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +| `0x8024800A` | `WU_E_DS_UNKNOWNHANDLER` | The update wasn't processed because its update handler couldn't be recognized. | +| `0x8024800B` | `WU_E_DS_CANTDELETE` | The update wasn't deleted because it's still referenced by one or more services. | +| `0x8024800C` | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section couldn't be locked within the allotted time. | +| `0x8024800D` | `WU_E_DS_NOCATEGORIES` | The category wasn't added because it contains no parent categories and isn't a top-level category itself. | +| `0x8024800E` | `WU_E_DS_ROWEXISTS` | The row wasn't added because an existing row has the same primary key. | +| `0x8024800F` | `WU_E_DS_STOREFILELOCKED` | The data store couldn't be initialized because it was locked by another process. | +| `0x80248010` | `WU_E_DS_CANNOTREGISTER` | The data store isn't allowed to be registered with COM in the current process. | +| `0x80248011` | `WU_E_DS_UNABLETOSTART` | Couldn't create a data store object in another process. | +| `0x80248013` | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. | +| `0x80248014` | `WU_E_DS_UNKNOWNSERVICE` | An operation didn't complete because the service isn't in the data store. | +| `0x80248015` | `WU_E_DS_SERVICEEXPIRED` | An operation didn't complete because the registration of the service has expired. | +| `0x80248016` | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it's a mandatory update or because it was deployed with a deadline. | +| `0x80248017` | `WU_E_DS_TABLESESSIONMISMATCH` | A table wasn't closed because it isn't associated with the session. | +| `0x80248018` | `WU_E_DS_SESSIONLOCKMISMATCH` | A table wasn't closed because it isn't associated with the session. | +| `0x80248019` | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it's a built-in service and/or Automatic Updates can't fall back to another service. | +| `0x8024801A` | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation isn't allowed. | +| `0x8024801B` | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document don't match. | +| `0x8024801C` | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. | +| `0x8024801D` | `WU_E_DS_IMPERSONATED` | A data store operation didn't complete because it was requested with an impersonated identity. | +| `0x80248FFF` | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. | ## Driver Util errors -The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped. | Error code | Message | Description | |------------|-------------------------------|------------------------------------------------------------------------------------------------| -| 0x8024C001 | `WU_E_DRV_PRUNED` | A driver was skipped. | -| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver could not be found. It may not conform with required specifications. | -| 0x8024C003 | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver does not match the expected type. | -| 0x8024C004 | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. | -| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. | -| 0x8024C006 | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. | -| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. | -| 0x8024CFFF | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. | +| `0x8024C001` | `WU_E_DRV_PRUNED` | A driver was skipped. | +| `0x8024C002` | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver couldn't be found. It may not conform with required specifications. | +| `0x8024C003` | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver doesn't match the expected type. | +| `0x8024C004` | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. | +| `0x8024C005` | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. | +| `0x8024C006` | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. | +| `0x8024C007` | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. | +| `0x8024CFFF` | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. | ## Windows Update error codes | Error code | Message | Description | |------------|-----------------------------------|--------------------------------------------------------------| -| 0x80240001 | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service. -| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded. -| 0x80240003 | `WU_E_UNKNOWN_ID` | An ID cannot be found. -| 0x80240004 | `WU_E_NOT_INITIALIZED` | The object could not be initialized. -| 0x80240005 | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range. -| 0x80240006 | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1). -| 0x80240007 | `WU_E_INVALIDINDEX` | The index to a collection was invalid. -| 0x80240008 | `WU_E_ITEMNOTFOUND` | The key for the item queried could not be found. -| 0x80240009 | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously. -| 0x8024000A | `WU_E_COULDNOTCANCEL` | Cancellation of the operation was not allowed. -| 0x8024000B | `WU_E_CALL_CANCELLED` | Operation was canceled. -| 0x8024000C | `WU_E_NOOP` | No operation was required. -| 0x8024000D | `WU_E_XML_MISSINGDATA` | Windows Update Agent could not find required information in the update's XML data. -| 0x8024000E | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data. -| 0x8024000F | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata. -| 0x80240010 | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated. -| 0x80240011 | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected. -| 0x80240012 | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read. -| 0x80240013 | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list. -| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart. -| 0x80240017 | `WU_E_NOT_APPLICABLE` | Operation was not performed because there are no applicable updates. -| 0x80240018 | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing. -| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time. -| 0x8024001A | `WU_E_POLICY_NOT_SET` | A policy value was not set. -| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation could not be performed because the Windows Update Agent is self-updating. -| 0x8024001D | `WU_E_INVALID_UPDATE` | An update contains invalid metadata. -| 0x8024001E | `WU_E_SERVICE_STOP` | Operation did not complete because the service or system was being shut down. -| 0x8024001F | `WU_E_NO_CONNECTION` | Operation did not complete because the network connection was unavailable. -| 0x80240020 | `WU_E_NO_INTERACTIVE_USER` | Operation did not complete because there is no logged-on interactive user. -| 0x80240021 | `WU_E_TIME_OUT` | Operation did not complete because it timed out. -| 0x80240022 | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates. -| 0x80240023 | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined. -| 0x80240024 | `WU_E_NO_UPDATE` | There are no updates. -| 0x80240025 | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update. -| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid. -| 0x80240027 | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length. -| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED` | The update could not be uninstalled because the request did not originate from a WSUS server. -| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there is an unlicensed application on the system. -| 0x8024002A | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing. -| 0x8024002B | `WU_E_LEGACYSERVER` | An operation did not complete because it requires a newer version of server. -| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update could not be installed because it required the source. -| 0x8024002D | `WU_E_SOURCE_ABSENT` | A full-file update could not be installed because it required the source. -| 0x8024002E | `WU_E_WU_DISABLED` | Access to an unmanaged server is not allowed. -| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation did not complete because the DisableWindowsUpdateAccess policy was set. -| 0x80240030 | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid. -| 0x80240031 | `WU_E_INVALID_FILE` | The file is in the wrong format. -| 0x80240032 | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid. -| 0x80240033 | `WU_E_EULA_UNAVAILABLE` | License terms could not be downloaded. -| 0x80240034 | `WU_E_DOWNLOAD_FAILED` | Update failed to download. -| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED` | The update was not processed. -| 0x80240036 | `WU_E_INVALID_OPERATION` | The object's current state did not allow the operation. -| 0x80240037 | `WU_E_NOT_SUPPORTED` | The functionality for the operation is not supported. -| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type. -| 0x80240039 | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times. -| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method does not run on Server Core installation. -| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS` | Service is not available while sysprep is running. -| 0x80240042 | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`. -| 0x80240043 | `WU_E_NO_UI_SUPPORT` | There is no support for `WUA UI`. -| 0x80240FFF | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code. -| 0x80070422 | | Windows Update service stopped working or is not running. +| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service. +| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded. +| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found. +| `0x80240004` | `WU_E_NOT_INITIALIZED` | The object couldn't be initialized. +| `0x80240005` | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range. +| `0x80240006` | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1). +| `0x80240007` | `WU_E_INVALIDINDEX` | The index to a collection was invalid. +| `0x80240008` | `WU_E_ITEMNOTFOUND` | The key for the item queried couldn't be found. +| `0x80240009` | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation can't be performed twice simultaneously. +| `0x8024000A` | `WU_E_COULDNOTCANCEL` | Cancellation of the operation wasn't allowed. +| `0x8024000B` | `WU_E_CALL_CANCELLED` | Operation was canceled. +| `0x8024000C` | `WU_E_NOOP` | No operation was required. +| `0x8024000D` | `WU_E_XML_MISSINGDATA` | Windows Update Agent couldn't find required information in the update's XML data. +| `0x8024000E` | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data. +| `0x8024000F` | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata. +| `0x80240010` | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated. +| `0x80240011` | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected. +| `0x80240012` | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read. +| `0x80240013` | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list. +| `0x80240016` | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart. +| `0x80240017` | `WU_E_NOT_APPLICABLE` | Operation wasn't performed because there are no applicable updates. +| `0x80240018` | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing. +| `0x80240019` | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update can't be installed with other updates at the same time. +| `0x8024001A` | `WU_E_POLICY_NOT_SET` | A policy value wasn't set. +| `0x8024001B` | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation couldn't be performed because the Windows Update Agent is self-updating. +| `0x8024001D` | `WU_E_INVALID_UPDATE` | An update contains invalid metadata. +| `0x8024001E` | `WU_E_SERVICE_STOP` | Operation didn't complete because the service or system was being shut down. +| `0x8024001F` | `WU_E_NO_CONNECTION` | Operation didn't complete because the network connection was unavailable. +| `0x80240020` | `WU_E_NO_INTERACTIVE_USER` | Operation didn't complete because there's no logged-on interactive user. +| `0x80240021` | `WU_E_TIME_OUT` | Operation didn't complete because it timed out. +| `0x80240022` | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates. +| `0x80240023` | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined. +| `0x80240024` | `WU_E_NO_UPDATE` | There are no updates. +| `0x80240025` | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update. +| `0x80240026` | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid. +| `0x80240027` | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length. +| `0x80240028` | `WU_E_UNINSTALL_NOT_ALLOWED` | The update couldn't be uninstalled because the request didn't originate from a WSUS server. +| `0x80240029` | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there's an unlicensed application on the system. +| `0x8024002A` | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing. +| `0x8024002B` | `WU_E_LEGACYSERVER` | An operation didn't complete because it requires a newer version of server. +| `0x8024002C` | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update couldn't be installed because it required the source. +| `0x8024002D` | `WU_E_SOURCE_ABSENT` | A full-file update couldn't be installed because it required the source. +| `0x8024002E` | `WU_E_WU_DISABLED` | Access to an unmanaged server isn't allowed. +| `0x8024002F` | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation didn't complete because the DisableWindowsUpdateAccess policy was set. +| `0x80240030` | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid. +| `0x80240031` | `WU_E_INVALID_FILE` | The file is in the wrong format. +| `0x80240032` | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid. +| `0x80240033` | `WU_E_EULA_UNAVAILABLE` | License terms couldn't be downloaded. +| `0x80240034` | `WU_E_DOWNLOAD_FAILED` | Update failed to download. +| `0x80240035` | `WU_E_UPDATE_NOT_PROCESSED` | The update wasn't processed. +| `0x80240036` | `WU_E_INVALID_OPERATION` | The object's current state didn't allow the operation. +| `0x80240037` | `WU_E_NOT_SUPPORTED` | The functionality for the operation isn't supported. +| `0x80240038` | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type. +| `0x80240039` | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times. +| `0x80240040` | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method doesn't run on Server Core installation. +| `0x80240041` | `WU_E_SYSPREP_IN_PROGRESS` | Service isn't available while sysprep is running. +| `0x80240042` | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`. +| `0x80240043` | `WU_E_NO_UI_SUPPORT` | There's no support for `WUA UI`. +| `0x80240FFF` | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code. +| `0x80070422` | | Windows Update service stopped working or isn't running. ## Windows Update success codes | Error code | Message | Description | |------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------| -| 0x00240001 | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. | -| 0x00240002 | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. | -| 0x00240003 | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. | -| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. | -| 0x00240005 | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. | -| 0x00240006 | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. | -| 0x00240007 | `WU_S_ALREADY_UNINSTALLED` | The update to be removed is not installed on the system. | -| 0x00240008 | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. | +| `0x00240001` | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. | +| `0x00240002` | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. | +| `0x00240003` | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. | +| `0x00240004` | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. | +| `0x00240005` | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. | +| `0x00240006` | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. | +| `0x00240007` | `WU_S_ALREADY_UNINSTALLED` | The update to be removed isn't installed on the system. | +| `0x00240008` | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. | ## Windows Installer minor errors -The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. +The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer. | Error code | Message | Description | |------------|------------------------------|---------------------------------------------------------------------------------------------| -| 0x80241001 | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. | -| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer is not configured. | -| 0x80241003 | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. | -| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user. | -| 0x80241FFF | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. | +| `0x80241001` | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. | +| `0x80241002` | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer isn't configured. | +| `0x80241003` | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. | +| `0x80241004` | `WU_E_MSI_WRONG_APP_CONTEXT` | An update couldn't be applied because the application is installed per-user. | +| `0x80241FFF` | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. | ## Windows Update Agent update and setup errors | Error code | Message | Description | |------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------| -| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent could not be updated because an INF file contains invalid information. | -| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information. | -| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. | -| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent could not be updated because setup initialization never completed successfully. | -| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. | -| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. | -| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent could not be updated because `regsvr32.exe` returned an error. | -| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. | -| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported. | -| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent could not be updated because the system is configured to block the update. | -| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent could not be updated because a restart of the system is required. | -| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. | -| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. | -| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent could not be updated because the setup handler failed during execution. | -| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent could not be updated because the registry contains invalid information. | -| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent could not be updated because the server does not contain update information for this version. | -| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code. | +| `0x8024D001` | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent couldn't be updated because an INF file contains invalid information. | +| `0x8024D002` | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent couldn't be updated because the `wuident.cab` file contains invalid information. | +| `0x8024D003` | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent couldn't be updated because of an internal error that caused setup initialization to be performed twice. | +| `0x8024D004` | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent couldn't be updated because setup initialization never completed successfully. | +| `0x8024D005` | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent couldn't be updated because the versions specified in the INF don't match the actual source file versions. | +| `0x8024D006` | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent couldn't be updated because a WUA file on the target system is newer than the corresponding source file. | +| `0x8024D007` | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent couldn't be updated because `regsvr32.exe` returned an error. | +| `0x8024D009` | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. | +| `0x8024D00A` | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent couldn't be updated because the current system configuration isn't supported. | +| `0x8024D00B` | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent couldn't be updated because the system is configured to block the update. | +| `0x8024D00C` | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent couldn't be updated because a restart of the system is required. | +| `0x8024D00D` | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. | +| `0x8024D00E` | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. | +| `0x8024D00F` | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent couldn't be updated because the setup handler failed during execution. | +| `0x8024D010` | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent couldn't be updated because the registry contains invalid information. | +| `0x8024D013` | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent couldn't be updated because the server doesn't contain update information for this version. | +| `0x8024DFFF` | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent couldn't be updated because of an error not covered by another `WU_E_SETUP_*` error code. | diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md index 1d156ad5b7..3f3c8c7937 100644 --- a/windows/deployment/update/wufb-reports-configuration-manual.md +++ b/windows/deployment/update/wufb-reports-configuration-manual.md @@ -1,19 +1,22 @@ --- -title: Manually configuring devices for Windows Update for Business reports -manager: aaroncz -description: How to manually configure devices for Windows Update for Business reports +title: Manually configure devices to send data +titleSuffix: Windows Update for Business reports +description: How to manually configure devices for Windows Update for Business reports using a PowerShell script. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart +manager: aaroncz ms.localizationpriority: medium -ms.topic: article +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 11/15/2022 -ms.technology: itpro-updates --- # Manually configuring devices for Windows Update for Business reports -***(Applies to: Windows 11 & Windows 10)*** There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md index 69feacba6f..10af47e205 100644 --- a/windows/deployment/update/wufb-reports-configuration-script.md +++ b/windows/deployment/update/wufb-reports-configuration-script.md @@ -1,19 +1,22 @@ --- -title: Windows Update for Business reports configuration script -manager: aaroncz -description: Downloading and using the Windows Update for Business reports configuration script +title: Configure clients with a script +titleSuffix: Windows Update for Business reports +description: How to get and use the Windows Update for Business reports configuration script to configure devices for Windows Update for Business reports. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart +manager: aaroncz ms.localizationpriority: medium -ms.topic: article +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 07/11/2023 -ms.technology: itpro-updates --- # Configuring devices through the Windows Update for Business reports configuration script -***(Applies to: Windows 11 & Windows 10)*** The Windows Update for Business reports configuration script is the recommended method of configuring devices to send data to Microsoft for use with Windows Update for Business reports. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configure devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index ddb2f0861d..05cfa795ab 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -1,19 +1,22 @@ --- -title: Delivery Optimization data in Windows Update for Business reports -manager: aaroncz -description: Provides information about Delivery Optimization data in Windows Update for Business reports +title: Delivery Optimization data in reports +titleSuffix: Windows Update for Business reports +description: This article provides information about Delivery Optimization data in Windows Update for Business reports. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart -ms.topic: article +manager: aaroncz +ms.localizationpriority: medium +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 04/12/2023 -ms.technology: itpro-updates --- # Delivery Optimization data in Windows Update for Business reports - -***(Applies to: Windows 11 & Windows 10)*** [Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement. diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index c29c9dced3..27a5b5ad14 100644 --- a/windows/deployment/update/wufb-reports-enable.md +++ b/windows/deployment/update/wufb-reports-enable.md @@ -1,19 +1,21 @@ --- title: Enable Windows Update for Business reports -manager: aaroncz -description: How to enable Windows Update for Business reports through the Azure portal +titleSuffix: Windows Update for Business reports +description: How to enable the Windows Update for Business reports service through the Azure portal or the Microsoft 365 admin center. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 07/11/2023 -ms.technology: itpro-updates --- # Enable Windows Update for Business reports -***(Applies to: Windows 11 & Windows 10)*** - After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. The two main steps for setting up Windows Update for Business reports are: 1. [Add Windows Update for Business reports](#bkmk_add) to your Azure subscription. This step has the following phases: diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 98ba761d81..60f9460966 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -1,14 +1,15 @@ ### YamlMime:FAQ metadata: - title: Windows Update for Business reports - Frequently Asked Questions (FAQ) + title: Frequently Asked Questions (FAQ) + titleSuffix: Windows Update for Business reports description: Answers to frequently asked questions about Windows Update for Business reports. ms.prod: windows-client + ms.technology: itpro-updates ms.topic: faq - ms.date: 06/20/2023 manager: aaroncz author: mestew ms.author: mstewart - ms.technology: itpro-updates + ms.date: 06/20/2023 title: Frequently Asked Questions about Windows Update for Business reports summary: | This article answers frequently asked questions about Windows Update for Business reports. diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 90184b8f3e..49268fb5a7 100644 --- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -1,20 +1,21 @@ --- -title: Windows Update for Business reports feedback, support, and troubleshooting -manager: aaroncz -description: Windows Update for Business reports support information. +title: Feedback, support, and troubleshooting +titleSuffix: Windows Update for Business reports +description: Windows Update for Business reports support, feedback, and troubleshooting information. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: article author: mestew ms.author: mstewart -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 02/10/2023 -ms.technology: itpro-updates --- # Windows Update for Business reports feedback, support, and troubleshooting - -***(Applies to: Windows 11 & Windows 10)*** - There are several resources that you can use to find help with Windows Update for Business reports. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Windows Update for Business reports: - Send [product feedback about Windows Update for Business reports](#send-product-feedback) diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index 13c5e19777..a4321c74d6 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -1,19 +1,21 @@ --- title: Windows Update for Business reports overview -manager: aaroncz +titleSuffix: Windows Update for Business reports description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: overview author: mestew ms.author: mstewart -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 11/15/2022 -ms.technology: itpro-updates --- # Windows Update for Business reports overview -***(Applies to: Windows 11 & Windows 10)*** - Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you: - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index bdd9e61896..b418f74af8 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -1,19 +1,21 @@ --- -title: Windows Update for Business reports prerequisites -manager: aaroncz -description: Prerequisites for Windows Update for Business reports +title: Prerequisites for Windows Update for Business reports +titleSuffix: Windows Update for Business reports +description: List of prerequisites for enabling and using Windows Update for Business reports in your organization. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart -ms.topic: article -ms.date: 06/27/2023 -ms.technology: itpro-updates +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +ms.date: 08/30/2023 --- # Windows Update for Business reports prerequisites -***(Applies to: Windows 11 & Windows 10)*** - Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites. ## Azure and Azure Active Directory @@ -68,7 +70,7 @@ Device names don't appear in Windows Update for Business reports unless you indi Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). -## Data transmission requirements +## Endpoints [!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)] diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md index 364bed3d49..6cf7e6e2a8 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclient.md +++ b/windows/deployment/update/wufb-reports-schema-ucclient.md @@ -1,21 +1,25 @@ --- -title: Windows Update for Business reports Data Schema - UCClient -manager: aaroncz -description: UCClient schema +title: UCClient data schema +titleSuffix: Windows Update for Business reports +description: UCClient schema for Windows Update for Business reports. UCClient acts as an individual device's record. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 08/09/2023 -ms.technology: itpro-updates --- # UCClient -***(Applies to: Windows 11 & Windows 10)*** - UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative). +## Schema for UCClient + |Field |Type |Example |Description | |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md index de73ebfc5b..2e6bcaa89c 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md @@ -1,21 +1,26 @@ --- -title: Windows Update for Business reports Data Schema - UCClientReadinessStatus -manager: aaroncz -description: UCClientReadinessStatus schema +title: UCClientReadinessStatus data schema +titleSuffix: Windows Update for Business reports +description: UCClientReadinessStatus schema for Windows Update for Business reports. UCClientReadinessStatus is an individual device's record about Windows 11 readiness. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 06/06/2022 -ms.technology: itpro-updates --- # UCClientReadinessStatus -***(Applies to: Windows 10)*** UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet. +## Schema for UCClientReadinessStatus + |Field |Type |Example |Description | |---|---|---|---| | **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name | diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md index 1c71d9d355..1373eed6d6 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md @@ -1,21 +1,26 @@ --- -title: Windows Update for Business reports Data Schema - UCClientUpdateStatus -manager: aaroncz -description: UCClientUpdateStatus schema +title: UCClientUpdateStatus data schema +titleSuffix: Windows Update for Business reports +description: UCClientUpdateStatus schema for Windows Update for Business reports. UCClientUpdateStatus combines the latest client-based data with the latest service data. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 06/05/2023 -ms.technology: itpro-updates --- # UCClientUpdateStatus -***(Applies to: Windows 11 & Windows 10)*** Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. +## Schema for UCClientUpdateStatus + | Field | Type | Example | Description | |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. | diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md index e515e80e13..435324d2db 100644 --- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md +++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md @@ -1,21 +1,25 @@ --- -title: Windows Update for Business reports Data Schema - UCDeviceAlert -manager: aaroncz -description: UCDeviceAlert schema +title: UCDeviceAlert data schema +titleSuffix: Windows Update for Business reports +description: UCDeviceAlert schema for Windows Update for Business reports. UCDeviceAlert is an individual device's record about an alert. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 06/06/2022 -ms.technology: itpro-updates --- # UCDeviceAlert -***(Applies to: Windows 11 & Windows 10)*** - These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered. +## Schema for UCDeviceAlert + |Field |Type |Example |Description | |---|---|---|---| | **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational | diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md index 25c5d1ae59..a7012d9409 100644 --- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md @@ -1,22 +1,27 @@ --- -title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus -ms.reviewer: carmenf -manager: aaroncz -description: UCDOAggregatedStatus schema +title: UCDOAggregatedStatus data schema +titleSuffix: Windows Update for Business reports +description: UCDOAggregatedStatus schema for Windows Update for Business reports. UCDOAggregatedStatus is an aggregation of all UDDOStatus records across the tenant. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +ms.reviewer: carmenf +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 11/17/2022 -ms.technology: itpro-updates --- # UCDOAggregatedStatus -***(Applies to: Windows 11 & Windows 10)*** UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). +## Schema for UCDOAggregatedStatus + |Field |Type |Example |Description | |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md index 7897c27f1c..a76acc8512 100644 --- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md @@ -1,22 +1,25 @@ --- -title: Windows Update for Business reports Data Schema - UCDOStatus -ms.reviewer: carmenf -manager: aaroncz -description: UCDOStatus schema +title: UCDOStatus data schema +titleSuffix: Windows Update for Business reports +description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization. ms.prod: windows-client +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +ms.reviewer: carmenf +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 11/17/2022 -ms.technology: itpro-updates --- # UCDOStatus -***(Applies to: Windows 11 & Windows 10)*** - UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). +## Data schema for UCDOStatus + |Field |Type |Example |Description | |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md index 8e8e34ea82..52989b6baf 100644 --- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md @@ -1,21 +1,25 @@ --- -title: Windows Update for Business reports Data Schema - UCServiceUpdateStatus -manager: aaroncz -description: UCServiceUpdateStatus schema +title: UCServiceUpdateStatus data schema +titleSuffix: Windows Update for Business reports +description: UCServiceUpdateStatus schema for Windows Update for Business reports. UCServiceUpdateStatus has service-side information for one device and one update. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 06/06/2022 -ms.technology: itpro-updates --- # UCServiceUpdateStatus -***(Applies to: Windows 11 & Windows 10)*** - Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time. +## Schema for UCServiceUpdateStatus + | Field | Type | Example | Description | |---|---|---|---| | **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. | diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md index db70047ed0..c85d070cc9 100644 --- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md +++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md @@ -1,21 +1,25 @@ --- -title: Windows Update for Business reports Data Schema - UCUpdateAlert -manager: aaroncz -description: UCUpdateAlert schema +title: UCUpdateAlert data schema +titleSuffix: Windows Update for Business reports +description: UCUpdateAlert schema for Windows Update for Business reports. UCUpdateAlert is an alert for both client and service updates. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 06/06/2022 -ms.technology: itpro-updates --- # UCUpdateAlert -***(Applies to: Windows 11 & Windows 10)*** - Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses. +## Schema for UCUpdateAlert + |Field |Type |Example |Description | |---|---|---|---| | **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational | diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md index cbcae6c319..8a4fc45ecb 100644 --- a/windows/deployment/update/wufb-reports-schema.md +++ b/windows/deployment/update/wufb-reports-schema.md @@ -1,22 +1,24 @@ --- title: Windows Update for Business reports data schema -manager: aaroncz -description: An overview of Windows Update for Business reports data schema +titleSuffix: Windows Update for Business reports +description: An overview of Windows Update for Business reports data schema to power additional dashboards and data analysis tools. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: reference author: mestew ms.author: mstewart -ms.topic: reference +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 11/15/2022 -ms.technology: itpro-updates --- -# Windows Update for Business reports schema +# Windows Update for Business reports schema -***(Applies to: Windows 11 & Windows 10)*** - When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Windows Update for Business reports and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more. -## Schema +## Schemas for Windows Update for Business reports The following table summarizes the different tables that are part of the Windows Update for Business reports solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries). diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md index 6b58c8cffb..2b4f1b8b1a 100644 --- a/windows/deployment/update/wufb-reports-use.md +++ b/windows/deployment/update/wufb-reports-use.md @@ -1,19 +1,21 @@ --- title: Use the Windows Update for Business reports data -manager: aaroncz +titleSuffix: Windows Update for Business reports description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 11/15/2022 -ms.technology: itpro-updates --- # Use Windows Update for Business reports -***(Applies to: Windows 11 & Windows 10)*** - In this article, you'll learn how to use Windows Update for Business reports to monitor Windows updates for your devices. To configure your environment for use with Windows Update for Business reports, see [Enable Windows Update for Business reports](wufb-reports-enable.md). ## Display Windows Update for Business reports data diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index df61f9ca36..d024ceda0d 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -1,20 +1,21 @@ --- title: Use the workbook for Windows Update for Business reports -manager: aaroncz -description: How to use the Windows Update for Business reports workbook. +titleSuffix: Windows Update for Business reports +description: How to use the Windows Update for Business reports workbook from the Azure portal. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew ms.author: mstewart -ms.topic: article +manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.date: 06/23/2023 -ms.technology: itpro-updates --- # Windows Update for Business reports workbook -***(Applies to: Windows 11 & Windows 10)*** - - [Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections: - [Summary](#summary-tab) diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index c6bd179c95..295f638ff4 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -2,22 +2,20 @@ title: Use Windows Update for Business and Windows Server Update Services (WSUS) together description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy. ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual author: mestew -ms.localizationpriority: medium ms.author: mstewart manager: aaroncz -ms.topic: article -ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.localizationpriority: medium +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +ms.date: 01/13/2022 --- # Use Windows Update for Business and WSUS together -**Applies to** - -- Windows 10 -- Windows 11 - > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service. @@ -70,13 +68,10 @@ The policy can be configured using the following two methods: 2. Configuration Service Provider (CSP) Policies: **SetPolicyDrivenUpdateSourceFor<Update Type>**: > [!NOTE] -> You should configure **all** of these policies if you are using CSPs. +> - You should configure **all** of these policies if you are using CSPs. +> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. - [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver) - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature) - [Update/SetPolicyDrivenUpdateSourceForOtherUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforother) - [Update/SetPolicyDrivenUpdateSourceForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforquality) - - -> [!NOTE] -> Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be alterred. diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index d36ddbbc92..98f95d0597 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -69,7 +69,7 @@ As the authorized administrator, it is your responsibility to protect the privac - **Maintain security of the file server and the deployment server** - We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657). + We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://www.microsoft.com/download/details.aspx?id=53353). - **Password Migration** diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 2ee3c1c6fc..c95df27c15 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -123,6 +123,8 @@ href: references/windows-autopatch-windows-update-unsupported-policies.md - name: Microsoft 365 Apps for enterprise update policies href: references/windows-autopatch-microsoft-365-policies.md + - name: Conflicting configurations + href: references/windows-autopatch-conflicting-configurations.md - name: Changes made at tenant enrollment href: references/windows-autopatch-changes-to-tenant.md - name: Driver and firmware updates public preview addendum diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 1a0e660f16..5ac998067b 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -1,7 +1,7 @@ --- title: Roles and responsibilities description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do -ms.date: 08/08/2023 +ms.date: 08/31/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -30,6 +30,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: | | Review the [FAQ](../overview/windows-autopatch-faq.yml) | :heavy_check_mark: | :x: | | [Review the service data platform and privacy compliance details](../overview/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | +| Consult the [Deployment guide](../overview/windows-autopatch-deployment-guide.md) | :heavy_check_mark: | :x: | | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | @@ -38,6 +39,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Manage and respond to tenant enrollment support requests](../prepare/windows-autopatch-enrollment-support-request.md) | :x: | :heavy_check_mark: | | Identify stakeholders for deployment communications | :heavy_check_mark: | :x: | +For more information and assistance with preparing for your Windows Autopatch deployment journey, see [Need additional guidance](../overview/windows-autopatch-deployment-guide.md#need-additional-guidance). + ## Deploy | Task | Your responsibility | Windows Autopatch | @@ -46,13 +49,13 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: | | Educate users on the Windows Autopatch end user update experience
    • [Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)
    • [Windows feature update end user experience](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md)
    • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
    • [Microsoft Edge end user experience](../operate/windows-autopatch-edge.md)
    • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
    | :heavy_check_mark: | :x: | | Review network optimization
    • [Prepare your network](../prepare/windows-autopatch-configure-network.md)
    • [Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization) | :heavy_check_mark: | :x: | -| Review existing configurations
      • Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
      | :heavy_check_mark: | :x: | +| Review existing configurations
      • Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
      • Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)
      | :heavy_check_mark: | :x: | | Confirm your update service needs and configure your workloads
      • [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases)
      • [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)
      • [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)
      • [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md)
      • Decide your [Windows feature update versions(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
      | :heavy_check_mark: | :x: | | [Consider your Autopatch groups distribution](../deploy/windows-autopatch-groups-overview.md)
      • [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)
      • [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
      | :heavy_check_mark: | :x: | | [Register devices](../deploy/windows-autopatch-register-devices.md)
      • [Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)
      • [Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: | | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | | Automatically assign devices to deployment rings at device registration
        • [Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)
        • [Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
        | :x: | :heavy_check_mark: | -| Remediate registration issues
        • [For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)
        • [For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)
        | :heavy_check_mark: | :x: | +| Remediate registration issues
        • [For devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)
        • [For devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade)
        • [For devices with conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)
        | :heavy_check_mark: | :x: | | Populate the Test and Last deployment ring membership
        • [Default Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)
        • [Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)
        | :heavy_check_mark: | :x: | | [Manually override device assignments to deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: | | Review device conflict scenarios
        • [Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)
        • [Device conflict across different Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-across-different-autopatch-groups)
        | :heavy_check_mark: | :x: | @@ -83,11 +86,11 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :x: | :heavy_check_mark: | | [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: | | Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: | -| Maintain existing configurations
        • Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
        | :heavy_check_mark: | :x: | -| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are
        • [Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)
        • [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)
        • have [Device alerts](../operate/windows-autopatch-device-alerts.md)
        +| Maintain existing configurations
        • Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies
        • Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)
        | :heavy_check_mark: | :x: | +| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are
        • [Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)
        • [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)
        • have [Device alerts](../operate/windows-autopatch-device-alerts.md)
        • have [conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)
        | [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | | [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: | -| [Register a device that was previously excluded (upon customers request)](../operate/windows-autopatch-exclude-device.md) | :x: | :heavy_check_mark: | +| [Register a device that was previously excluded](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: | | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | | [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: | | [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md new file mode 100644 index 0000000000..865f6c15c9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md @@ -0,0 +1,153 @@ +--- +title: Conflicting configurations +description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service. +ms.date: 09/05/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +ms.collection: + - highpri + - tier1 +--- + +# Conflicting configurations (public preview) + +> [!IMPORTANT] +> This feature is in **public preview**. The feature is being actively developed and might not be complete. + +During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state. + +Windows Autopatch monitors conflicting configurations. You’re notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it’s possible that other services write back the registry keys. It’s recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates. + +The most common sources of conflicting configurations include: + +- Active Directory Group Policy (GPO) +- Configuration Manager Device client settings +- Windows Update for Business (WUfB) policies +- Manual registry updates +- Local Group Policy settings applied during imaging (LGPO) + +## Registry keys inspected by Autopatch + +```cmd +Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations Value=Any +Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess Value=Any +Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer String=Any +Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer Value=Any +Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Value=Any +``` + +## Resolving conflicts + +Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients. + +> [!IMPORTANT] +> **It’s recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren’t managed by Windows Autopatch, be sure to target accordingly. + +### Intune Remediation + +Navigate to Intune Remediations and create a remediation using the following examples. It’s recommended to create a single remediation per value to understand if the value persists after removal. + +If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations). + +#### Detect + +```powershell +if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') { + Exit 1 +} else { + exit 0 +} +``` + +| Alert details | Description | +| ----- | ----- | +| Path | `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` | +| Value | `DoNotConnectToWindowsUpdateInternetLocations` | + +#### Remediate + +```powershell +if((Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate).PSObject.Properties.Name -contains 'DoNotConnectToWindowsUpdateInternetLocations') { + Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations" +} +``` + +| Alert details | Description | +| ----- | ----- | +| Path | `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` | +| Value | `DoNotConnectToWindowsUpdateInternetLocations` | + +### PowerShell + +Copy and paste the following PowerShell script into PowerShell or a PowerShell editor, and save it with a `.ps1` extension. For more information, see [Remove-ItemProperty (Microsoft.PowerShell.Management)](/powershell/module/microsoft.powershell.management/remove-itemproperty). + +```powershell +Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations" +Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DisableWindowsUpdateAccess" +Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUServer" +Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" +Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" +``` + +### Batch file + +Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting; Management Services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN). + +```cmd +@echo off +echo Deleting registry keys... +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /f +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /f +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /f +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f +echo Registry keys deleted. +Pause +``` + +### Registry file + +Copy the following code to a Notepad file, save as a `.reg` extension, and execute against affected devices. This removes registry keys that affect the Windows Autopatch service. For more information, see [How to add, modify, or delete registry subkeys and values by using a .reg file](https://support.microsoft.com/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23). + +```cmd +Windows Registry Editor Version 5.00 +[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] +"DoNotConnectToWindowsUpdateInternetLocations"=- +"DisableWindowsUpdateAccess"=- +"WUServer"=- +[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=- +"NoAutoUpdate"=- +``` + +## Common sources of conflicting configurations + +The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn’t an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly. + +### Group Policy management + +Group Policy management is the most popular client configuration tool in most organizations. For this reason, it’s most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy. + +1. Launch an Elevated Command Prompt and enter `RSOP`. +1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** +1. If a Policy **doesn’t exist** in Windows Update, then it appears to not be Group Policy. +1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert. +1. If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager. + +### Configuration Manager + +Configuration Manager is a common enterprise management tool that, among many things, can help manage Windows Updates. For this reason, we see many environments misconfigured when moving to either a 100% cloud or co-managed workloads even when the workloads are configured correctly. The client settings are often missed. For more information, see [About client settings and software updates](/mem/configmgr/core/clients/deploy/about-client-settings#software-updates). + +1. Go the **Microsoft Endpoint Configuration Manager Console**. +1. Navigate to **Administration** > **Overview** > **Client Settings**. +1. Ensure **Software Updates** isn’t configured. If configured, it’s recommended to remove these settings to prevent conflicts with Windows Autopatch. + +## Third-party solutions + +Third-party solutions can include any other product that may write configurations for the devices in question, such as MDMs (Mobile Device Managers) or Policy Managers. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index a439a1529c..15e3e60775 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 08/23/2023 +ms.date: 09/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -21,6 +21,12 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## September 2023 + +| Article | Description | +| ----- | ----- | +| [Conflicting configurations](../references/windows-autopatch-conflicting-configurations.md) | New feature. This article explains how to remediate conflicting configurations
        • [MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter)
        | + ## August 2023 ### August feature releases or updates @@ -34,6 +40,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Exclude a device](../operate/windows-autopatch-exclude-device.md) | Renamed Deregister a device to [Exclude a device](../operate/windows-autopatch-exclude-device.md). Added the [Restore device](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) feature
        • [MC667662](https://admin.microsoft.com/adminportal/home#/MessageCenter)
        | | [Device alerts](../operate/windows-autopatch-device-alerts.md) | Added `'InstallSetupBlock'` to the [Alert resolutions section](../operate/windows-autopatch-device-alerts.md#alert-resolutions) | +## August service releases + +| Message center post number | Description | +| ----- | ----- | +| [MC671811](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch Service Improvements | + ## July 2023 ### July feature releases or updates diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 4d3e1900ea..b341fb250c 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -70,7 +70,7 @@ productDirectory: - url: /windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines text: Windows security baselines - url: /windows/security/identity-protection/credential-guard/credential-guard-how-it-works - text: Windows Defender Credential Guard + text: Credential Guard - url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust text: Windows Hello for Business cloud Kerberos trust - url: /windows/security/threat-protection/windows-defender-application-control diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 01ea346024..b7c4487f1c 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -70,61 +70,17 @@ For more info, see [Configure Windows diagnostic data in your organization](conf Customers who use services that depend on Windows diagnostic data, such as [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data), may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly. -## Significant changes coming to the Windows diagnostic data processor configuration - -Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. - -To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. - -***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** - -We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. - -### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. - -From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). - -### Devices in Azure AD tenants with a billing address outside of the EU and EFTA - -For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: - -- [Update Compliance](/windows/deployment/update/update-compliance-monitor) -- [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) -- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) -- [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview) - -*(Additional licensing requirements may apply to use these services.)* - -If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. +## Significant change to the Windows diagnostic data processor configuration > [!NOTE] -> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. +> The information in this section applies to the following versions of Windows: +> - Windows 10, versions 20H2, 21H2, 22H2, and newer +> - Windows 11, versions 21H2, 22H2, and newer -### Rollout plan for this change +Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration. -This change will rollout in phases, starting with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. +Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined. -During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: +We made this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way and in the same geographic region, and to help us implement our plan to [store and process EU Data for European enterprise customers in the EU](/privacy/eudb/eu-data-boundary-learn). -- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. -- The processor configuration will be disabled in any devices that were previously enabled. -- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. - -For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. - -For other Windows devices (not in the Dev Channel), the change will rollout with the January 2023 release preview cumulative update for Windows 10 versions 20H2, 21H2 and 22H2, and Windows 11 versions 21H2 and 22H2. - -To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD (can be a hybrid Azure AD join), and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. - -As part of this change, the following policies will no longer be supported to configure the processor option: - - Allow commercial data pipeline - - Allow Desktop Analytics Processing - - Allow Update Compliance Processing - - Allow WUfB Cloud Processing - - Allow Microsoft Managed Desktop Processing - - Configure the Commercial ID +For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). \ No newline at end of file diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 17cd1c6c1d..720b1ad0d9 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -321,10 +321,12 @@ For the best experience, use the most current build of any operating system spec The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: - us-v10c.events.data.microsoft.com (eu-v10c.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) -- umwatsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) +- watsonc.events.data.microsoft.com (eu-watsonc.events.data.microsoft.com for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations)) - settings-win.data.microsoft.com - *.blob.core.windows.net +Tenants with billing addresses in countries or regions in the Middle East and Africa, as well as European countries or regions not in the EU, also use the eu-v10c.events.data.microsoft.com and eu-watsonc.events.data.microsoft.com endpoints. Their diagnostic data is processed initially in Europe, but those tenants aren't considered part of the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). + >[!Note] > - Windows diagnostic data collected from a device before it was enabled with Windows diagnostic data processor configuration will be deleted when this configuration is enabled. > - When you enable devices with the Windows diagnostic data processor configuration, users may continue to submit feedback through various channels such as Windows feedback hub or Edge feedback. However, the feedback data is not subject to the terms of the Windows diagnostic data processor configuration. If this is not desired, we recommend that you disable feedback using the available policies or application management solutions. @@ -342,20 +344,16 @@ Starting with the January 2023 preview cumulative update, how you enable the pro For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. -> [!NOTE] -> The Windows diagnostic data processor configuration has components for which work is in progress to be included in the EU Data Boundary, but completion of this work is delayed beyond January 1, 2023. These components will be included in the EU Data Boundary in the coming months. In the meantime, Microsoft will temporarily transfer data out of the EU Data Boundary as part of service operations to ensure uninterrupted operation of the services customers signed up for. - From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). #### Devices in Azure AD tenants with a billing address outside of the EU and EFTA For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: -- [Update Compliance](/windows/deployment/update/update-compliance-monitor) - [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) - [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) -- [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview) +- [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) +- [Windows updates reports (in Microsoft Intune)](/mem/intune/protect/data-enable-windows-data#windows-data) *(Additional licensing requirements may apply to use these services.)* diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index bf79b242af..71d3061064 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -99,9 +99,9 @@ Windows deployment can be configured using several different methods that provid If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions). -Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies. +Alternatively, your administrators can also choose to use Windows Autopilot. Windows Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Windows Autopilot profile and policies. -You can use the following articles to learn more about Autopilot and how to use Autopilot to deploy Windows: +You can use the following articles to learn more about Windows Autopilot and how to use Windows Autopilot to deploy Windows: - [Overview of Windows Autopilot](/windows/deployment/windows-Autopilot/windows-Autopilot) - [Windows Autopilot deployment process](/windows/deployment/windows-Autopilot/deployment-process) @@ -145,15 +145,12 @@ An administrator can disable a user’s ability to delete their device’s diagn #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ -> [!IMPORTANT] -> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). - **Applies to:** - Windows 11 Enterprise, Professional, and Education editions - Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. @@ -165,8 +162,6 @@ We recommend that IT administrators who have enabled the Windows diagnostic data >[!Note] >Tenant account closure will lead to the deletion of all data associated with that tenant. -Specific services that depend on Windows diagnostic data will also result in the enterprise becoming controllers of their Windows diagnostic data. These services include Update Compliance, Windows Update for Business reports, Windows Update for Business, and Microsoft Managed Desktop. For more information, see [Related Windows product considerations](#5-related-windows-product-considerations). - For more information on how Microsoft can help you honor rights and fulfill obligations under the GDPR when using Windows diagnostic data processor configurations, see [General Data Protection Regulation Summary](/compliance/regulatory/gdpr). ## 3. The process for exercising data subject rights @@ -230,18 +225,17 @@ An administrator can configure privacy-related settings, such as choosing to onl >[!Note] >The Windows diagnostic data processor configuration is not available for Surface Hub. -### 5.3 Microsoft Managed Desktop +### 5.3 Windows Update for Business reports -[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows Enterprise edition, Office 365 ProPlus, and Microsoft security services. +[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting. -### 5.4 Update Compliance +### 5.4 Windows Autopatch -[Update Compliance](/windows/deployment/update/update-compliance-monitor) is a service that enables organizations to monitor security, quality and feature updates for Windows Professional, Education, and Enterprise editions, and view a report of device and update issues related to compliance that need attention. Update Compliance uses Windows diagnostic data for all its reporting. +[Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Windows Autopatch reports use Windows diagnostic data for their reporting. -### 5.5 Windows Update for Business reports - -[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all its reporting. +### 5.5 Windows updates reports (in Microsoft Intune) +Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Windows Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting. ## Additional Resources diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 0d956ceadf..4a3fe25421 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -31,11 +31,11 @@ Rule enforcement is applied only to a collection of rules, not to individual rul ## Step 3: Update the policy -You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the -Microsoft Desktop Optimization Pack. +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) feature from the Microsoft Desktop Optimization Pack. + +> [!CAUTION] +> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. ->**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. - For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 2afb56de2f..c6f4be0bc8 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -67,7 +67,7 @@ Collecting these events in a central location can help you maintain your AppLock As new apps are deployed or existing apps are updated by the software publisher, you'll need to make revisions to your rule collections to ensure that the policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013). +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more information, see [Advanced Group Policy Management Overview](/microsoft-desktop-optimization-pack/agpm/). > [!IMPORTANT] > You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md index 1909066094..c7086b6b5e 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune.md @@ -2,7 +2,7 @@ title: Deploy WDAC policies using Mobile Device Management (MDM) description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. ms.localizationpriority: medium -ms.date: 01/23/2023 +ms.date: 08/30/2023 ms.topic: how-to --- @@ -28,10 +28,10 @@ Intune's built-in Windows Defender Application Control support allows you to con - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) > [!NOTE] -> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic. +> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to create and deploy multiple-policy format files. Or, you can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic. > [!NOTE] -> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies without a restart. +> Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP always requests a device restart when it applies WDAC policies. Use the [improved Intune WDAC experience](/mem/intune/protect/endpoint-security-app-control-policy), currently in public preview, to deploy your own WDAC policies without a restart. Or, you can use Intune's custom OMA-URI feature with the ApplicationControl CSP. To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windows 10 (and later)](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json). @@ -46,6 +46,9 @@ You should now have one or more WDAC policies converted into binary form. If not Beginning with Windows 10 1903, custom OMA-URI policy deployment can use the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. +> [!NOTE] +> You must convert your custom policy XML to binary form before deploying with OMA-URI. + The steps to use Intune's custom OMA-URI functionality are: 1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). @@ -53,10 +56,9 @@ The steps to use Intune's custom OMA-URI functionality are: 2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy` - **Data type**: Base64 (file) - - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. + - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune converts the uploaded .bin file to Base64 on your behalf. - > [!div class="mx-imgBorder"] - > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png) + :::image type="content" alt-text="Configure custom WDAC." source="../images/wdac-intune-custom-oma-uri.png" lightbox="../images/wdac-intune-custom-oma-uri.png"::: > [!NOTE] > For the _Policy GUID_ value, do not include the curly brackets. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md index d38b2eff55..398a529b8e 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md @@ -81,7 +81,7 @@ To check that the policy was successfully applied on your computer: ```xml - 10.0.25880.0 + 10.0.25930.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} @@ -516,18 +516,6 @@ To check that the policy was successfully applied on your computer: - - - - - - - - - - - - @@ -550,6 +538,18 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + @@ -642,6 +642,18 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + @@ -761,6 +773,14 @@ To check that the policy was successfully applied on your computer: + + + + + + + + @@ -1097,6 +1117,18 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + @@ -1155,11 +1187,13 @@ To check that the policy was successfully applied on your computer: + + @@ -1172,12 +1206,14 @@ To check that the policy was successfully applied on your computer: - + + + @@ -1188,6 +1224,7 @@ To check that the policy was successfully applied on your computer: + @@ -1196,7 +1233,7 @@ To check that the policy was successfully applied on your computer: - + @@ -1225,6 +1262,8 @@ To check that the policy was successfully applied on your computer: + + @@ -1244,12 +1283,15 @@ To check that the policy was successfully applied on your computer: + + + @@ -1374,6 +1416,8 @@ To check that the policy was successfully applied on your computer: + + @@ -1389,11 +1433,13 @@ To check that the policy was successfully applied on your computer: + + @@ -1412,6 +1458,7 @@ To check that the policy was successfully applied on your computer: + @@ -1425,6 +1472,7 @@ To check that the policy was successfully applied on your computer: + @@ -1492,6 +1540,7 @@ To check that the policy was successfully applied on your computer: + @@ -1773,12 +1822,14 @@ To check that the policy was successfully applied on your computer: + + @@ -1787,6 +1838,7 @@ To check that the policy was successfully applied on your computer: + @@ -1910,6 +1962,48 @@ To check that the policy was successfully applied on your computer: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2012,6 +2106,8 @@ To check that the policy was successfully applied on your computer: + + @@ -2033,9 +2129,12 @@ To check that the policy was successfully applied on your computer: + + + @@ -2071,6 +2170,10 @@ To check that the policy was successfully applied on your computer: + + + + @@ -2079,6 +2182,7 @@ To check that the policy was successfully applied on your computer: + @@ -2093,6 +2197,8 @@ To check that the policy was successfully applied on your computer: + + @@ -2106,6 +2212,7 @@ To check that the policy was successfully applied on your computer: + @@ -2147,1055 +2254,1087 @@ To check that the policy was successfully applied on your computer: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3218,7 +3357,7 @@ To check that the policy was successfully applied on your computer: - 10.0.25880.0 + 10.0.25930.0 diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md index 53788ab824..170525c906 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/citool-commands.md @@ -3,6 +3,8 @@ title: Managing CI Policies and Tokens with CiTool description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool ms.topic: how-to ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 --- # CiTool technical reference diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index 42fb2e18d7..22e5196913 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md @@ -6,7 +6,7 @@ ms.collection: - highpri - tier3 - must-keep -ms.date: 04/06/2023 +ms.date: 08/30/2023 ms.topic: article --- @@ -33,9 +33,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat ## WDAC and Smart App Control -Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). +Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](design/create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). -Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. +Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. | Value | Description | |-------|-------------| @@ -48,7 +48,7 @@ Smart App Control is only available on clean installation of Windows 11 version ### Smart App Control Enforced Blocks -Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: +Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control: - Infdefaultinstall.exe - Microsoft.Build.dll diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md index 93ffec5801..5b544490b0 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md @@ -46,15 +46,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

        Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
        - Disable the clipboard functionality completely when Virtualization Security is enabled.
        - Enable copying of certain content from Application Guard into Microsoft Edge.
        - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

        **Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

        Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
        - Enable Application Guard to print into the XPS format.
        - Enable Application Guard to print into the PDF format.
        - Enable Application Guard to print to locally attached printers.
        - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

        **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

        Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

        **Disabled or not configured.** All user data within Application Guard is reset between sessions.

        **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

        **To reset the container:**
        1. Open a command-line program and navigate to `Windows/System32`.
        2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

        Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
        - Enable Microsoft Defender Application Guard only for Microsoft Edge
        - Enable Microsoft Defender Application Guard only for Microsoft Office
        - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

        **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

        **Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

        Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

        **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

        Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

        **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

        Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

        **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher

        Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

        **Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| -|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

        Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

        **Disabled or not configured.** Event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
        - Disable the clipboard functionality completely when Virtualization Security is enabled.
        - Enable copying of certain content from Application Guard into Microsoft Edge.
        - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

        **Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
        - Enable Application Guard to print into the XPS format.
        - Enable Application Guard to print into the PDF format.
        - Enable Application Guard to print to locally attached printers.
        - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

        **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

        **Disabled or not configured.** All user data within Application Guard is reset between sessions.

        **NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

        **To reset the container:**
        1. Open a command-line program and navigate to `Windows/System32`.
        2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
        3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
        - Enable Microsoft Defender Application Guard only for Microsoft Edge
        - Enable Microsoft Defender Application Guard only for Microsoft Office
        - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

        **Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

        **Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| +|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise or Pro or Education|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

        **Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

        **Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

        **Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

        **Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher

        Windows 10 Education, 1809 or higher

        Windows 11 Enterprise and Education|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

        **Disabled or not configured.** Event logs aren't collected from your Application Guard container.| ## Application Guard support dialog settings These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box. diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md index eeac8ba0d1..ac710efb7a 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md @@ -27,7 +27,8 @@ Standalone mode is applicable for: - Windows 10 Enterprise edition, version 1709 and later - Windows 10 Pro edition, version 1803 and later -- Windows 11 and later +- Windows 10 Education edition, version 1809 and later +- Windows 11 Enterprise, Education, or Pro editions ## Enterprise-managed mode @@ -36,7 +37,8 @@ You and your security department can define your corporate boundaries by explici Enterprise-managed mode is applicable for: - Windows 10 Enterprise edition, version 1709 and later -- Windows 11 and later +- Windows 10 Education edition, version 1809 and later +- Windows 11 Enterprise or Education editions The following diagram shows the flow between the host PC and the isolated container. diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md index 190662392c..e27e886eea 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -34,6 +34,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or later
        Windows 10 Professional edition, version 1809 or later
        Windows 10 Professional for Workstations edition, version 1809 or later
        Windows 10 Professional Education edition, version 1809 or later
        Windows 10 Education edition, version 1809 or later
        Windows 11 Education, Enterprise, and Professional editions | +| Operating system | Windows 10 Enterprise or Education editions, version 1809 or later
        Windows 10 Professional edition, version 1809 or later (only [standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported)
        Windows 11 Education or Enterprise editions
        Windows 11 Professional edition (only [Standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported) | | Browser | Microsoft Edge | | Management system
        (only for managed devices)| [Microsoft Intune](/intune/)

        **OR**

        [Microsoft Configuration Manager](/configmgr/)

        **OR**

        [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

        **OR**

        Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index 89a10d9e0f..17cc685415 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md @@ -268,24 +268,24 @@ Value | Description #### SecurityServicesConfigured -This field indicates whether Windows Defender Credential Guard or memory integrity has been configured. +This field indicates whether Credential Guard or memory integrity has been configured. Value | Description -|- **0.** | No services are configured. -**1.** | If present, Windows Defender Credential Guard is configured. +**1.** | If present, Credential Guard is configured. **2.** | If present, memory integrity is configured. **3.** | If present, System Guard Secure Launch is configured. **4.** | If present, SMM Firmware Measurement is configured. #### SecurityServicesRunning -This field indicates whether Windows Defender Credential Guard or memory integrity is running. +This field indicates whether Credential Guard or memory integrity is running. Value | Description -|- **0.** | No services running. -**1.** | If present, Windows Defender Credential Guard is running. +**1.** | If present, Credential Guard is running. **2.** | If present, memory integrity is running. **3.** | If present, System Guard Secure Launch is running. **4.** | If present, SMM Firmware Measurement is running. diff --git a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md index 15c8a64f62..35ef8a1826 100644 --- a/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md @@ -61,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic ![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png) > [!NOTE] -> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). +> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/index.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). > [!NOTE] > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 32967fd8b7..5a6e9fd2c9 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -1,64 +1,93 @@ --- -ms.date: 08/17/2017 +ms.date: 08/31/2023 title: Additional mitigations -description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard. -ms.topic: article +description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code. +ms.topic: reference --- # Additional mitigations -Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. +Credential Guard offers mitigations against attacks on derived credentials, preventing the use of stolen credentials elsewhere. However, devices can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using stolen credentials prior to the enablement of Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. -## Restricting domain users to specific domain-joined devices +## Additional security qualifications -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. +All devices that meet baseline protections for hardware, firmware, and software can use Credential Guard.\ +Devices that meet more qualifications can provide added protections to further reduce the attack surface. + +The following table list qualifications for improved security. We recommend meeting the additional qualifications to strengthen the level of security that Credential Guard can provide. + +|Protection |Requirements|Security Benefits| +|---|---|---| +|**Secure Boot configuration and management**|- BIOS password or stronger authentication must be supported
        - In the BIOS configuration, BIOS authentication must be set
        - There must be support for protected BIOS option to configure list of permitted boot devices (for example, *Boot only from internal hard drive*) and boot device order, overriding `BOOTORDER` modification made by the operating system | - Prevent other operating systems from starting
        -Prevent changes to the BIOS settings| +|**Hardware Rooted Trust Platform Secure Boot**|- Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby
        - Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification)|- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
        - HSTI provides security assurance for correctly secured silicon and platform| +|**Firmware Update through Windows Update**|- Firmware must support field updates through Windows Update and UEFI encapsulation update|Helps ensure that firmware updates are fast, secure, and reliable.| +|**Securing Boot Configuration and Management**|- Required BIOS capabilities: ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time
        - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software|- Enterprises can choose to allow proprietary EFI drivers/applications to run
        - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots| +|**VBS enablement of No-Execute (NX) protection for UEFI runtime services**|- VBS enables NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet the following requirements:
          - Implement UEFI 2.6 `EFI_MEMORY_ATTRIBUTES_TABLE`. All UEFI runtime service memory (code and data) must be described by this table
          - PE sections must be page-aligned in memory (not required for in non-volatile storage).
          - The Memory Attributes Table needs to correctly mark code and data as `RO/NX` for configuration by the OS
          - All entries must include attributes `EFI_MEMORY_RO`, `EFI_MEMORY_XP`, or both.
          - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable
        (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|- Vulnerabilities in UEFI runtime, if any, are blocked from compromising VBS (such as in functions like *UpdateCapsule* and *SetVariable*)
        - Reduces the attack surface to VBS from system firmware.| +|**Firmware support for SMM protection**|- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
        - Reduces the attack surface to VBS from system firmware
        - Blocks additional security attacks against SMM| + +> [!IMPORTANT] +> +> Regarding **VBS enablement of NX protection for UEFI runtime services**: +> +> - It only applies to UEFI runtime service memory, and not UEFI boot service memory +> - The protection is applied by VBS on OS page tables +> - Don't use sections that are both writable and executable +> - Don't attempt to directly modify executable system memory +> - Don't use dynamic code + +## Restrict domain users to specific domain-joined devices + +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. ### Kerberos armoring -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. + +To enable Kerberos armoring for restricting domain users to specific domain-joined devices: -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - Users need to be in domains that are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. -### Protecting domain-joined device secrets +### Protect domain-joined device secrets -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. Domain-joined device certificate authentication has the following requirements: + - Devices' accounts are in Windows Server 2012 domain functional level or higher. - All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension - Windows devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -#### Deploying domain-joined device certificates +#### Deploy domain-joined device certificates To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. -**Creating a new certificate template** +**Create a new certificate template** -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: +1. From the Certificate Manager console, right-click **Certificate Templates > Manage** +1. Right-click **Workstation Authentication > Duplicate Template** +1. Right-click the new template, and then select **Properties** +1. On the **Extensions** tab, select **Application Policies > Edit** +1. Select **Client Authentication**, and then select **Remove** +1. Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values: - Name: Kerberos Client Auth - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. +1. On the **Extensions** tab, select **Issuance Policies > Edit** +1. Under **Issuance Policies**, select **High Assurance** +1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box -Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created. +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. -**Enrolling devices in a certificate** +**Enroll devices in a certificate** Run the following command: + ```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -88,7 +117,7 @@ From a Windows PowerShell command prompt, run the following command: .\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName:"" -groupOU:"" -groupName:"" ``` -### Restricting user sign-on +### Restrict user sign-on So we now have completed the following: @@ -101,25 +130,25 @@ Authentication policies have the following requirements: **Creating an authentication policy restricting users to the specific universal security group** -1. Open Active Directory Administrative Center. -1. Click **Authentication**, click **New**, and then click **Authentication Policy**. -1. In the **Display name** box, enter a name for this authentication policy. -1. Under the **Accounts** heading, click **Add**. -1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**. -1. Under the **User Sign On** heading, click the **Edit** button. -1. Click **Add a condition**. -1. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -1. Click **OK** to close the **Edit Access Control Conditions** box. -1. Click **OK** to create the authentication policy. -1. Close Active Directory Administrative Center. +1. Open Active Directory Administrative Center +1. Select **Authentication > New > Authentication Policy** +1. In the **Display name** box, enter a name for this authentication policy +1. Under the **Accounts** heading, select **Add** +1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then select **OK** +1. Under the **User Sign On** heading, select the **Edit** button +1. Select **Add a condition** +1. In the **Edit Access Control Conditions** box, ensure that it reads **User > Group > Member of each > Value**, and then select **Add items** +1. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then select **OK** +1. Select **OK** to close the **Edit Access Control Conditions** box +1. Select **OK** to create the authentication policy +1. Select Active Directory Administrative Center > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. -#### Discovering authentication failures due to authentication policies +#### Discover authentication failures due to authentication policies -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. +To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then select **Enable Log**. To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)). diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md new file mode 100644 index 0000000000..21c87bfeeb --- /dev/null +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -0,0 +1,413 @@ +--- +title: Configure Credential Guard +description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry. +ms.date: 08/31/2023 +ms.collection: + - highpri + - tier2 +ms.topic: how-to +--- + +# Configure Credential Guard + +This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry. + +## Default enablement + +Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed. + +If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings. + +While the default state of Credential Guard changed, system administrators can [enable](#enable-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article. + +> [!IMPORTANT] +> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). + +> [!NOTE] +> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro. +> +> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard). + +## Enable Credential Guard + +Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised. + +To enable Credential Guard, you can use: + +- Microsoft Intune/MDM +- Group policy +- Registry + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +### Configure Credential Guard with Intune + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Credential Guard | Select one of the options:
         - **Enabled with UEFI lock**
         - **Enabled without lock** | + +>[!IMPORTANT] +> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**. + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +> [!TIP] +> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1]. + +| Setting | +|--------| +| **Setting name**: Turn On Virtualization Based Security
        **OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
        **Data type**: int
        **Value**: `1`| +| **Setting name**: Credential Guard Configuration
        **OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
        **Data type**: int
        **Value**:
         **Enabled with UEFI lock**: `1`
         **Enabled without lock**: `2`| + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +### Configure Credential Guard with group policy + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Enabled** and select one of the options listed under the **Credential Guard Configuration** dropdown:
         - **Enabled with UEFI lock**
         - **Enabled without lock**| + +>[!IMPORTANT] +> If you want to be able to turn off Credential Guard remotely, choose the option **Enabled without lock**. + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +### Configure Credential Guard with registry settings + +To configure devices using the registry, use the following settings: + +| Setting | +|--| +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
        **Key name**: `EnableVirtualizationBasedSecurity`
        **Type**: `REG_DWORD`
        **Value**: `1` (to enable Virtualization Based Security)| +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
        **Key name**: `RequirePlatformSecurityFeatures`
        **Type**: `REG_DWORD`
        **Value**:
         `1` (to use Secure Boot)
         `3` (to use Secure Boot and DMA protection) | +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
        **Key name**: `LsaCfgFlags`
        **Type**: `REG_DWORD`
        **Value**:
         `1` (to enable Credential Guard with UEFI lock)
         `2` (to enable Credential Guard without lock)| + +Restart the device to apply the change. + +> [!TIP] +> You can enable Credential Guard by setting the registry entries in the [*FirstLogonCommands*](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. + +--- + +### Verify if Credential Guard is enabled + +Checking Task Manager if `LsaIso.exe` is running isn't a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods: + +- System Information +- PowerShell +- Event Viewer + +#### System Information + +You can use *System Information* to determine whether Credential Guard is running on a device. + +1. Select **Start**, type `msinfo32.exe`, and then select **System Information** +1. Select **System Summary** +1. Confirm that **Credential Guard** is shown next to **Virtualization-based Security Services Running** + +#### PowerShell + +You can use PowerShell to determine whether Credential Guard is running on a device. From an elevated PowerShell session, use the following command: + +```powershell +(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning +``` + +The command generates the following output: + +- **0**: Credential Guard is disabled (not running) +- **1**: Credential Guard is enabled (running) + +#### Event viewer + +Perform regular reviews of the devices that have Credential Guard enabled, using security audit policies or WMI queries.\ +Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filter the event sources for *WinInit*: + +:::row::: + :::column span="1"::: + **Event ID** + :::column-end::: + :::column span="3"::: + **Description** + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 13 (Information) + :::column-end::: + :::column span="3"::: + ```logging + Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + ``` + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + `14` (Information) + :::column-end::: + :::column span="3"::: + ```logging + Credential Guard (LsaIso.exe) configuration: [**0x0** | **0x1** | **0x2**], **0** + ``` + - The first variable: **0x1** or **0x2** means that Credential Guard is configured to run. **0x0** means that it's not configured to run. + - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + `15` (Warning) + :::column-end::: + :::column span="3"::: + ```logging + Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; + continuing without Credential Guard. + ``` + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + `16` (Warning) + :::column-end::: + :::column span="3"::: + ```logging + Credential Guard (LsaIso.exe) failed to launch: [error code] + ``` + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + `17` + :::column-end::: + :::column span="3"::: + ```logging + Error reading Credential Guard (LsaIso.exe) UEFI configuration: [error code] + ``` + :::column-end::: +:::row-end::: + +The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot` + +:::row::: + :::column span="1"::: + **Event ID** + :::column-end::: + :::column span="3"::: + **Description** + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 51 (Information) + :::column-end::: + :::column span="3"::: + ```logging + VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + ``` + :::column-end::: +:::row-end::: + +If you're running with a TPM, the TPM PCR mask value is something other than 0. + +## Disable Credential Guard + +There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured: + +- Credential Guard running in a virtual machine can be [disabled by the host](#disable-credential-guard-for-a-virtual-machine) +- If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock) +- If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it: + - Microsoft Intune/MDM + - Group policy + - Registry + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +### Disable Credential Guard with Intune + +If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting disables Credential Guard. + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Credential Guard | **Disabled** | + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1]. + +| Setting | +|--------| +| **Setting name**: Credential Guard Configuration
        **OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
        **Data type**: int
        **Value**: `0`| + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +### Disable Credential Guard with group policy + +If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting disables Credential Guard. + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\System\Device Guard** |Turn On Virtualization Based Security | **Disabled** | + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +### Disable Credential Guard with registry settings + +If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys to disable it. + +| Setting | +|-| +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
        **Key name**: `LsaCfgFlags`
        **Type**: `REG_DWORD`
        **Value**: `0`| +| **Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`
        **Key name**: `LsaCfgFlags`
        **Type**: `REG_DWORD`
        **Value**: `0`| + +> [!NOTE] +> Deleting these registry settings may not disable Credential Guard. They must be set to a value of 0. + +Restart the device to apply the change. + +--- + +For information on disabling Virtualization-based Security (VBS), see [disable Virtualization-based Security](#disable-virtualization-based-security). + +### Disable Credential Guard with UEFI lock + +If Credential Guard is enabled with UEFI lock, follow this procedure since the settings are persisted in EFI (firmware) variables. + +> [!NOTE] +> This scenario requires physical presence at the machine to press a function key to accept the change. + +1. Follow the steps in [Disable Credential Guard](#disable-credential-guard) +1. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: + + ```cmd + mountvol X: /s + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + mountvol X: /d + ``` + +1. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist. + +### Disable Credential Guard for a virtual machine + +From the host, you can disable Credential Guard for a virtual machine with the following command: + +```powershell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + +## Disable Virtualization-based Security + +If you disable Virtualization-based Security (VBS), you'll automatically disable Credential Guard and other features that rely on VBS. + +> [!IMPORTANT] +> Other security features beside Credential Guard rely on VBS. Disabling VBS may have unintended side effects. + +Use one of the following options to disable VBS: + +- Microsoft Intune/MDM +- Group policy +- Registry + +[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +### Disable VBS with Intune + +If VBS is enabled via Intune and without UEFI Lock, disabling the same policy setting disables VBS. + +[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Enable Virtualization Based Security | **Disabled** | + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1]. + +| Setting | +|--------| +| **Setting name**: Turn On Virtualization Based Security
        **OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
        **Data type**: int
        **Value**: `0`| + +Once the policy is applied, restart the device. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +### Disable VBS with group policy + +Configure the policy used to enable VBS to **Disabled**. + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security** |Turn On Virtualization Based Security | **Disabled** | + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +Once the policy is applied, restart the device + +#### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +### Disable VBS with registry settings + +Delete the following registry keys: + +| Setting | +|--| +| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
        Key name: `EnableVirtualizationBasedSecurity` | +| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
        Key name: `RequirePlatformSecurityFeatures`| + +> [!IMPORTANT] +> If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery. + +Restart the device to apply the change. + +--- + +If Credential Guard is enabled with UEFI Lock, the EFI variables stored in firmware must be cleared using the command `bcdedit.exe`. From an elevated command prompt, run the following commands: + +```cmd +bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +bcdedit /set vsmlaunchtype off +``` + +## Next steps + +- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity +[INT-1]: /mem/intune/configuration/settings-catalog diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md new file mode 100644 index 0000000000..26ee36124b --- /dev/null +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md @@ -0,0 +1,235 @@ +--- +ms.date: 08/31/2023 +title: Considerations and known issues when using Credential Guard +description: Considerations, recommendations and known issues when using Credential Guard. +ms.topic: troubleshooting +--- + +# Considerations and known issues when using Credential Guard + +It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. + +## Wi-fi and VPN considerations + +When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. + +If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. + +For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS). + +## Kerberos considerations + +When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ +Use constrained or resource-based Kerberos delegation instead. + +## Third party Security Support Providers considerations + +Some third party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\ +It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. + +For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). + +## Upgrade considerations + +As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. + +Test scenarios required for operations in an organization before upgrading a device using Credential Guard. + +## Saved Windows credentials considerations + +*Credential Manager* allows you to store three types of credentials: + +- Windows credentials +- Certificate-based credentials +- Generic credentials + +Domain credentials that are stored in *Credential Manager* are protected with Credential Guard. + +Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. + +The following considerations apply to the Credential Guard protections for Credential Manager: + +- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed* +- Applications that extract Windows credentials fail +- When credentials are backed up from a PC that has Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Credential Guard + +## TPM clearing considerations + +Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost. + +>[!WARNING] +> Clearing the TPM results in loss of protected data for all features that use VBS to protect data. +> +> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data. + +As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. + +>[!NOTE] +> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup. + +### Windows credentials saved to Credential Manager + +Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. + +### Domain-joined device's automatically provisioned public key + +Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). + +Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). + +Also if any access control checks including authentication policies require devices to have either the `KEY TRUST IDENTITY (S-1-18-4)` or `FRESH PUBLIC KEY IDENTITY (S-1-18-3)` well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). + +### Breaking DPAPI on domain-joined devices + +On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. + +>[!IMPORTANT] +> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior. + +Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. +If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. + +Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: + +|Credential Type | Behavior +|---|---|---| +| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | +| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | + +Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. + +#### Impact of DPAPI failures on Windows Information Protection + +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. + +**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). + +## Known issues + +Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled. + +This article describes known issues when Credential Guard is enabled. + +### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 + +Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running. + +#### Affected devices + +Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements). + +All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement. + +> [!TIP] +> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. +> If it's present, the device enables Credential Guard after the update. +> +> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard). + +#### Cause of the issue + +Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include: + +- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) +- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) +- MS-CHAP (only SSO is blocked) +- WDigest (only SSO is blocked) +- NTLM v1 (only SSO is blocked) + +> [!NOTE] +> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. + +#### How to confirm the issue + +MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs: + +:::row::: + :::column span="1"::: + **Event ID (type)** + :::column-end::: + :::column span="3"::: + **Description** + :::column-end::: +:::row-end::: +:::row::: + :::column span="1"::: + 4013 (Warning) + :::column-end::: + :::column span="3"::: + ```logging + + ``` + :::column-end::: +:::row-end::: + +#### How to fix the issue + +We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication. + +For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft. + +> [!TIP] +> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update. +> +> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update. + +### Issues with third-party applications + +The following issue affects MSCHAPv2: + +- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). + +The following issue affects the Java GSS API. See the following Oracle bug database article: + +- [JDK-8161921: Credential Guard doesn't allow sharing of TGT with Java](https://bugs.java.com/bugdatabase/view_bug?bug_id=8161921) + +When Credential Guard is enabled on Windows, the Java GSS API doesn't authenticate. Credential Guard blocks specific application authentication capabilities and doesn't provide the TGT session key to applications, regardless of registry key settings. For more information, see [Application requirements](index.md#application-requirements). + +The following issue affects McAfee Application and Change Control (MACC): + +- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) + +The following issue affects Citrix applications: + +- Windows machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. + +> [!NOTE] +> Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). +> +> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). + +#### Vendor support + +The following products and services don't support Credential Guard: + +- [Check Point Endpoint Security Client support for Microsoft Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) +- [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) +- [ThinkPad support for Hypervisor-Protected Code Integrity and Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) +- [Windows devices with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) + +>[!IMPORTANT] +>This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Credential Guard on systems that run a specific version of Windows. Specific computer system models may be incompatible with Credential Guard. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md deleted file mode 100644 index d48686101c..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ /dev/null @@ -1,102 +0,0 @@ ---- -ms.date: 01/06/2023 -title: Considerations when using Windows Defender Credential Guard -description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard. -ms.topic: article ---- - -# Considerations when using Windows Defender Credential Guard - -It's recommended that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. - -## Wi-fi and VPN considerations - -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.\ -If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. - -For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS). - -## Kerberos considerations - -When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\ -Use constrained or resource-based Kerberos delegation instead. - -## Third party Security Support Providers considerations - -Some third party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\ -It's recommended that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. - -For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). - -## Upgrade considerations - -As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, new releases of Windows with Windows Defender Credential Guard running may affect scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. - -Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. - -## Saved Windows credentials protected - -Domain credentials that are stored in *Credential Manager* are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: - -- Windows credentials -- Certificate-based credentials -- Generic credentials - -Generic credentials, such as user names and passwords that you use to sign in websites, aren't protected since the applications require your clear-text password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. - -The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager: - -- Windows credentials saved by the Remote Desktop client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message *Logon attempt failed.* -- Applications that extract Windows credentials fail -- When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do so before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials - -## Clearing TPM considerations - -Virtualization-based Security (VBS) uses the TPM to protect its key. When the TPM is cleared, the TPM protected key used to encrypt VBS secrets is lost. - ->[!WARNING] -> Clearing the TPM results in loss of protected data for all features that use VBS to protect data. -> -> When a TPM is cleared, **all** features that use VBS to protect data can no longer decrypt their protected data. - -As a result, Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. - ->[!NOTE] -> Credential Guard obtains the key during initialization. The data loss will only impact persistent data and occur after the next system startup. - -### Windows credentials saved to Credential Manager - -Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. - -### Domain-joined device's automatically provisioned public key - -Active Directory domain-joined devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). - -Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless other policies are deployed, there shouldn't be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication). - -Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). - -### Breaking DPAPI on domain-joined devices - -On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible. - ->[!IMPORTANT] -> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior. - -Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. -If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. - -Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller: - -|Credential Type | Behavior -|---|---|---| -| Certificate (smart card or Windows Hello for Business) | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. | -| Password | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. | - -Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. - -#### Impact of DPAPI failures on Windows Information Protection - -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed. - -**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). \ No newline at end of file diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md deleted file mode 100644 index f6fafc39c0..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -ms.date: 08/17/2017 -title: How Windows Defender Credential Guard works -description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. -ms.topic: conceptual ---- - -# How Windows Defender Credential Guard works - -Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. - -For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. - -When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - -When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. - -Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: - -![Windows Defender Credential Guard overview.](images/credguard.png) - -## See also - -**Related videos** - -[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md deleted file mode 100644 index f05c26620f..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ /dev/null @@ -1,155 +0,0 @@ ---- -ms.date: 11/28/2022 -title: Windows Defender Credential Guard - Known issues -description: Windows Defender Credential Guard - Known issues in Windows Enterprise -ms.topic: article ---- -# Windows Defender Credential Guard: Known issues - -Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). - -## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2** - -### Symptoms of the issue: -Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running. - -### Affected devices: -Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). - -\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement. - -> [!TIP] -> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading: -> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard). - -### Why this is happening: -Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include: - - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) - - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) - - MS-CHAP (only SSO is blocked) - - WDigest (only SSO is blocked) - - NTLM v1 (only SSO is blocked) - -Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials. - -> [!NOTE] -> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error: - > - > **Event ID 4013** (Warning) - > ``` - > id="NTLMv1BlockedByCredGuard" - > value="Attempt to use NTLMv1 failed. - > Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826." - > /> - > ``` - > - > **Event ID 4014** (Error) - > ``` - > id="NTLMGetCredentialKeyBlockedByCredGuard" - > value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2" - > /> - > ``` - -### Options to fix the issue: - -Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication. - -For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring. - -> [!TIP] -> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM. - -## Known issues involving third-party applications - -The following issue affects MSCHAPv2: - -- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). - -The following issue affects the Java GSS API. See the following Oracle bug database article: - -- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) - -When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements). - -The following issue affects Cisco AnyConnect Secure Mobility Client: - -- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) - -The following issue affects McAfee Application and Change Control (MACC): - -- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) [Note 1](#bkmk_note1) - -The following issue affects Citrix applications: - -- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [Note 1](#bkmk_note1) - - - -> [!NOTE] -> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). -> -> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes). - -## Vendor support - -For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) - -Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions: - -- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009) - -- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) - -- ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) - -- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) - -- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) - -This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. - -Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. - -## Previous known issues that have been fixed - -The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4): - -- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: - - ```console - Task Scheduler failed to log on '\Test'. - Failure occurred in 'LogonUserExEx'. - User Action: Ensure the credentials for the task are correctly specified. - Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect). - ``` - -- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: - - ```console - Log Name: Microsoft-Windows-NTLM/Operational - Source: Microsoft-Windows-Security-Netlogon - Event ID: 8004 - Task Category: Auditing NTLM - Level: Information - Description: - Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. - Secure Channel name: - User name: - @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA - Domain name: NULL - ``` - - - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. - - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute. - - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. - -The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: - -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722) - - This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles: - - - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657) - - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md deleted file mode 100644 index 086a008176..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ /dev/null @@ -1,304 +0,0 @@ ---- -title: Manage Windows Defender Credential Guard -description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry. -ms.date: 11/23/2022 -ms.collection: - - highpri - - tier2 -ms.topic: article ---- - -# Manage Windows Defender Credential Guard - -## Default Enablement - -Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. - -Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). - -### Requirements for automatic enablement - -Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements: - -|Component|Requirement| -|---|---| -|Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**| -|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| -|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. - -> [!NOTE] -> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting. - -> [!NOTE] -> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and have previously run Windows Defender Credential Guard (for example if Windows Defender Credential Guard was running on an Enterprise device that later downgraded to Pro). -> -> To determine whether the Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures for [disabling Windows Defender Credential Guard](#disable-windows-defender-credential-guard). - -## Enable Windows Defender Credential Guard - -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. -The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. - -> [!NOTE] -> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. - -### Enable Windows Defender Credential Guard by using Group Policy - -You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. - -1. Select **Turn On Virtualization Based Security**, and then select the **Enabled** option. - -1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. - -1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. - -1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md). - - :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting."::: - -1. Select **OK**, and then close the Group Policy Management Console. - -To enforce processing of the group policy, you can run `gpupdate /force`. - -### Enable Windows Defender Credential Guard by using Microsoft Intune - -1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. - -1. Select **Configuration Profiles**. - -1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**. - - 1. Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings. - -> [!NOTE] -> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. - -> [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). - -### Enable Windows Defender Credential Guard by using the registry - -If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems. - -#### Add the virtualization-based security features - -Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped. - -If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. -To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM). - -> [!NOTE] -> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. - -##### Add the virtualization-based security features by using Programs and Features - -1. Open the Programs and Features control panel. - -1. Select **Turn Windows feature on or off**. - -1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. - -1. Select the **Isolated User Mode** check box at the top level of the feature selection. - -1. Select **OK**. - -##### Add the virtualization-based security features to an offline image by using DISM - -1. Open an elevated command prompt. - -1. Add the Hyper-V Hypervisor by running the following command: - - ```cmd - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` - -1. Add the Isolated User Mode feature by running the following command: - - ```cmd - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - - > [!NOTE] - > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. - -> [!TIP] -> You can also add these features to an online image by using either DISM or Configuration Manager. - -#### Enable virtualization-based security and Windows Defender Credential Guard - -1. Open Registry Editor. - -1. Enable virtualization-based security: - - 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`. - - 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. - -1. Enable Windows Defender Credential Guard: - - 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`. - - 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. - -1. Close Registry Editor. - -> [!NOTE] -> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. - -### Review Windows Defender Credential Guard performance - -#### Is Windows Defender Credential Guard running? - -You can view System Information to check that Windows Defender Credential Guard is running on a PC. - -1. Select **Start**, type **msinfo32.exe**, and then select **System Information**. - -1. Select **System Summary**. - -1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. - - :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: - -> [!NOTE] -> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. - -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible. - -- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - - - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** - - - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. - - - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. - - - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard. - - - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - -- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0. - -- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: - - ```powershell - (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - ``` - - This command generates the following output: - - - **0**: Windows Defender Credential Guard is disabled (not running) - - - **1**: Windows Defender Credential Guard is enabled (running) - - > [!NOTE] - > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. - -## Disable Windows Defender Credential Guard - -Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). - -If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock. - -If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). - -Otherwise, Windows Defender Credential Guard can be [disabled by changing registry keys](#disabling-windows-defender-credential-guard-using-registry-keys). - -Windows Defender Credential Guard running in a virtual machine can be [disabled by the host](#disable-windows-defender-credential-guard-for-a-virtual-machine). - -For information on disabling Virtualization-Based Security (VBS), see [Disabling Virtualization-Based Security](#disabling-virtualization-based-security). - -### Disabling Windows Defender Credential Guard using Group Policy - -If Windows Defender Credential Guard was enabled via Group Policy and without UEFI Lock, disabling the same Group Policy setting will disable Windows Defender Credential Guard. - -1. Disable the Group Policy setting that governs Windows Defender Credential Guard. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled": - - :::image type="content" source="images/credguard-gp-disabled.png" alt-text="Windows Defender Credential Guard Group Policy set to Disabled."::: - -1. Restart the machine. - -### Disabling Windows Defender Credential Guard using Registry Keys - -If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. - -1. Change the following registry settings to 0: - - - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` - - > [!NOTE] - > Deleting these registry settings may not disable Windows Defender Credential Guard. They must be set to a value of 0. - -1. Restart the machine. - -### Disabling Windows Defender Credential Guard with UEFI Lock - -If Windows Defender Credential Guard was enabled with UEFI Lock enabled, then the following procedure must be followed since the settings are persisted in EFI (firmware) variables. This scenario will require physical presence at the machine to press a function key to accept the change. - -1. If Group Policy was used to enable Windows Defender Credential Guard, disable the relevant Group Policy setting. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**. In the "Credential Guard Configuration" section, set the dropdown value to "Disabled". - -1. Change the following registry settings to 0: - - - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` - -1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: - - ```cmd - mountvol X: /s - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - mountvol X: /d - ``` - -1. Restart the PC. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. This prompt must be confirmed for the changes to persist. This step requires physical access to the machine. - -### Disable Windows Defender Credential Guard for a virtual machine - -From the host, you can disable Windows Defender Credential Guard for a virtual machine: - -```powershell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -## Disabling Virtualization-Based Security - -Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS. - -> [!IMPORTANT] -> Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects. - -1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled". - -1. Delete the following registry settings: - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` - - - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` - - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. - -1. If Windows Defender Credential Guard is running when disabling Virtualization-Based Security and either feature was enabled with UEFI Lock, the EFI (firmware) variables must be cleared using bcdedit. From an elevated command prompt, run the following bcdedit commands after turning off all Virtualization-Based Security Group Policy and registry settings as described in steps 1 and 2 above: - - > - > ```cmd - > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - > bcdedit /set vsmlaunchtype off - > ``` - -1. Restart the PC. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md deleted file mode 100644 index 6719b3db77..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Windows Defender Credential Guard protection limits -description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide. -ms.date: 08/17/2017 -ms.topic: article ---- -# Windows Defender Credential Guard protection limits - -Some ways to store credentials are not protected by Windows Defender Credential Guard, including: - -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS. -- Key loggers -- Physical attacks -- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.- -- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is. -- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host. -- Windows logon cached password verifiers (commonly called "cached credentials") -don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available. - -## See also - -**Deep Dive into Windows Defender Credential Guard: Related videos** - -[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322) -> [!NOTE] -> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md deleted file mode 100644 index e8e539e520..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ /dev/null @@ -1,138 +0,0 @@ ---- -title: Windows Defender Credential Guard requirements -description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security. -ms.date: 12/27/2021 -ms.topic: article ---- - -# Windows Defender Credential Guard requirements - -For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). - -## Hardware and software requirements - -To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - -- Support for Virtualization-based security (required) -- Secure boot (required) -- Trusted Platform Module (TPM, preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware -- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) - -The Virtualization-based security requires: - -- 64-bit CPU -- CPU virtualization extensions plus extended page tables -- Windows hypervisor (does not require Hyper-V Windows Feature to be installed) - -### Windows Defender Credential Guard deployment in virtual machines - -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. - -#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines - -- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. - - TPM is not a requirement, but we recommend that you implement TPM. - -For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/). - -For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](/windows/access-protection/remote-credential-guard#hardware-and-software-requirements). - -## Application requirements - -When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. - -> [!WARNING] -> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time. -> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. - -> [!NOTE] -> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). - -Applications will break if they require: - -- Kerberos DES encryption support -- Kerberos unconstrained delegation -- Extracting the Kerberos TGT -- NTLMv1 - -Applications will prompt and expose credentials to risk if they require: - -- Digest authentication -- Credential delegation -- MS-CHAPv2 - -Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. - -Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. - -[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)] - -## Security considerations - -All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. -Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. -The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. - -> [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. -> -> If you are an OEM, see [PC OEM requirements for Windows Defender Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations). - -### Baseline protections - -|Baseline Protections|Description|Security benefits -|---|---|---| -|Hardware: **64-bit CPU** |A 64-bit computer is required for the Windows hypervisor to provide VBS.| -|Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**:
        - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system.

        Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.| -|Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
        - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| -|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
        - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| -|Firmware: **Secure firmware update process**|**Requirements**:
        - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| -|Software: Qualified **Windows operating system**|**Requirement**:
        - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. - -### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 - -|Protections for Improved Security|Description| -|---|---| -|Hardware: **IOMMU** (input/output memory management unit)|**Requirement**:
        - VT-D or AMD Vi IOMMU

        **Security benefits**:
        - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)| -|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
        - BIOS password or stronger authentication must be supported.
        - In the BIOS configuration, BIOS authentication must be set.
        - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system.
        - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.| -|Firmware: **Secure MOR, revision 2 implementation**|**Requirement**:
        - Secure MOR, revision 2 implementation| - -### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 - -> [!IMPORTANT] -> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. - -|Protections for Improved Security|Description|Security Benefits| -|---|---|---| -|Firmware: **Hardware Rooted Trust Platform Secure Boot**|**Requirements**:
        - Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby
        - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification).|Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
        - HSTI provides additional security assurance for correctly secured silicon and platform.| -|Firmware: **Firmware Update through Windows Update**|**Requirements**:
        - Firmware must support field updates through Windows Update and UEFI encapsulation update.|Helps ensure that firmware updates are fast, secure, and reliable.| -|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
        - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
        - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.|- Enterprises can choose to allow proprietary EFI drivers/applications to run.
        - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.| - -### 2017 Additional security qualifications starting with Windows 10, version 1703 - -The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. - -|Protections for Improved Security|Description|Security Benefits -|---|---|---| -|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
        - VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections must be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
        - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable.
        (**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
        - Reduces the attack surface to VBS from system firmware.| -|Firmware: **Firmware support for SMM protection**|**Requirements**:
        - The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
        - Reduces the attack surface to VBS from system firmware.
        - Blocks additional security attacks against SMM.| - -> [!IMPORTANT] -> -> Regarding **VBS enablement of NX protection for UEFI runtime services**: -> -> - This only applies to UEFI runtime service memory, and not UEFI boot service memory. -> -> - This protection is applied by VBS on OS page tables. -> -> Please also note the following: -> -> - Do not use sections that are both writable and executable -> -> - Do not attempt to directly modify executable system memory -> -> - Do not use dynamic code diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md deleted file mode 100644 index 519ec863c8..0000000000 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ /dev/null @@ -1,35 +0,0 @@ ---- -title: Protect derived domain credentials with Windows Defender Credential Guard -description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.date: 11/22/2022 -ms.topic: article -ms.collection: - - highpri - - tier2 ---- - -# Protect derived domain credentials with Windows Defender Credential Guard - -Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. - -By enabling Windows Defender Credential Guard, the following features and solutions are provided: - -- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. -- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures. - -> [!NOTE] -> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2). - -## Related topics - -- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) -- [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382) -- [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)) -- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) -- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) -- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode) -- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel) -- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert) -- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert) -- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md new file mode 100644 index 0000000000..69eef9c3f9 --- /dev/null +++ b/windows/security/identity-protection/credential-guard/how-it-works.md @@ -0,0 +1,42 @@ +--- +ms.date: 08/31/2023 +title: How Credential Guard works +description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them. +ms.topic: conceptual +--- + +# How Credential Guard works + +Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. + +For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment. + +Here's a high-level overview on how the LSA is isolated by using Virtualization-based security: + +:::image type="content" source="images/credguard.png" alt-text="Diagram of the Credential Guard architecture."::: + +## Credential Guard protection limits + +Some ways to store credentials aren't protected by Credential Guard, including: + +- Software that manages credentials outside of Windows feature protection +- Local accounts and Microsoft Accounts +- Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS +- Key loggers +- Physical attacks +- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization +- Third-party security packages +- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols + > [!CAUTION] + > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. +- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well +- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected +- When Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials +- When Credential Guard is enabled on a VM, it protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host +- Windows logon cached password verifiers (commonly called *cached credentials*) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These *cached logons*, or more specifically, *cached domain account information*, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available + +## Next steps + +- Learn [how to configure Credential Guard](configure.md) +- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png deleted file mode 100644 index bfb042a49d..0000000000 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp-disabled.png and /dev/null differ diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp.png b/windows/security/identity-protection/credential-guard/images/credguard-gp.png deleted file mode 100644 index ad34b6deb3..0000000000 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp.png and /dev/null differ diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png deleted file mode 100644 index c9737e3236..0000000000 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and /dev/null differ diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md new file mode 100644 index 0000000000..710f148343 --- /dev/null +++ b/windows/security/identity-protection/credential-guard/index.md @@ -0,0 +1,101 @@ +--- +title: Credential Guard overview +description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them. +ms.date: 08/31/2023 +ms.topic: overview +ms.collection: + - highpri + - tier1 +--- + +# Credential Guard overview + +Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. + +Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*. + +When enabled, Credential Guard provides the following benefits: + +- **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials +- **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system +- **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS + +> [!NOTE] +> While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures. + +> [!IMPORTANT] +> Starting in Windows 11, version 22H2, VBS and Credential Guard are enabled by default on all devices that meet the system requirements.\ +> For information about known issues related to the default enablement of Credential Guard, see [Credential Guard: Known Issues](considerations-known-issues.md). + +## System requirements + +For Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements. + +Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats. + +### Hardware and software requirements + +Credential Guard requires the features: + +- Virtualization-based security (VBS) + >[!NOTE] + > VBS has different requirements to enable it on different hardware platforms. For more information, see [Virtualization-based Security requirements](/windows-hardware/design/device-experiences/oem-vbs) +- [Secure Boot](../../operating-system-security/system-security/secure-the-windows-10-boot-process.md#secure-boot) + +While not required, the following features are recommended to provide additional protections: + +- Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware +- UEFI lock, as it prevents attackers from disabling Credential Guard with a registry key change + +For detailed information on protections for improved security that are associated with hardware and firmware options, see [additional security qualifications](additional-mitigations.md#additional-security-qualifications). + +#### Credential Guard in virtual machines + +Credential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. When Credential Guard is enabled on a VM, secrets are protected from attacks *inside* the VM. Credential Guard doesn't provide protection from privileged system attacks originating from the host. + +The requirements to run Credential Guard in Hyper-V virtual machines are: + +- The Hyper-V host must have an IOMMU +- The Hyper-V virtual machine must be generation 2 + +> [!NOTE] +> Credential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on generation 2 VMs only. + +[!INCLUDE [credential-guard](../../../../includes/licensing/credential-guard.md)] + +## Application requirements + +When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*. + +Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. + +> [!WARNING] +> Enabling Credential Guard on domain controllers isn't recommended. +> Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. + +> [!NOTE] +> Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). + +Applications break if they require: + +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications prompt and expose credentials to risk if they require: + +- Digest authentication +- Credential delegation +- MS-CHAPv2 + +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`. + +Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard. + +## Next steps + +- Learn [how Credential Guard works](how-it-works.md) +- Learn [how to configure Credential Guard](configure.md) +- Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article +- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) \ No newline at end of file diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml index 3661af7b0e..a4b737a9ec 100644 --- a/windows/security/identity-protection/credential-guard/toc.yml +++ b/windows/security/identity-protection/credential-guard/toc.yml @@ -1,17 +1,11 @@ items: -- name: Protect derived domain credentials with Credential Guard - href: credential-guard.md +- name: Overview + href: index.md - name: How Credential Guard works - href: credential-guard-how-it-works.md -- name: Requirements - href: credential-guard-requirements.md -- name: Manage Credential Guard - href: credential-guard-manage.md -- name: Credential Guard protection limits - href: credential-guard-protection-limits.md -- name: Considerations when using Credential Guard - href: credential-guard-considerations.md + href: how-it-works.md +- name: Configure Credential Guard + href: configure.md - name: Additional mitigations href: additional-mitigations.md -- name: Known issues - href: credential-guard-known-issues.md \ No newline at end of file +- name: Considerations and known issues + href: considerations-known-issues.md \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 744816323d..dbdfe3cab6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,7 +1,7 @@ --- title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust model description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business on-premises certificate trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index b3059ee0c0..8a414df385 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -4,7 +4,7 @@ description: Configure Windows Hello for Business Policy settings for Windows He ms.collection: - highpri - tier1 -ms.date: 12/12/2022 +ms.date: 09/07/2023 ms.topic: tutorial --- # Configure Windows Hello for Business group policy settings - on-premises certificate Trust diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 455d4055a2..220079357a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -1,7 +1,7 @@ --- title: Validate Active Directory prerequisites in an on-premises certificate trust description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index c7b67abec3..83576f884f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -1,7 +1,7 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model. -ms.date: 12/13/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 6174ed348a..e98fede731 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -1,7 +1,7 @@ --- title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 70a5ee4feb..04edf25531 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business deployment guide for the on-premises certificate trust model description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 35b4058caa..aef79952c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -42,7 +42,7 @@ The trust model determines how you want users to authenticate to the on-premises - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!Note] -> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Remote Credential Guard](../remote-credential-guard.md). Following are the various deployment guides and models included in this topic: diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 04b493aa73..ca9a3ac20d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -257,4 +257,4 @@ sections: In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. + Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index d46d1075a5..ab35e717f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -113,7 +113,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the | OMA-URI |Data type| Value| |-|-|-| -| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | Tue | +| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True | >[!NOTE] > You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:: @@ -124,11 +124,12 @@ GET https://graph.microsoft.com/v1.0/organization?$select=id #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) -[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**: +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] -| Group policy setting | Value | -| - | - | -| **Use PIN Recovery** | **Enabled** | +| Group policy path | Group policy setting | Value | +| - | - | - | +|**Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**| Use PIN Recovery | Enabled | [!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 736e333462..58e5c14636 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,10 +1,10 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -ms.date: 02/24/2021 +ms.date: 09/01/2023 ms.topic: conceptual ms.collection: - - tier1 +- tier1 --- # Remote Desktop @@ -14,7 +14,7 @@ ms.collection: - Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices -Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. +Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md) to establish a remote desktop protocol connection. Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release. @@ -30,31 +30,20 @@ The ability for users to authenticate to a remote desktop session using their Wi ### How does it work -Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider. +Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider. -A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). +A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key). -This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). +The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP. The user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide the complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers direct the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). -Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN. +Windows Hello for Business emulates a smart card for application compatibility, and the Microsoft Passport KSP prompts the user for their biometric gesture or PIN. ### Compatibility -Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. +Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. > [!div class="mx-imgBorder"] > ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png) > [!IMPORTANT] -> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index be437d043f..cf93d23831 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -1,5 +1,5 @@ --- -ms.date: 12/12/2022 +ms.date: 09/07/2023 title: Prepare and deploy Active Directory Federation Services in an on-premises key trust description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model. appliesto: diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 3fd25ec607..ed52f1c594 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -1,5 +1,5 @@ --- -ms.date: 12/12/2022 +ms.date: 09/07/2023 title: Configure Windows Hello for Business Policy settings in an on-premises key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario appliesto: @@ -20,7 +20,7 @@ If you configure the Group Policy for computers, all users that sign-in to those The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business . +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. ## Create the GPO @@ -105,4 +105,4 @@ Before you continue with the deployment, validate your deployment progress by re ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. \ No newline at end of file +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 19fe709d3f..2537513f37 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,7 +1,7 @@ --- title: Validate Active Directory prerequisites in an on-premises key trust description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 4d089851ff..61aece97e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,7 +1,7 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index e2f7510aac..ab932d9a99 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,7 +1,7 @@ --- title: Configure and validate the Public Key Infrastructure in an on-premises key trust model description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model. -ms.date: 12/12/2022 +ms.date: 09/07/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 0ce80daac5..8375e0ebd3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -88,7 +88,7 @@ The key trust type does not require issuing authentication certificates to end u The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. > [!NOTE] -> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Remote Credential Guard](../remote-credential-guard.md). #### Device registration diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 4ba5142f01..24b362c125 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -ms.date: 03/09/2023 +ms.date: 09/07/2023 ms.topic: get-started --- # Windows Hello for Business Videos diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md index 86a2aa8e8d..e0d3b1306e 100644 --- a/windows/security/identity-protection/hello-for-business/index.md +++ b/windows/security/identity-protection/hello-for-business/index.md @@ -91,7 +91,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. -Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Remote Credential Guard](../remote-credential-guard.md). ## Learn more diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 9dafd8be5b..690c5f984c 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -317,7 +317,7 @@ The following image shows the SCRIL setting for a user in Active Directory Admin > 1. Enable the setting. > 1. Save changes again. > -> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you. +> When you upgrade the domain functional level to Windows Server 2016 or later, the domain controller automatically does this action for you. The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016: diff --git a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png b/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png deleted file mode 100644 index f7767ac5f0..0000000000 Binary files a/windows/security/identity-protection/images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png and /dev/null differ diff --git a/windows/security/identity-protection/images/remote-credential-guard-gp.png b/windows/security/identity-protection/images/remote-credential-guard-gp.png deleted file mode 100644 index f7db3ee411..0000000000 Binary files a/windows/security/identity-protection/images/remote-credential-guard-gp.png and /dev/null differ diff --git a/windows/security/identity-protection/images/remote-credential-guard.gif b/windows/security/identity-protection/images/remote-credential-guard.gif new file mode 100644 index 0000000000..effe8a4bc2 Binary files /dev/null and b/windows/security/identity-protection/images/remote-credential-guard.gif differ diff --git a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png b/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png deleted file mode 100644 index 56021d820e..0000000000 Binary files a/windows/security/identity-protection/images/windows-defender-remote-credential-guard-with-remote-admin-mode.png and /dev/null differ diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 41748c9408..7351dd93ae 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -1,11 +1,11 @@ --- -title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard -description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device. +title: Remote Credential Guard +description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device. ms.collection: - highpri -- tier2 -ms.topic: article -ms.date: 01/12/2018 +- tier1 +ms.topic: how-to +ms.date: 09/06/2023 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -13,96 +13,112 @@ appliesto: - ✅ Windows Server 2019 - ✅ Windows Server 2016 --- -# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard -Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. +# Remote Credential Guard -Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. +## Overview + +Remote Credential Guard helps protecting credentials over a Remote Desktop (RDP) connection by redirecting Kerberos requests back to the device that's requesting the connection. If the target device is compromised, the credentials aren't exposed because both credential and credential derivatives are never passed over the network to the target device. Remote Credential Guard also provides single sign-on experiences for Remote Desktop sessions. + +This article describes how to configure and use Remote Credential Guard. > [!IMPORTANT] > For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article. -## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options +## Compare Remote Credential Guard with other connection options -The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: +Using a Remote Desktop session without Remote Credential Guard has the following security implications: -![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) +- Credentials are sent to and stored on the remote host +- Credentials aren't protected from attackers on the remote host +- Attacker can use credentials after disconnection -The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: +The security benefits of Remote Credential Guard include: -![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) +- Credentials aren't sent to the remote host +- During the remote session you can connect to other systems using SSO +- An attacker can act on behalf of the user only when the session is ongoing -As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. +The security benefits of [Restricted Admin mode][TECH-1] include: + +- Credentials aren't sent to the remote host +- The Remote Desktop session connects to other resources as the remote host's identity +- An attacker can't act on behalf of the user and any attack is local to the server Use the following table to compare different Remote Desktop connection security options: -| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | +| Feature | Remote Desktop | Remote Credential Guard | Restricted Admin mode | |--|--|--|--| -| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | -| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

        For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | -| **Helps prevent**                    |      N/A          |

        • Pass-the-Hash
        • Use of a credential after disconnection
        |
        • Pass-the-Hash
        • Use of domain identity during connection
        | -| **Credentials supported from the remote desktop client device** |
        • Signed on credentials
        • Supplied credentials
        • Saved credentials
        |
        • Signed on credentials only |
          • Signed on credentials
          • Supplied credentials
          • Saved credentials
          | -| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | -| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. | -| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | -| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | - -For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol) -and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)). - -## Remote Desktop connections and helpdesk support scenarios - -For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. - -Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). - -To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/download/details.aspx?id=46899). - -For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx). - -[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)] +| Single sign-on (SSO) to other systems as signed in user | ✅ | ✅ | ❌ | +| Multi-hop RDP | ✅ | ✅ | ❌ | +| Prevent use of user's identity during connection | ❌ | ❌ | ✅ | +| Prevent use of credentials after disconnection | ❌ | ✅ | ✅ | +| Prevent Pass-the-Hash (PtH) | ❌ | ✅ | ✅ | +| Supported authentication | Any negotiable protocol | Kerberos only | Any negotiable protocol | +| Credentials supported from the remote desktop client device | - Signed on credentials
          - Supplied credentials
          - Saved credentials | - Signed on credentials
          - Supplied credentials
          | - Signed on credentials
          - Supplied credentials
          - Saved credentials | +| RDP access granted with | Membership of **Remote Desktop Users** group on remote host | Membership of **Remote Desktop Users** group on remote host | Membership of **Administrators** group on remote host | ## Remote Credential Guard requirements -To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: +To use Remote Credential Guard, the remote host and the client must meet the following requirements. -The Remote Desktop client device: +The remote host: -- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine -- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host -- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard -- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk +- Must allow the user to access via Remote Desktop connections +- Must allow delegation of nonexportable credentials to the client device -The Remote Desktop remote host: +The client device: -- Must be running at least Windows 10, version 1607 or Windows Server 2016. -- Must allow Restricted Admin connections. -- Must allow the client's domain user to access Remote Desktop connections. -- Must allow delegation of non-exportable credentials. +- Must be running the Remote Desktop Windows application. The Remote Desktop Universal Windows Platform (UWP) application doesn't support Remote Credential Guard +- Must use Kerberos authentication to connect to the remote host. If the client can't connect to a domain controller, then RDP attempts to fall back to NTLM. Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk -There are no hardware requirements for Windows Defender Remote Credential Guard. +[!INCLUDE [remote-credential-guard](../../../includes/licensing/remote-credential-guard.md)] -> [!NOTE] -> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. -> -> GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials. +## Enable delegation of nonexportable credentials on the remote hosts -- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. -- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. -- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. +This policy is required on the remote hosts to support Remote Credential Guard and Restricted Admin mode. It allows the remote host to delegate nonexportable credentials to the client device.\ +If you disable or don't configure this setting, Restricted Admin and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host, exposing users to the risk of credential theft from attackers on the remote host. -## Enable Windows Defender Remote Credential Guard +To enable delegation of nonexportable credentials on the remote hosts, you can use: -You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry. +- Microsoft Intune/MDM +- Group policy +- Registry -1. Open Registry Editor on the remote host -1. Enable Restricted Admin and Windows Defender Remote Credential Guard: +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] - - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa` - - Add a new DWORD value named **DisableRestrictedAdmin** - - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 +#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) -1. Close Registry Editor +[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| **Administrative Templates > System > Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled | + +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-1]. + +| Setting | +|--------| +| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials`
          - **Data type:** string
          - **Value:** ``| + +#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Remote host allows delegation of nonexportable credentials | Enabled | + +[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] +#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +To configure devices using the registry, use the following settings: + +| Setting | +|-| +| - **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
          - **Key name:** `DisableRestrictedAdmin`
          - **Type:** `REG_DWORD`
          - **Value:** `0`| You can add this by running the following command from an elevated command prompt: @@ -110,44 +126,103 @@ You can add this by running the following command from an elevated command promp reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD ``` -## Using Windows Defender Remote Credential Guard +--- -Beginning with Windows 10 version 1703, you can enable Windows Defender Remote Credential Guard on the client device either by using Group Policy or by using a parameter with the Remote Desktop Connection. +## Configure delegation of credentials on the clients -### Turn on Windows Defender Remote Credential Guard by using Group Policy +To enable Remote Credential Guard on the clients, you can configure a policy that prevents the delegation of credentials to the remote hosts. -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation** -1. Double-click **Restrict delegation of credentials to remote servers** - ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) -1. Under **Use the following restricted mode**: - - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used +> [!TIP] +> If you don't want to configure your clients to enforce Remote Credential Guard, you can use the following command to use Remote Credential Guard for a specific RDP session: +> ```cmd +> mstsc.exe /remoteGuard +> ``` - > [!NOTE] - > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. +The policy can have different values, depending on the level of security you want to enforce: - - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. - -1. Click **OK** -1. Close the Group Policy Management Console -1. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied - -### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection - -If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. - -```cmd -mstsc.exe /remoteGuard -``` +- **Disabled**: *Restricted Admin* and *Remote Credential Guard* mode aren't enforced and the Remote Desktop Client can delegate credentials to remote devices +- **Require Restricted Admin**: the Remote Desktop Client must use Restricted Admin to connect to remote hosts +- **Require Remote Credential Guard**: Remote Desktop Client must use Remote Credential Guard to connect to remote hosts +- **Restrict credential delegation**: Remote Desktop Client must use Restricted Admin or Remote Credential Guard to connect to remote hosts. In this configuration, Remote Credential Guard is preferred, but it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used > [!NOTE] -> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer. +> When *Restrict Credential Delegation* is enabled, the `/restrictedAdmin` switch will be ignored. Windows enforces the policy configuration instead and uses Remote Credential Guard. -## Considerations when using Windows Defender Remote Credential Guard +To configure your clients, you can use: -- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied -- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory -- Remote Desktop Credential Guard only works with the RDP protocol +- Microsoft Intune/MDM +- Group policy + +[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] + +#### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/MDM**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| **Administrative Templates > System > Credentials Delegation** | Restrict delegation of credentials to remote servers | Select **Enabled** and in the dropdown, select one of the options:
          - **Restrict Credential Delegation**
          - **Require Remote Credential Guard**| + +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] + +Alternatively, you can configure devices using a [custom policy][INT-3] with the [Policy CSP][CSP-2]. + +| Setting | +|--| +|- **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration`
          - **Data type:** string
          - **Value:** ``

          Possible values for `RestrictedRemoteAdministrationDrop` are:
          - `0`: Disabled
          - `1`: Require Restricted Admin
          - `2`: Require Remote Credential Guard
          - `3`: Restrict credential delegation | + +#### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **Group policy**](#tab/gpo) + +[!INCLUDE [gpo-settings-1](../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\System\Credentials Delegation** | Restrict delegation of credentials to remote servers| **Enabled** and in the dropdown, select one of the options:
          - **Restrict Credential Delegation**
          - **Require Remote Credential Guard**| + +[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)] + +#### [:::image type="icon" source="../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) + +Not documented. + +--- + +## Use Remote Credential Guard + +Once a client receives the policy, you can connect to the remote host using Remote Credential Guard by opening the Remote Desktop Client (`mstsc.exe`). The user is automatically authenticated to the remote host: + +:::image type="content" source="images/remote-credential-guard.gif" alt-text="Animation showing a client connecting to a remote server using Remote Credential Guard with SSO."::: + +> [!NOTE] +> The user must be authorized to connect to the remote server using the Remote Desktop protocol, for example by being a member of the Remote Desktop Users local group on the remote host. + +## Remote Desktop connections and helpdesk support scenarios + +For helpdesk support scenarios in which personnel require administrative access via Remote Desktop sessions, it isn't recommended the use of Remote Credential Guard. If an RDP session is initiated to an already compromised client, the attacker could use that open channel to create sessions on the user's behalf. The attacker can access any of the user's resources for a limited time after the session disconnects. + +We recommend using Restricted Admin mode option instead. For helpdesk support scenarios, RDP connections should only be initiated using the `/RestrictedAdmin` switch. This helps to ensure that credentials and other user resources aren't exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2][PTH-1]. + +To further harden security, we also recommend that you implement Windows Local Administrator Password Solution (LAPS), which automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. + +For more information about LAPS, see [What is Windows LAPS][LEARN-1]. + +## Additional considerations + +Here are some additional considerations for Remote Credential Guard: + +- Remote Credential Guard doesn't support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied +- Remote Credential Guard can be used only when connecting to a device that is joined to an Active Directory domain. It can't be used when connecting to remote devices joined to Azure Active Directory (Azure AD) +- Remote Credential Guard can be used from an Azure AD joined client to connect to an Active Directory joined remote host, as long as the client can authenticate using Kerberos +- Remote Credential Guard only works with the RDP protocol - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own - The server and client must authenticate using Kerberos +- Remote Credential Guard is only supported for direct connections to the target machines and not for the ones via Remote Desktop Connection Broker and Remote Desktop Gateway + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-credentialsdelegation +[CSP-2]: /windows/client-management/mdm/policy-csp-admx-credssp +[INT-3]: /mem/intune/configuration/settings-catalog +[LEARN-1]: /windows-server/identity/laps/laps-overview +[TECH-1]: https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx +[PTH-1]: https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index d8e6726e39..2b006e3ca0 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml @@ -33,11 +33,11 @@ items: - name: Access Control href: access-control/access-control.md displayName: ACL/SACL - - name: Windows Defender Credential Guard + - name: Credential Guard href: credential-guard/toc.yml - - name: Windows Defender Remote Credential Guard + - name: Remote Credential Guard href: remote-credential-guard.md - - name: LSA Protection + - name: LSA Protection 🔗 href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection - name: Local Accounts href: access-control/local-accounts.md diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md index 891ad65444..191dfb47cb 100644 --- a/windows/security/includes/sections/identity.md +++ b/windows/security/includes/sections/identity.md @@ -24,5 +24,5 @@ ms.topic: include | **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. | | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. | | **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.

          Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. | -| **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

          By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | -| **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

          Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | +| **[Credential Guard](/windows/security/identity-protection/credential-guard)** | Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

          By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. | +| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

          Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. | diff --git a/windows/security/index.yml b/windows/security/index.yml index fcb82babda..963c96d66e 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -7,6 +7,7 @@ brand: windows metadata: ms.topic: hub-page ms.prod: windows-client + ms.technology: itpro-security ms.collection: - highpri - tier1 @@ -72,8 +73,8 @@ productDirectory: links: - url: /windows/security/identity-protection/hello-for-business text: Windows Hello for Business - - url: /windows/security/identity-protection/credential-guard/credential-guard - text: Windows Defender Credential Guard + - url: /windows/security/identity-protection/credential-guard + text: Credential Guard - url: /windows-server/identity/laps/laps-overview text: Windows LAPS (Local Administrator Password Solution) - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection diff --git a/windows/security/introduction.md b/windows/security/introduction.md index a87668dc0e..69e2193bf2 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -1,7 +1,7 @@ --- title: Introduction to Windows security description: System security book. -ms.date: 08/01/2023 +ms.date: 09/01/2023 ms.topic: tutorial ms.author: paoloma content_well_notification: @@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right 1. When verified, give people and devices access to only necessary resources for the necessary amount of time 1. Use continuous analytics to drive threat detection and improve defenses -For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. +For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. ### Security, by default @@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d ### Secured identities -Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. ### Connecting to cloud services diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md index 0e0bc1697c..0f426874c2 100644 --- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md +++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md @@ -278,10 +278,6 @@ Certified against the Protection Profile for General Purpose Operating Systems. ### Windows Server 2003 Certificate Server - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) -- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) -- [Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) -- [User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) -- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) ### Windows Rights Management Services diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index c0f93ba219..e13121f3d9 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -1,7 +1,7 @@ --- title: Deprecated features in the Windows client -description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11. -ms.date: 08/17/2023 +description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. +ms.date: 09/01/2023 ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium @@ -36,7 +36,8 @@ The features in this article are no longer being actively developed, and might b |Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://www.alljoyn.org/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | +| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 | +| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 | | TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| | Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 | | Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 | @@ -50,7 +51,7 @@ The features in this article are no longer being actively developed, and might b | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | -| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is is no longer being developed. | September, 2019 | +| Microsoft BitLocker Administration and Monitoring (MBAM)| [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/), part of the [Microsoft Desktop Optimization Pack (MDOP)](/lifecycle/announcements/mdop-extended) is no longer being developed. | September, 2019 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
           
          The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
           
          PSR was removed in Windows 11.| 1909 | @@ -61,7 +62,6 @@ The features in this article are no longer being actively developed, and might b | Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 | |Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 | -|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 | |[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 | |[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 | |Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 | diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index b2c710d264..99cf0f87aa 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -208,14 +208,14 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) -#### Windows Defender Credential Guard +#### Credential Guard -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. +Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. > [!NOTE] -> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +> Credential Guard is available only to S mode devices or Enterprise and Education Editions. For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 48b3e3b651..c07ad692ea 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -74,7 +74,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( ### Virus and threat protection -[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses. +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses. [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform. - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. @@ -149,9 +149,9 @@ Windows Hello enhancements include: ### Credential protection -#### Windows Defender Credential Guard +#### Credential Guard -[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. +[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. ### Privacy controls diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 55b211215b..4f608c1dd6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -80,7 +80,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c ## Security >[!NOTE] ->Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall. +>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Credential Guard, and Windows Defender Firewall. **Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index b617d899f5..ad971e7d6a 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -141,11 +141,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge). -### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined +### Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. +Credential Guard has always been an optional feature, but Windows 10-S turns on this functionality by default when the machine has been Azure Active Directory-joined. This functionality provides an added level of security when connecting to domain resources not normally present on 10-S devices. Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. ### Windows 10 Pro S Mode requires a network connection diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index c0202f98fe..d40de13c9d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -41,9 +41,9 @@ If you're using Windows Update for Business, you'll receive the Windows 10, vers ## Security -### Windows Defender Credential Guard +### Credential Guard -[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. +[Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. ### Microsoft BitLocker diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md index 4e91dc9a19..b09c1ab588 100644 --- a/windows/whats-new/whats-new-windows-11-version-22H2.md +++ b/windows/whats-new/whats-new-windows-11-version-22H2.md @@ -50,9 +50,9 @@ For more information, see [Smart App Control](/windows/security/threat-protectio ## Credential Guard -Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. +Compatible Windows 11 Enterprise version 22H2 devices will have **Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. -For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage). +For more information, see [Manage Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage). ## Malicious and vulnerable driver blocking diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md index 5431f9f832..d6f384c4f5 100644 --- a/windows/whats-new/windows-licensing.md +++ b/windows/whats-new/windows-licensing.md @@ -67,7 +67,7 @@ The following table describes the unique Windows Enterprise edition features: | OS-based feature | Description | |-|-| -|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.| +|**[Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.| |**[Managed Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.| |**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. | |**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.| @@ -135,13 +135,13 @@ In most cases, the Windows Pro edition comes pre-installed on a business-class d - A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers - A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only -In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios. +In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscription doesn't block these scenarios. The following table lists the Windows 11 Enterprise features and their Windows edition requirements: | OS-based feature |Windows Pro|Windows Enterprise| |-|-|-| -|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes| +|**[Credential Guard][WIN-1]**|❌|Yes| |**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes| |**[Modern BitLocker Management][WIN-2]**|Yes|Yes| |**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|