Merge branch 'master' into tvm-server

This commit is contained in:
Beth Levin 2020-03-13 11:00:17 -07:00
commit a9004e83fc
22 changed files with 531 additions and 582 deletions

View File

@ -2,13 +2,13 @@
title: Use your voice with HoloLens
description: Cortana can help you do all kinds of things on your HoloLens
ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed
ms.date: 11/8/2019
ms.date: 03/10/2020
keywords: hololens
ms.prod: hololens
ms.sitesec: library
author: v-miegge
author: Teresa-Motiv
audience: ITPro
ms.author: v-miegge
ms.author: v-tea
ms.topic: article
manager: jarrettr
ms.localizationpriority: high
@ -63,11 +63,11 @@ To use these commands, gaze at a 3D object, hologram, or app window.
### See it, say it
Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor** on it for a moment to see a voice tip.
Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor**,**touch cursor** or one **hand ray** on it for a moment. If the button is voice-enabled, you'll see a voice tip.
### Dictation mode
Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that."
> [!NOTE]
> To use dictation mode, you have to have an internet connection.
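Review bot: L30 is missing a space after the comma and a serial comma in "**gaze cursor**,**touch cursor** or one **hand ray**"; suggest "**gaze cursor**, **touch cursor**, or a **hand ray**". L32 and L33 read identically, so that change is whitespace-only; confirm it is intentional.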

View File

@ -1,5 +1,6 @@
---
title: Use a provisioning package to configure HoloLens
title: Configure HoloLens by using a provisioning package (HoloLens)
description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging.
ms.prod: hololens
ms.sitesec: library
@ -9,20 +10,23 @@ ms.custom:
author: dansimp
ms.author: dansimp
ms.topic: article
ms.custom:
- CI 115190
- CSSTroubleshooting
ms.localizationpriority: medium
ms.date: 11/13/2018
ms.reviewer:
ms.date: 03/10/2020
ms.reviewer: Teresa-Motiv
manager: dansimp
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Use a provisioning package to configure HoloLens
# Configure HoloLens by using a provisioning package
[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.
Some of the HoloLens configurations that you can apply in a provisioning package:
Some of the HoloLens configurations that you can apply in a provisioning package include the following:
- Upgrade to Windows Holographic for Business [here](hololens1-upgrade-enterprise.md)
- Set up a local account
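Review bot: the hunk header's context line is `ms.custom:`, so the front matter already carries that key above line 9, and this hunk adds a second `ms.custom:` block (L50–L52) below `ms.topic`. Duplicate keys in YAML front matter are at best silently overridden; fold `- CI 115190` and `- CSSTroubleshooting` into the existing key instead of adding a new one.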
@ -38,43 +42,43 @@ The HoloLens wizard helps you configure the following settings in a provisioning
- Upgrade to the enterprise edition
> [!NOTE]
> This should only be used for HoloLens 1st Gen devices. Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
> This should only be used for HoloLens 1st gen devices. Settings in a provisioning package are only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
- Configure the HoloLens first experience (OOBE)
- Configure Wi-Fi network
- Enroll device in Azure Active Directory or create a local account
- Configure the Wi-Fi network
- Enroll the device in Azure Active Directory, or create a local account
- Add certificates
- Enable Developer Mode
- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)).
- Configure kiosk mode (for detailed instructions,see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)
> [!WARNING]
> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
Provisioning packages can include management instructions and policies, customization of network connections and policies, and more.
Provisioning packages can include management instructions and policies, custom network connections and policies, and more.
> [!TIP]
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
## Steps for Creating Provisioning Packages
## Steps for creating provisioning packages
### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this).
### 1. Install Windows Configuration Designer on your PC.
You can do this in either of the following ways:
- **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
- **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
### 2. Create the Provisioning Package
### 2. Create the provisioning package
Use the Windows Configuration Designer tool to create a provisioning package.
1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Click **Provision HoloLens devices**.
2. Select **Provision HoloLens devices**.
![ICD start options](images/icd-create-options-1703.png)
3. Name your project and click **Finish**.
3. Name your project and select **Finish**.
4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning will walk you through the following steps.
4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning walk you through the following steps.
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
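Review bot: L74 introduces a grammatical error: "Settings in a provisioning package are only be applied" should read "are only applied". L83 is missing a space after the comma in "instructions,see" and never closes its parenthesis; suggest "Configure kiosk mode (for detailed instructions, see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803))".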
@ -83,108 +87,110 @@ Use the Windows Configuration Designer tool to create a provisioning package.
<table>
<tr><td style="width:45%" valign="top"><a id="one"></a><img src="images/one.png" alt="step one"/><img src="images/set-up-device.png" alt="set up device"/></br></br>Browse to and select the enterprise license file to upgrade the HoloLens edition.</br></br>You can also toggle <strong>Yes</strong> or <strong>No</strong> to hide parts of the first experience.</br></br>To set up the device without the need to connect to a Wi-Fi network, toggle <strong>Skip Wi-Fi setup</strong> to <strong>On</strong>.</br></br>Select a region and timezone in which the device will be used. </td><td><img src="images/set-up-device-details.png" alt="Select enterprise licence file and configure OOBE"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="two"></a><img src="images/two.png" alt="step two"/> <img src="images/set-up-network.png" alt="set up network"/></br></br>In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select <strong>On</strong>, enter the SSID, the network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="images/set-up-network-details-desktop.png" alt="Enter network SSID and type"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="three"></a><img src="images/three.png" alt="step three"/> <img src="images/account-management.png" alt="account management"/></br></br>You can enroll the device in Azure Active Directory, or create a local account on the device</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click <strong>Get bulk token</strong>. In the <strong>Let&#39;s get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Click <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions. </br></br>To create a local account, select that option and enter a user name and password. </br></br><strong>Important:</strong> (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the <strong>Settings</strong> app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td><img src="images/account-management-details.png" alt="join Azure AD or create a local account"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="two"></a><img src="images/two.png" alt="step two"/> <img src="images/set-up-network.png" alt="set up network"/></br></br>In this section, you can enter the details of the Wi-Fi wireless network that the device should automatically connect to. To do this, select <strong>On</strong>, enter the SSID, the network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="images/set-up-network-details-desktop.png" alt="Enter network SSID and type"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="three"></a><img src="images/three.png" alt="step three"/> <img src="images/account-management.png" alt="account management"/></br></br>You can enroll the device in Azure Active Directory, or create a local account on the device</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Select <strong>Get bulk token</strong>. In the <strong>Let&#39;s get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Select <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions. </br></br>To create a local account, select that option and enter a user name and password. </br></br><strong>Important:</strong> <br />(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the <strong>Settings</strong> app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. </td><td><img src="images/account-management-details.png" alt="join Azure AD or create a local account"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="four"></a><img src="images/four.png" alt="step four"/> <img src="images/add-certificates.png" alt="add certificates"/></br></br>To provision the device with a certificate, click <strong>Add a certificate</strong>. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td><img src="images/add-certificates-details.png" alt="add a certificate"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="five"></a><img src="images/five.png" alt="step five"/> <img src="images/developer-setup.png" alt="Developer Setup"/></br></br>Toggle <strong>Yes</strong> or <strong>No</strong> to enable Developer Mode on the HoloLens. <a href="https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode" data-raw-source="[Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)">Learn more about Developer Mode.</a></td><td><img src="images/developer-setup-details.png" alt="Enable Developer Mode"/></td></tr>
<tr><td style="width:45%" valign="top"><a id="six"></a><img src="images/six.png" alt="step six"/> <img src="images/finish.png" alt="finish"/></br></br>Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.</td><td><img src="images/finish-details.png" alt="Protect your package"/></td></tr>
</table>
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
After you're done, select **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
### 3. Create a provisioning package for HoloLens using advanced provisioning
### 3. Create a provisioning package for HoloLens by using advanced provisioning
> [!NOTE]
> Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
> A provisioning package that you create in **Advanced provisioning** does not need to include an edition upgrade license to Windows Holographic for Business to succesfully apply to a HoloLens (1st gen). [See more on Windows Holographic for Business for HoloLens (1st gen)](hololens1-upgrade-enterprise.md).
1. On the Windows Configuration Designer start page, select **Advanced provisioning**.
2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project.
3. Click **Next**.
3. Select **Next**.
4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then click **Next**.
4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then select **Next**.
6. Click **Finish**.
5. Select **Finish**.
7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure).
6. Expand **Runtime settings** and customize the package by using any of the settings [described later in this article](#what-you-can-configure).
> [!IMPORTANT]
> (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery).
8. On the **File** menu, click **Save**.
7. Select **File** > **Save**.
4. Read the warning that project files may contain sensitive information, and click **OK**.
8. Read the warning that project files may contain sensitive information, and select **OK**.
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
3. On the **Export** menu, click **Provisioning package**.
9. Select **Export** > **Provisioning package**.
4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**.
10. Change **Owner** to **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. Select **Next**.
5. Set a value for **Package Version**.
11. Set a value for **Package Version**.
> [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages.
6. On the **Select security details for the provisioning package**, click **Next**.
12. On the **Select security details for the provisioning package**, select **Next**.
> [!WARNING]
> If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
13. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
Optionally, you can select **Browse** to change the default output location.
8. Click **Next**.
14. Select **Next**.
9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
15. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
10. When the build completes, click **Finish**.
16. When the build completes, select **Finish**.
<span id="apply" />
## Apply a provisioning package to HoloLens during setup
1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
1. Use the USB cable to connect the device to a PC, and then start the device. Do not continue past the **First interactable moment** page of OOBE.
- On HoloLens (1st gen), this page contains a blue box.
- On HoloLens 2, this page contains the hummingbird.
2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. (This step isn't needed in Windows 10, version 1803.)
2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously.
3. HoloLens will show up as a device in File Explorer on the PC.
3. HoloLens shows up as a device in File Explorer on the PC.
4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
6. The device asks you if you trust the package and would like to apply it. Confirm that you trust the package.
7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
> [!NOTE]
> If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
> If the device was purchased before August 2016, you will need to sign in to the device by using a Microsoft account, get the latest operating system update, and then reset the operating system in order to apply the provisioning package.
### 4. Apply a provisioning package to HoloLens after setup
> [!NOTE]
> Windows 10, version 1809 only
> These steps apply only toWindows 10, version 1809.
On your PC:
On your PC, follow these steps:
1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
2. Connect the HoloLens device to a PC by using a USB cable. HoloLens shows up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.
On your HoloLens:
1. Go to **Settings > Accounts > Access work or school**.
On your HoloLens, follow these steps:
1. Go to **Settings** > **Accounts** > **Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package.
After your package has been applied, it shows up in the list of **Installed packages**. To view the package details or to remove the package from the device, select the listed package.
## What you can configure
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://docs.microsoft.com/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers).
In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). The following table describes settings that you might want to configure for HoloLens.
![Common runtime settings for HoloLens](images/icd-settings.png)
@ -193,9 +199,9 @@ In Windows Configuration Designer, when you create a provisioning package for Wi
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens1-upgrade-enterprise.md) |
| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) |
| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hololenspolicies) |
> [!NOTE]
> App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
> HoloLens does not currently support installing apps (**UniversalAppInstall**) by using a provisioning package.
## Next Step: [Enroll your device](hololens-enroll-mdm.md)
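Review bot: L181 still tells the reader to press the buttons "while on the **fit** page", but L173 renamed that page to **First interactable moment** for both device generations, so step 5 now refers to a page that step 1 no longer describes; update L181 to match. The new note at L129 says an Advanced provisioning package "does not need to include an edition upgrade license", which contradicts the note kept at L74 in the wizard section ("Settings in a provisioning package are only be applied if the provisioning package includes an edition upgrade license..."); either reconcile the two or state why the wizard and advanced paths differ, and fix the typo "succesfully". L191 is missing a space in "toWindows". L194 links to hololens-provisioning.md, which is this page, with link text that matches none of its headings.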

View File

@ -1725,9 +1725,9 @@ Valid values: 090
<!--Description-->
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
If you enable this setting, catch-up scans for scheduled full scans will be disabled.
Supported values:
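Review bot: L230 and L231 together leave no configuration in which catch-up full scans run: "disable or do not configure" now turns them off and "enable" disables them. The original (L228–L229) had the mirror-image defect, with both branches turned on. One branch has to turn catch-up scans on; state which, consistent with the supported values listed after L232, and keep the enable branch ahead of the disable branch as the rest of the description does.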

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---
@ -76,9 +76,6 @@ manager: dansimp
<!--Description-->
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
> [!NOTE]
> DeviceEnroller.exe will not elevate the user if a pre-configured local admin group already exists on the device. This is a security measure in the executable where it checks for other non-disabled Administrators' membership(s). If at least one already exists, the tool will exit without elevating.
> [!CAUTION]
> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
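Review bot: L248–L249 delete the note that DeviceEnroller.exe refuses to elevate the user when a non-disabled local Administrators membership already exists. That is documented security behavior, and neither this hunk nor the commit message (L1) says the behavior changed; if it still holds, keep the note, and if it no longer holds, say so in the commit message rather than dropping it silently.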

View File

@ -1204,19 +1204,19 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
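Review bot: the edition footnote changes from <sup>6</sup> to <sup>3</sup> on L260, L265, L270 and L275 (and again on L291–L306, L322–L337 and L353), but the footnote legend that defines 3 and 6 is outside this diff. Confirm footnote 3 corresponds to Windows 10, version 1709, since the descriptions in the following hunks (L282, L313, L344) now say "Added in Windows 10, version 1709".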
@ -1233,8 +1233,8 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
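Review bot: L282 replaces "Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709." with "Added in Windows 10, version 1709.", which drops the information that the policy was backported. If the intent is that 1709 is the earliest supported release, the shorter form is fine, but the same edit is applied at L313 and L344, and all three must agree with the footnote changed from 6 to 3 in the surrounding edition tables.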
@ -1275,19 +1275,19 @@ Default value is 7.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
@ -1304,7 +1304,8 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
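Review bot: same reversal as for the feature-update policy, the quality-update "Added in" version moves from 1903 to 1709 and needs the same source reference. Since the line is being rewritten anyway, "Updates and restarts will occur regardless of active hours and the user will not be able to reschedule" reads better as "Updates and restarts occur regardless of active hours, and the user cannot reschedule them."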
@ -1345,19 +1346,19 @@ Default value is 7.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
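Review bot: the footnote change from 6 to 3 on the Pro, Business, Enterprise and Education rows needs the same legend check as the feature-update table (3 must mean version 1709); nothing else to flag in this hunk.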
@ -1374,7 +1375,9 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
Added in Windows 10, version 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
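Review bot: the "Added in" version changes to 1709 here as well and should be covered by the same source reference. The description says the grace period is "a minimum number of days", but the hunk context only shows "Default value is 2" with no unit; an admin reading the table alone cannot tell whether 2 means days or hours, so stating "Default value is 2 (days)" or similar would remove the ambiguity.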
@ -1415,19 +1418,19 @@ Default value is 2.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
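Review bot: footnote 6 to 3 on all four edition rows, same legend check as the other deadline-policy tables in this commit; verify the Home row above the hunk too.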
@ -1444,7 +1447,8 @@ Default value is 2.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
Added in Windows 10, version 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
<!--/Description-->
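Review bot: the "Added in" version drops to 1709, consistent with the other deadline policies in this commit. The unchanged second sentence, "When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline", is the part admins weigh when deciding how long patched-but-unrestarted devices wait; since Update/ConfigureDeadlineGracePeriod is described above as something that "may extend the effective deadline", it would help to link that policy here too, alongside the two deadline policies already linked.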

View File

@ -18,11 +18,14 @@ ms.topic: article
# Use VAMT in Windows PowerShell
The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
**To install PowerShell 3.0**
- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356).
**To install the Windows Assessment and Deployment Kit**
**To install the Windows Assessment and Deployment Kit**
- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
**To prepare the VAMT PowerShell environment**
**To prepare the VAMT PowerShell environment**
- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
**Important**
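Review bot: the blank lines added before the three bold labels fix the rendering (bold text directly after a list item was being pulled into the list), but these labels are headings in all but markup; making them `###` headings would also put them in the page TOC. While this block is being touched, "To install PowerShell 3.0" with its Windows 7 download link and the "Windows Server® 2012" reference are stale for a Windows 10 article and should be revised or marked as applying to older systems.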

View File

@ -25,7 +25,7 @@ ms.reviewer:
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
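Review bot: the in-page anchor `#hardware-readiness-tool` is replaced with the Download Center URL (id=53337); if the "Hardware readiness tool" section still exists further down this page, the in-page link was the more useful target and the section should at least be linked in addition. Please also search the doc set for other references to the old anchor so they are updated consistently.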

View File

@ -23,10 +23,8 @@ ms.reviewer:
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Azure AD joined device (Cloud and Hybrid deployments)
* Hybrid Azure AD joined (Hybrid deployments)
* Domain Joined (on-premises deployments)
* Windows 10, version 1709
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
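Review bot: collapsing the three join-type bullets into "Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)" loses information and implies a one-to-one mapping that the removed lines did not have: "Azure AD joined device" was listed for both Cloud and Hybrid deployments, whereas the new ordering pairs Azure AD with Cloud only. The first bullet, "Windows Hello for Business deployment (Hybrid or On-premises)", is also now inconsistent with a requirement that mentions Cloud deployments; either keep the three separate bullets or restate the mapping explicitly. "Windows 10, version 1709 or newer" is a good clarification.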

View File

@ -285,7 +285,7 @@ A TPM implements controls that meet the specification described by the Trusted C
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
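Review bot: replacing the fwlink with the direct docs.microsoft.com URL is the right move, but the link text still says "TPM requirements in Windows 10" while the target path is tpm/tpm-recommendations; confirm the target page title and align the link text with it so readers land where the text promises.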

View File

@ -315,8 +315,10 @@
###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Troubleshoot]()
###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
##### [Privacy](microsoft-defender-atp/mac-privacy.md)
##### [Resources](microsoft-defender-atp/mac-resources.md)
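Review bot: the parent node `##### [Troubleshoot]()` has an empty link target, which renders as a non-clickable group; that predates this change, but with two new children (mac-support-install.md and mac-support-license.md, both created in this commit) it is worth confirming the empty target is intentional. The order install, performance, kernel extension, license reads fine.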
@ -409,6 +411,7 @@
#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
##### [Shadow protection](windows-defender-antivirus/shadow-protection.md)
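Review bot: the new TOC entry points at windows-defender-antivirus/shadow-protection.md, which does not appear among the files shown in this commit; a TOC entry whose target is missing breaks the docs build, so verify the article is part of the same PR or is already in the target branch.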
@ -604,7 +607,7 @@
### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md)

Binary file not shown.


View File

@ -0,0 +1,54 @@
---
title: Troubleshoot installation issues for Microsoft Defender ATP for Mac
description: Troubleshoot installation issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, install
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot installation issues for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
## Installation failed
For manual installation, it is Summary page of the installation wizard that says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it would be exposed as a generic installation failure as well.
While we do not expose exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file, you can use `sed` to output the last installation session only:
```bash
$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted
preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1
```
In the example above the actual reason is prefixed with `[ERROR]`.
The installation failed because a downgrade between these versions is not supported.
## No MDATP's install log
In rare cases installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
You can verify that installation happened and analyze possible errors by querying macOS logs (this can be helpful in case of MDM deployment, when there is no client UI). It is recommended to have a narrow time window to query and filter by the logging process name, as there will be huge amount of information;
```bash
grep '^2020-03-11 13:08' /var/log/install.log
log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
```
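Review bot: the `$` prompt inside the first ```bash block will be copied along with the command; drop it (or separate the command from its sample output) so the `sed` one-liner is paste-able as written. The `log show` predicate `processImagePath CONTAINS[C] "install"` matches every process whose image path contains "install", not only the Defender installer, so the text should warn that unrelated installers will appear in the output and suggest narrowing the predicate or the time window further. Grammar in the same hunk: "it is Summary page" should be "it is the Summary page"; "Each installation session appends to this log file, you can use `sed`" is a comma splice; "## No MDATP's install log" reads better as "## No MDATP install log"; "there will be huge amount of information;" needs "a huge amount" and a period.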

View File

@ -0,0 +1,46 @@
---
title: Troubleshoot license issues for Microsoft Defender ATP for Mac
description: Troubleshoot license issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, performance
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot license issues for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
While you are going through [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error:
![Image of license error](images/no-license-found.png)
**Message:**
No license found
Looks like your organization does not have a license for Microsoft 365 Enterprise subscription.
Contact your administrator for help.
**Cause:**
You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package").
**Solution:**
Follow the WindowsDefenderATPOnboarding.py instructions documented here:
[Client configuration](mac-install-manually.md#client-configuration)
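Review bot: the Cause sentence states the opposite of what the Solution implies. "You deployed and/or installed the MDATP for macOS package ... but you might have run the configuration script" should read "but you might not have run the configuration script", since the fix is to run the WindowsDefenderATPOnboarding.py onboarding steps. Also the front matter `keywords: microsoft, defender, atp, mac, performance` is copied from the performance troubleshooting article and should say `license`.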

View File

@ -28,7 +28,7 @@ There are some minimum requirements for onboarding machines to the service. Lear
>[!TIP]
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
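Review bot: the rewritten bullet is missing a space after the colon in "Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community]" and now starts with the same words as the bullet above it ("Learn about the latest enhancements in Microsoft Defender ATP"), so two consecutive bullets read as duplicates; reword the second, for example "Join the discussion in the Microsoft Defender Advanced Threat Protection Tech Community".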
## Licensing requirements
@ -40,6 +40,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
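Review bot: the new Product terms link carries an `/en-us/` locale segment; docs links are normally locale-neutral (`https://www.microsoft.com/licensing/product-licensing/products`) so localized builds do not force English. The sentence itself is a useful addition.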

View File

@ -44,6 +44,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) <br> Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
@ -53,7 +54,7 @@ The following features are included in the preview release:
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
- [Machine health and compliance report](machine-reports.md) <br/> The machine health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
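Review bot: the line-break markup is now inconsistent within one list: `<BR>`, `<br>`, and the newly added `<br/>` all appear in adjacent items. Pick one form (the `<br>` used for the Linux entry above is fine) so the list renders and diffs consistently.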

View File

@ -20,7 +20,8 @@ ms.date: 04/19/2017
# Administer security policy settings
**Applies to**
- Windows 10
- Windows 10
This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
@ -30,90 +31,46 @@ Security settings policies are rules that you can configure on a device, or mult
Security settings can control:
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a users or groups actions in the event log.
- Membership in a group.
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a user's or group's actions in the event log.
- Membership in a group.
For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md).
To manage security configurations for multiple computers, you can use one of the following options:
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>Whats changed in how settings are administered?
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>What's changed in how settings are administered
Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Tool or feature</th>
<th align="left">Description and use</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="#bkmk-secpol" data-raw-source="[Security Policy snap-in](#bkmk-secpol)">Security Policy snap-in</a></p></td>
<td align="left"><p>Secpol.msc</p>
<p>MMC snap-in designed to manage only security policy settings.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-secedit" data-raw-source="[Security editor command line tool](#bkmk-secedit)">Security editor command line tool</a></p></td>
<td align="left"><p>Secedit.exe</p>
<p>Configures and analyzes system security by comparing your current configuration to specified security templates.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="#bkmk-scm" data-raw-source="[Security Compliance Manager](#bkmk-scm)">Security Compliance Manager</a></p></td>
<td align="left"><p>Tool download</p>
<p>A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-scw" data-raw-source="[Security Configuration Wizard](#bkmk-scw)">Security Configuration Wizard</a></p></td>
<td align="left"><p>Scw.exe</p>
<p>SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="#bkmk-scmtool" data-raw-source="[Security Configuration Manager tool](#bkmk-scmtool)">Security Configuration Manager tool</a></p></td>
<td align="left"><p>This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-grouppolicy" data-raw-source="[Group Policy](#bkmk-grouppolicy)">Group Policy</a></p></td>
<td align="left"><p>Gpmc.msc and Gpedit.msc</p>
<p>The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Software Restriction Policies</p>
<p>See <a href="https://technet.microsoft.com/library/hh994606.aspx" data-raw-source="[Administer Software Restriction Policies](https://technet.microsoft.com/library/hh994606.aspx)">Administer Software Restriction Policies</a>.</p></td>
<td align="left"><p>Gpedit.msc</p>
<p>Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.</p></td>
</tr>
<tr class="even">
<td align="left"><p>AppLocker</p>
<p>See <a href="/windows/device-security/applocker/administer-applocker" data-raw-source="[Administer AppLocker](/windows/device-security/applocker/administer-applocker)">Administer AppLocker</a>.</p></td>
<td align="left"><p>Gpedit.msc</p>
<p>Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.</p></td>
</tr>
</tbody>
</table>
|Tool or feature |Description and use |
|---------|---------|
|[Security Policy snap-in](#using-the-local-security-policy-snap-in)|Secpol.msc <br> MMC snap-in designed to manage only security policy settings.|
|[Security editor command line tool](#using-the-secedit-command-line-tool) |Secedit.exe <br> Configures and analyzes system security by comparing your current configuration to specified security templates.|
|[Security Compliance Manager](#using-the-security-compliance-manager)|Tool download <br> A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.|
|[Security Configuration Wizard](#using-the-security-configuration-wizard)|Scw.exe <br> SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.|
|[Security Configuration Manager tool](#working-with-the-security-configuration-manager)|This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.|
|[Group Policy](#working-with-group-policy-tools)|Gpmc.msc and Gpedit.msc <br> The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.|
|Software Restriction Policies <br> See [Administer Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc <br> Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.|
|Administer AppLocker <br> See [Administer AppLocker](/windows/device-security/applocker/administer-applocker)|Gpedit.msc <br> Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.|
## <a href="" id="bkmk-secpol"></a>Using the Local Security Policy snap-in
The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features:
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Network List Manager Policies
- Public Key Policies
- Software Restriction Policies
- Application Control Policies
- IP Security Policies on Local Computer
- Advanced Audit Policy Configuration
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Network List Manager Policies
- Public Key Policies
- Software Restriction Policies
- Application Control Policies
- IP Security Policies on Local Computer
- Advanced Audit Policy Configuration
Policies set locally might be overwritten if the computer is joined to the domain.
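Review bot: the AppLocker row regresses in the Markdown conversion: the tool-name cell now reads "Administer AppLocker <br> See [Administer AppLocker](...)", whereas the original HTML cell was "AppLocker" followed by the See link; restore "AppLocker" as the tool name. The table links were changed from `#bkmk-*` anchors to heading-derived ones (`#using-the-local-security-policy-snap-in`, `#working-with-group-policy-tools`, and so on); the sections below still carry the `<a id="bkmk-...">` anchors, so please verify every new anchor matches an actual heading in this article, in particular the Group Policy one, which is not visible in this diff. The heading loses its question mark ("What's changed in how settings are administered") while its `id` keeps the trailing hyphen from the old text; either is fine, but external links to the old id will keep working only as long as the id stays.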
@ -123,12 +80,12 @@ The Local Security Policy snap-in is part of the Security Configuration Manager
The secedit command-line tool works with security templates and provides six primary functions:
- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
- The **Analyze** parameter compares the servers security configuration with the selected template.
- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
- The **Export** parameter allows you to export the settings from a database into a security settings template.
- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
- The **Generate Rollback** parameter saves the servers current security settings into a security template so it can be used to restore most of the servers security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
- The **Analyze** parameter compares the server's security configuration with the selected template.
- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
- The **Export** parameter allows you to export the settings from a database into a security settings template.
- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
## <a href="" id="bkmk-scm"></a>Using the Security Compliance Manager
@ -136,10 +93,10 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
2. Read the relevant security baseline documentation that is included in this tool.
3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
1. Read the relevant security baseline documentation that is included in this tool.
1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
## <a href="" id="bkmk-scw"></a>Using the Security Configuration Wizard
@ -155,62 +112,36 @@ The following are considerations for using SCW:
- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles.
- All apps that use the IP protocol and ports must be running on the server when you run SCW.
- In some cases, you must be connected to the Internet to use the links in the SCW help.
> **Note** The SCW is available only on Windows Server and only applicable to server installations.
> [!NOTE]
> The SCW is available only on Windows Server and only applicable to server installations.
The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
- Create a security policy that can be applied to any server on your network.
- Edit an existing security policy.
- Apply an existing security policy.
- Roll back the last applied security policy.
- Create a security policy that can be applied to any server on your network.
- Edit an existing security policy.
- Apply an existing security policy.
- Roll back the last applied security policy.
The Security Policy Wizard configures services and network security based on the servers role, as well as configures auditing and registry settings.
The Security Policy Wizard configures services and network security based on the server's role, as well as configures auditing and registry settings.
For more information about SCW, including procedures, see [Security Configuration Wizard](https://technet.microsoft.com/library/cc754997.aspx).
For more information about SCW, including procedures, see [Security Configuration Wizard](https://docs.microsoft.com/previous-versions/orphan-topics/ws.11/cc754997(v=ws.11)).
## <a href="" id="bkmk-scmtool"></a>Working with the Security Configuration Manager
The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://technet.microsoft.com/library/cc758219(WS.10).aspx).
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc758219(v=ws.10)).
The following table lists the features of the Security Configuration Manager.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Security Configuration Manager tools</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="#bkmk-seccfgana" data-raw-source="[Security Configuration and Analysis](#bkmk-seccfgana)">Security Configuration and Analysis</a></p></td>
<td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-sectmpl" data-raw-source="[Security templates](#bkmk-sectmpl)">Security templates</a></p></td>
<td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="#bkmk-secextensions" data-raw-source="[Security Settings extension to Group Policy](#bkmk-secextensions)">Security Settings extension to Group Policy</a></p></td>
<td align="left"><p>Edits individual security settings on a domain, site, or organizational unit.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-localsecpol" data-raw-source="[Local Security Policy](#bkmk-localsecpol)">Local Security Policy</a></p></td>
<td align="left"><p>Edits individual security settings on your local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Secedit</p></td>
<td align="left"><p>Automates security configuration tasks at a command prompt.</p></td>
</tr>
</tbody>
</table>
|Security Configuration Manager tools |Description |
|---------|---------|
|[Security Configuration and Analysis](#security-configuration-and-analysis) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
|[Security templates](#security-templates) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
|[Security Settings extension to Group Policy](#security-settings-extension-to-group-policy) |Edits individual security settings on a domain, site, or organizational unit.|
|[Local Security Policy](#local-security-policy)|Edits individual security settings on your local computer.|
|Secedit |Automates security configuration tasks at a command prompt.|
### <a href="" id="bkmk-seccfgana"></a>Security Configuration and Analysis
Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security.
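Review bot: the first two rows of the converted table carry the identical description ("Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer."), so the Security Configuration and Analysis row is wrong; the section directly below describes that tool as "an MMC snap-in for analyzing and configuring local system security", and the table cell should say the same rather than repeat the Security templates text. Also, the link targets move from the `#bkmk-*` anchors to heading slugs such as `#security-configuration-and-analysis`, which depend on the renderer generating IDs from the heading text; the `<a href="" id="bkmk-...">` anchors left on the headings become dead weight once nothing links to them and could be dropped in the same pass.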
@ -238,19 +169,19 @@ To apply a security template to your local device, you can use Security Configur
Security templates can be used to define:
- Account Policies
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log: Application, system, and security Event Log settings
- Restricted Groups: Membership of security-sensitive groups
- System Services: Startup and permissions for system services
- Registry: Permissions for registry keys
- File System: Permissions for folders and files
- Account Policies
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log: Application, system, and security Event Log settings
- Restricted Groups: Membership of security-sensitive groups
- System Services: Startup and permissions for system services
- Registry: Permissions for registry keys
- File System: Permissions for folders and files
Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template.
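Review bot: the re-indented list should keep its two-level structure, because the content implies nesting: Password Policy, Account Lockout Policy and Kerberos Policy belong under Account Policies, and Audit Policy, User Rights Assignment and Security Options under Local Policies (the Security policy settings topic later in this commit lays the same hierarchy out). Please confirm that the sub-items are still indented under their parent bullets in the new version and not flattened to a single level.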
@ -260,15 +191,15 @@ Organizational units, domains, and sites are linked to Group Policy Objects. The
Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control:
- How users are authenticated to a network or device
- What resources users are authorized to use.
- Whether or not a user's or group's actions are recorded in the event log.
- Group membership.
- How users are authenticated to a network or device
- What resources users are authorized to use.
- Whether or not a user's or group's actions are recorded in the event log.
- Group membership.
You can change the security configuration on multiple computers in two ways:
- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
- Change a few select settings with security settings.
- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
- Change a few select settings with security settings.
### <a href="" id="bkmk-localsecpol"></a>Local Security Policy
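Review bot: the unchanged lead sentence "rules that are configured on a device or multiple device" needs "multiple devices"; since the list beneath it is being touched anyway, fix it in this hunk. The first bullet ("How users are authenticated to a network or device") is also the only item without a terminal period, while the other three end with one.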
@ -276,59 +207,61 @@ A security policy is a combination of security settings that affect the security
With the local security policy, you can control:
- Who accesses your device.
- What resources users are authorized to use on your device.
- Whether or not a users or group's actions are recorded in the event log.
- Who accesses your device.
- What resources users are authorized to use on your device.
- Whether or not a user's or group's actions are recorded in the event log.
If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence.
1. Organizational unit policy
2. Domain policy
3. Site policy
4. Local computer policy
1. Organizational unit policy
1. Domain policy
1. Site policy
1. Local computer policy
If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.
### Using the Security Configuration Manager
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about:
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784762(v=ws.10)). This section contains information in this topic about:
- [Applying security settings](#bkmk-applysecsettings)
- [Importing and exporting security templates](#bkmk-impexpsectmpl)
- [Analyzing security and viewing results](#bkmk-anasecviewresults)
- [Resolving security discrepancies](#bkmk-resolvesecdiffs)
- [Automating security configuration tasks](#bkmk-autoseccfgtasks)
- [Applying security settings](#applying-security-settings)
- [Importing and exporting security templates](#importing-and-exporting-security-templates)
- [Analyzing security and viewing results](#analyzing-security-and-viewing-results)
- [Resolving security discrepancies](#resolving-security-discrepancies)
- [Automating security configuration tasks](#automating-security-configuration-tasks)
### <a href="" id="bkmk-applysecsettings"></a>Applying security settings
Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object:
- When a device is restarted, the settings on that device will be refreshed.
- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
- When a device is restarted, the settings on that device will be refreshed.
- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
**Precedence of a policy when more than one policy is applied to a computer**
For security settings that are defined by more than one policy, the following order of precedence is observed:
1. Organizational Unit Policy
2. Domain Policy
3. Site Policy
4. Local computer Policy
1. Organizational Unit Policy
1. Domain Policy
1. Site Policy
1. Local computer Policy
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order.
> [!NOTE]
> Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
**Persistence in security settings**
Security settings may still persist even if a setting is no longer defined in the policy that originally applied it.
Persistence in security settings occurs when:
- The setting has not been previously defined for the device.
- The setting is for a registry object.
- The setting is for a file system object.
- The setting has not been previously defined for the device.
- The setting is for a registry object.
- The setting is for a file system object.
All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing."
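Review bot: the sentence "the settings applied from the Organizational Unit's policy will override / both the domain and local settings" is split across two source lines by a hard line break; join it so it renders as one paragraph. The same four-item precedence list (Organizational unit, Domain, Site, Local computer) now appears twice in this file, once under Local Security Policy and again under "Precedence of a policy when more than one policy is applied to a computer"; consider linking the first occurrence to the second instead of duplicating it. Replacing "1. 2. 3. 4." with repeated "1." is fine for Markdown auto-numbering, but it should be consistent with the other ordered lists in the file.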
@ -350,42 +283,14 @@ Security Configuration and Analysis performs security analysis by comparing the
Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Visual flag</th>
<th align="left">Meaning</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Red X</p></td>
<td align="left"><p>The entry is defined in the analysis database and on the system, but the security setting values do not match.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Green check mark</p></td>
<td align="left"><p>The entry is defined in the analysis database and on the system and the setting values match.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Question mark</p></td>
<td align="left"><p>The entry is not defined in the analysis database and, therefore, was not analyzed.</p>
<p>If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Exclamation point</p></td>
<td align="left"><p>This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>No highlight</p></td>
<td align="left"><p>The item is not defined in the analysis database or on the system.</p></td>
</tr>
</tbody>
</table>
|Visual flag |Meaning |
|---------|---------|
|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.|
|Green check mark |The entry is defined in the analysis database and on the system and the setting values match.|
|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed. <br> If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.|
|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.|
|No highlight |The item is not defined in the analysis database or on the system.|
If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.
To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template.
@ -394,11 +299,12 @@ To avoid continued flagging of settings that you have investigated and determine
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
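Review bot: in "Otherwise, when the Group Policy settings are applied, it will take precedence over local settings" the pronoun does not agree with "settings"; suggest "they will take precedence". Breaking the "In general, do not use Configure Computer Now" sentence into its own paragraph is a good readability change and should stay.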
### <a href="" id="bkmk-autoseccfgtasks"></a>Automating security configuration tasks
View File
@ -20,7 +20,8 @@ ms.date: 04/19/2017
# Security policy settings
**Applies to**
- Windows 10
- Windows 10
This reference topic describes the common scenarios, architecture, and processes for security settings.
@ -28,43 +29,43 @@ Security policy settings are rules that administrators configure on a computer o
Security settings can control:
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a users or groups actions in the event log.
- Membership in a group.
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a user's or group's actions in the event log.
- Membership in a group.
To manage security configurations for multiple devices, you can use one of the following options:
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security.
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security.
For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md).
The Security Settings extension of the Local Group Policy Editor includes the following types of security policies:
- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
- **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
- **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
- **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
- **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
- **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
- **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
- **Local Policies.** These policies apply to a computer and include the following types of policy settings:
- **Local Policies.** These policies apply to a computer and include the following types of policy settings:
- **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
>**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
- **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
- **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network.
- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings.
- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under
Local Policies.
> [!NOTE]
> For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
- **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network.
- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings.
- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.
## Policy-based security settings management
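Review bot: "These polices are defined on devices" in the Account Policies bullet still carries the "polices" typo in the new line; correct it to "policies". The User Rights Assignment bullet ("...logon rights or privileges on a device") is the only list item without a terminal period. Moving the Windows 7 note under Advanced Audit Policy Configuration, which is the setting it recommends, and joining the line that was broken after "Audit Policy settings under" are both correct fixes.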
@ -80,72 +81,72 @@ As part of your security strategy, you can create GPOs with security settings po
You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO.
Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the templates security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random
offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template's security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
> [!NOTE]
> These refresh settings vary between versions of the operating system and can be configured.
>**Note:**  These refresh settings vary between versions of the operating system and can be configured.
By using Group Policybased security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future.
### Dependencies on other operating system technologies
For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies:
- **Active Directory Domain Services (AD DS)**
- **Active Directory Domain Services (AD DS)**
The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
- **Group Policy**
- **Group Policy**
The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
- **Domain Name System (DNS)**
- **Domain Name System (DNS)**
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
- **Winlogon**
- **Winlogon**
A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.
A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.
- **Setup**
- **Setup**
Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server.
Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server.
- **Security Accounts Manager (SAM)**
- **Security Accounts Manager (SAM)**
A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
- **Local Security Authority (LSA)**
- **Local Security Authority (LSA)**
A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
- **Windows Management Instrumentation (WMI)**
- **Windows Management Instrumentation (WMI)**
A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
- **Resultant Set of Policy (RSoP)**
- **Resultant Set of Policy (RSoP)**
An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device.
An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device.
- **Service Control Manager (SCM)**
- **Service Control Manager (SCM)**
Used for configuration of service startup modes and security.
Used for configuration of service startup modes and security.
- **Registry**
- **Registry**
Used for configuration of registry values and security.
Used for configuration of registry values and security.
- **File system**
- **File system**
Used for configuration of security.
Used for configuration of security.
- **File system conversions**
- **File system conversions**
Security is set when an administrator converts a file system from FAT to NTFS.
Security is set when an administrator converts a file system from FAT to NTFS.
- **Microsoft Management Console (MMC)**
- **Microsoft Management Console (MMC)**
The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in.
The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in.
### Security settings policies and Group Policy
@ -153,25 +154,25 @@ The Security Settings extension of the Local Group Policy Editor is part of the
The following diagram shows Security Settings and related features.
**Security Settings Policies and Related Features**
#### Security Settings Policies and Related Features
![components related to security policies](images/secpol-components.gif)
- **Scesrv.dll**
- **Scesrv.dll**
Provides the core security engine functionality.
Provides the core security engine functionality.
- **Scecli.dll**
- **Scecli.dll**
Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
- **Wsecedit.dll**
- **Wsecedit.dll**
The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface.
The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface.
- **Gpedit.dll**
- **Gpedit.dll**
The Local Group Policy Editor MMC snap-in.
The Local Group Policy Editor MMC snap-in.
## <a href="" id="w2k3tr-gpssp-how-ebls"></a>Security Settings extension architecture
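Review bot: the figure caption "**Security Settings Policies and Related Features**" is promoted to a `####` heading here, but the two other figure captions later in the same file ("**Multiple GPOs and Merging of Security Policy**" and "**Security Settings Policy Processing**") stay as bold text, so the file ends up with two caption styles; either keep the bold caption here or apply the same heading treatment to the other two.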
@ -185,57 +186,56 @@ The security settings configuration and analysis tools include a security config
The following list describes these primary features of the security configuration engine and other Security Settingsrelated features.
- **scesrv.dll**
- **scesrv.dll**
This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation.
This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation.
Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.
Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.
Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not.
Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not.
Communication between parts of the Security Settings extension occurs by using the following methods:
Communication between parts of the Security Settings extension occurs by using the following methods:
- Component Object Model (COM) calls
- Local Remote Procedure Call (LRPC)
- Lightweight Directory Access Protocol (LDAP)
- Active Directory Service Interfaces (ADSI)
- Server Message Block (SMB)
- Win32 APIs
- Windows Management Instrumentation (WMI) calls
- Component Object Model (COM) calls
- Local Remote Procedure Call (LRPC)
- Lightweight Directory Access Protocol (LDAP)
- Active Directory Service Interfaces (ADSI)
- Server Message Block (SMB)
- Win32 APIs
- Windows Management Instrumentation (WMI) calls
On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs.
Scesrv.dll also performs configuration and analysis operations.
On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs.
Scesrv.dll also performs configuration and analysis operations.
- **Scecli.dll**
- **Scecli.dll**
This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files.
This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files.
The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll.
The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll.
Scecli.dll implements the client-side extension for Group Policy.
Scecli.dll implements the client-side extension for Group Policy.
Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device.
Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device.
Scecli.dll logs application of security policy into WMI (RSoP).
Scecli.dll logs application of security policy into WMI (RSoP).
Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA.
Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA.
- **Wsecedit.dll**
- **Wsecedit.dll**
The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO.
The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO.
- **Secedit.sdb**
- **Secedit.sdb**
This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes.
This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes.
- **User databases**
- **User databases**
A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security.
A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security.
- **.Inf Templates**
- **.Inf Templates**
These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into
the system database during policy propagation.
These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation.
## <a href="" id="w2k3tr-gpssp-how-hjxe"></a>Security settings policy processes and interactions
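Review bot: the sentence "Scesrv.dll also performs configuration and analysis operations." in the scesrv.dll entry repeats what the earlier line "Scesrv.dll performs configuration and analysis of various security-related system parameters..." already states; since the hunk is touching these lines anyway, consider dropping the duplicate sentence. The reflow of the ".Inf Templates" paragraph onto one line looks correct.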
@ -245,39 +245,39 @@ For a domain-joined device, where Group Policy is administered, security setting
When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence:
1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
- Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
- The location of the device in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
- Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
- The location of the device in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
5. The user presses CTRL+ALT+DEL to log on.
6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
1. The user presses CTRL+ALT+DEL to log on.
1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
- Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
- Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
- The location of the user in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
- Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
- Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
- The location of the user in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
9. Logon scripts run. Group Policybased logon scripts are hidden and asynchronous by default. The user object script runs last.
10. The operating system user interface that is prescribed by Group Policy appears.
1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
1. Logon scripts run. Group Policybased logon scripts are hidden and asynchronous by default. The user object script runs last.
1. The operating system user interface that is prescribed by Group Policy appears.
### Group Policy Objects storage
A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations:
- **Group Policy containers in Active Directory.**
- **Group Policy containers in Active Directory.**
The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.
The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.
- **Group Policy templates in a domains system volume folder (SYSVOL).**
- **Group Policy templates in a domain's system volume folder (SYSVOL).**
The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder.
The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the \<domain\>\\Policies subfolder.
The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO.
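Review bot: switching every step to "1." relies on markdown auto-numbering, and the nested bullet lists after "An ordered list of Group Policy Objects is obtained for the device" and "...is obtained for the user" must be indented as part of those steps, otherwise the numbering restarts at 1 after each bullet list (the old lines carried explicit numbers 1 to 10, so a restart would be a regression); indentation is not visible in this view, so check the rendered page. The "domain's" and "\<domain\>\\Policies" fixes are fine.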
@ -285,21 +285,21 @@ The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GP
Group Policy settings are processed in the following order:
1. **Local Group Policy Object.**
1. **Local Group Policy Object.**
Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.
Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.
2. **Site.**
1. **Site.**
Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.
Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.
3. **Domain.**
1. **Domain.**
Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
4. **Organizational units.**
1. **Organizational units.**
Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.
Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify.
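Review bot: the typo "speciy" in the Domain step ("in an order you speciy") is carried over unchanged into the new line; it should read "specify", matching "in an order that you specify" in the Site step and the paragraph below.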
@ -311,34 +311,34 @@ This is the default processing order and administrators can specify exceptions t
In the context of Group Policy processing, security settings policy is processed in the following order.
1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
1. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
1. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
1. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the "Group Policy processing order" section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.
This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.
**Multiple GPOs and Merging of Security Policy**
**Multiple GPOs and Merging of Security Policy**
![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif)
![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif)
5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
6. The security settings policies are applied to devices.
1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
1. The security settings policies are applied to devices.
The following figure illustrates the security settings policy processing.
**Security Settings Policy Processing**
![process and interactions of security policy settin](images/secpol-processes.gif)
![process and interactions of security policy settings](images/secpol-processes.gif)
### Merging of security policies on domain controllers
Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged:
- Network Security: Force logoff when logon hours expire
- Accounts: Administrator account status
- Accounts: Guest account status
- Accounts: Rename administrator account
- Accounts: Rename guest account
- Network Security: Force logoff when logon hours expire
- Accounts: Administrator account status
- Accounts: Guest account status
- Accounts: Rename administrator account
- Accounts: Rename guest account
Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO.
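Review bot: with the explicit "5." and "6." replaced by "1.", the two steps after the figure ("The resultant security policies are stored in secedit.sdb..." and "The security settings policies are applied to devices.") will render as a new list starting at 1 unless the example paragraph and the "multiple gpos and merging of security policy" image between them are indented as a continuation of step 4; please verify the rendered numbering runs 1 to 6. The alt-text correction "settin" to "settings" is good.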
@ -350,9 +350,9 @@ If an application is installed on a primary domain controller (PDC) with operati
After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances:
- When a device is restarted.
- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable.
- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed.
- When a device is restarted.
- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable.
- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed.
### Persistence of security settings policy
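Review bot: "By default, Security policy settings delivered by Group Policy..." capitalizes "Security" mid-sentence; since the rest of the file writes "security settings policies" in lowercase, lowercase "security" here unless a product or feature name is intended.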
@ -360,12 +360,12 @@ Security settings can persist even if a setting is no longer defined in the poli
Security settings might persist in the following cases:
- The setting has not been previously defined for the device.
- The setting is for a registry security object.
- The settings are for a file system security object.
- The setting has not been previously defined for the device.
- The setting is for a registry security object.
- The settings are for a file system security object.
All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
This behavior is sometimes referred to as “tattooing.”
All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
This behavior is sometimes referred to as "tattooing".
Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values.
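Review bot: the period was moved outside the closing quotation mark in 'This behavior is sometimes referred to as "tattooing".'; the original 'as "tattooing."' followed the US-English convention of placing the period inside the quotation marks, so unless the docs style guide calls for the British placement, keep the period inside.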
@ -377,8 +377,9 @@ Both Apply Group Policy and Read permissions are required to have the settings f
By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU.
**Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
> [!NOTE]
> Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
### Migration of GPOs containing security settings
In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings.
@ -387,12 +388,12 @@ Data for a single GPO is stored in multiple locations and in various formats; so
The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another.
- User rights assignment
- Restricted groups
- Services
- File system
- Registry
- The GPO DACL, if you choose to preserve it during a copy operation
- User rights assignment
- Restricted groups
- Services
- File system
- Registry
- The GPO DACL, if you choose to preserve it during a copy operation
To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs.
@ -400,6 +401,6 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
| Topic | Description |
| - | - |
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 02/05/2020
ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---

View File

@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
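Review bot: This hunk deletes `ms.date: 12/10/2018` outright instead of updating it; if the metadata schema for this doc set treats `ms.date` as required, the build will flag the missing key, and if it is optional the "last updated" indicator disappears from the rendered page. Prefer `ms.date: 03/12/2020`, as the neighbouring file in this merge does.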
@ -33,7 +32,7 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
This topic describes how to configure exclusion lists for the files and folders.
This article describes how to configure exclusion lists for the files and folders.
Exclusion | Examples | Exclusion list
---|---|---
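Review bot: Wording change "This topic" to "This article" is fine and matches current docs style; no further issues in this hunk.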
@ -90,21 +89,22 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions:
4. Double-click the **Path Exclusions** setting and add the exclusions.
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
6. Double-click the **Extension Exclusions** setting and add the exclusions:
6. Double-click the **Extension Exclusions** setting and add the exclusions.
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
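Review bot: Converting the numbered sub-steps under steps 4 and 6 to bullets loses the ordering the procedure depends on (Enabled must be set before **Show...** becomes available), and splitting the old third sub-step into two bullets now attaches "Enter **0** in the **Value** column" only to the file case, so a reader excluding folders no longer sees that the value column must also be `0`. Suggest keeping the nested numbered list, or at least ending the folder bullet with the same "Enter **0** in the **Value** column." sentence. Also, the trailing colon on "add the exclusions:" was the right punctuation for a sentence that introduces a list; the new full stop reads as if the list were unrelated.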
@ -116,13 +116,13 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
The format for the cmdlets is:
The format for the cmdlets is as follows:
```PowerShell
<cmdlet> -<exclusion list> "<item>"
```
The following are allowed as the \<cmdlet>:
The following are allowed as the `<cmdlet>`:
Configuration action | PowerShell cmdlet
---|---
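Review bot: Replacing the escaped `\<cmdlet>` with a backtick code span is correct and avoids the placeholder being parsed as HTML; the same treatment should be applied consistently to every other angle-bracket placeholder in the file (the `<item>` inside the fenced block is already fine).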
@ -130,7 +130,7 @@ Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
The following are allowed as the \<exclusion list>:
The following are allowed as the `<exclusion list>`:
Exclusion type | PowerShell parameter
---|---
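Review bot: Same fix as the `<cmdlet>` placeholder above, applied to `<exclusion list>`; consistent and correct.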
@ -168,6 +168,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
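Review bot: The new `<a id="wildcards"></a>` anchor should be matched against the links that point at this section; the heading already gets an auto-generated id, so the explicit anchor is only needed if an existing link uses `#wildcards`. If one does, fine; if not, the raw HTML is dead weight.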
@ -180,91 +181,21 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such
>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
<table>
<tr>
<th>Wildcard</th>
<th>Use in file name and file extension exclusions</th>
<th>Use in folder exclusions</th>
<th>Example use</th>
<th>Example matches</th>
</tr>
<tr>
<td><b>*</b> (asterisk)</td>
<td>Replaces any number of characters. <br />Only applies to files in the last folder defined in the argument. </td>
<td>Replaces a single folder. <br />Use multiple <b>*</b> with folder slashes <b>\</b> to indicate multiple, nested folders. </br>After matching the number of wild carded and named folders, all subfolders will also be included.</td>
<td>
<ol>
<li>C:\MyData\<b>*</b>.txt</li>
<li>C:\somepath\<b>*</b>\Data</li>
<li>C:\Serv\<b>*</b>\<b>*</b>\Backup
</ol>
</td>
<td>
<ol>
<li>C:\MyData\<b>notes</b>.txt</li>
<li>Any file in:
<ul>
<li>C:\somepath\<b>Archives</b>\Data and its subfolders</li>
<li>C:\somepath\<b>Authorized</b>\Data and its subfolders</li>
</ul>
<li>Any file in:
<ul>
<li>C:\Serv\<b>Primary</b>\<b>Denied</b>\Backup and its subfolders</li>
<li>C:\Serv\<b>Secondary</b>\<b>Allowed</b>\Backup and its subfolders</li>
</ul>
</ol>
</td>
</tr>
<tr>
<td>
<b>?</b> (question mark)
</td>
<td>
Replaces a single character. <br />
Only applies to files in the last folder defined in the argument.
</td>
<td>
Replaces a single character in a folder name. </br>
After matching the number of wild carded and named folders, all subfolders will also be included.
</td>
<td>
<ol>
<li>C:\MyData\my<b>?</b>.zip</li>
<li>C:\somepath\<b>?</b>\Data</li>
<li>C:\somepath\test0<b>?</b>\Data</li>
</ol>
</td>
<td>
<ol>
<li>C:\MyData\my<b>1</b>.zip</li>
<li>Any file in C:\somepath\<b>P</b>\Data and its subfolders</li>
<li>Any file in C:\somepath\test0<b>1</b>\Data and its subfolders</li>
</ol>
</td>
</tr>
<tr>
<td>Environment variables</td>
<td>The defined variable will be populated as a path when the exclusion is evaluated.</td>
<td>Same as file and extension use. </td>
<td>
<ol>
<li><b>%ALLUSERSPROFILE%</b>\CustomLogFiles</li>
</ol>
</td>
<td>
<ol>
<li><b>C:\ProgramData</b>\CustomLogFiles\Folder1\file1.txt</li>
</ol>
</td>
</tr>
</table>
|Wildcard |Examples |
|---------|---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument <b>c:\data\\\*\marked\date*.\*</b>.
>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
>
>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`.
>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
<a id="review"></a>
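Review bot: Two content errors slipped into the markdown conversion of the wildcard table. First, both the `*` and `?` rows now say "file name and file extension **inclusions**", whereas the HTML table they replace said "exclusions", which is what the whole article is about. Second, the `?` example lost its wildcard: `C:\MyData\my` would include `C:\MyData\my1.zip` should read `C:\MyData\my?.zip` would include `C:\MyData\my1.zip` (the `?.zip` was dropped, probably by an editor treating `?` specially). Minor: the `*` row wraps "and its subfolders" inside the code spans (`` `C:\somepath\Archives\Data and its subfolders` ``), which makes the prose look like part of the path; move it outside the backticks as the `?` row does. The change from `c:\data\*\marked\date*.*` to `c:\data\*\marked\date*` in the IMPORTANT note is fine since both express "files starting with date", but note it in the commit message since it alters a documented example.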
@ -361,7 +292,4 @@ You can also copy the string into a blank text file and attempt to save it with
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Handling false positives/negatives](antivirus-false-positives-negatives.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
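Review bot: This hunk drops the links to "Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation" and "Windows Defender Antivirus in Windows 10" while adding "Handling false positives/negatives" and moving the Windows Server link to the end. The false-positives link is a good addition for an exclusions article, but confirm that removing the overview-topic link is deliberate rather than a merge artefact, since every other article in this set links back to it.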

View File

@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 12/10/2018
ms.reviewer:
manager: dansimp
---
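Review bot: As in the sibling file, `ms.date` is removed rather than updated; apply the same treatment across the set (either keep and refresh the key, or remove it everywhere with the metadata owner's agreement), so the exclusions articles do not end up with inconsistent front matter.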

View File

@ -14,14 +14,13 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 08/17/2017
---
# Basic Firewall Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
- Windows 10
- Windows Server 2016
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
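Review bot: The `ms.date: 08/17/2017` line is deleted and the two "Applies to" bullets are rewritten with no visible textual change, so the bullet rows are whitespace-only edits. Same comment as elsewhere in this merge: refresh the date rather than removing it, and keep whitespace cleanup out of content hunks where possible.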
@ -31,19 +30,20 @@ Traffic can be blocked or permitted based on the characteristics of each network
Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization.
- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
>**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
> [!CAUTION]
> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.
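Review bot: The updated list of platforms with predefined rules ("Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7") adds Windows 10 and drops Windows Vista, but still omits Windows Server 2016, which the article's own "Applies to" block lists; add it (and Windows Server 2019 if the doc set covers it) so the list matches the stated scope. The switch from the bold `>**Caution:**` line to `> [!CAUTION]` alert syntax is correct. The remaining bullet rewrites are whitespace-only.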
@ -55,20 +55,22 @@ An organization typically uses this design as a first step toward a more compreh
After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
>**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
> [!IMPORTANT]
> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
For more information about this design:
- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
> [!div class="nextstepaction"]
> [Domain Isolation Policy Design](domain-isolation-policy-design.md)
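Review bot: Replacing the bold `**Next:**` label with the `> [!div class="nextstepaction"]` block and converting `>**Important:**` to `> [!IMPORTANT]` both follow the docs alert conventions used in the other firewall design articles; fine. The paired bullet rewrites in this hunk are whitespace-only, which inflates the hunk size; consider a separate formatting commit.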