diff --git a/browsers/internet-explorer/TOC.yml b/browsers/internet-explorer/TOC.yml index 077879a18d..2c6602e1de 100644 --- a/browsers/internet-explorer/TOC.yml +++ b/browsers/internet-explorer/TOC.yml @@ -356,6 +356,6 @@ - name: KB Troubleshoot items: - name: Internet Explorer and Microsoft Edge FAQ for IT Pros - href: kb-support/ie-edge-faqs.md + href: kb-support/ie-edge-faqs.yml - name: Microsoft Edge and Internet Explorer troubleshooting href: /troubleshoot/browsers/welcome-browsers diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md deleted file mode 100644 index 3e2d6c100e..0000000000 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: IE and Microsoft Edge FAQ for IT Pros -description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. -audience: ITPro -manager: msmets -author: ramakoni1 -ms.author: ramakoni -ms.reviewer: ramakoni, DEV_Triage -ms.prod: internet-explorer -ms.technology: -ms.topic: kb-support -ms.custom: CI=111020 -ms.localizationpriority: medium -ms.date: 01/23/2020 ---- -# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros - -## Cookie-related questions - -### What is a cookie? - -An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. - -### How does Internet Explorer handle cookies? - -For more information about how Internet Explorer handles cookies, see the following articles: - -- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) -- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) -- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) -- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) -- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) - -### Where does Internet Explorer store cookies? - -To see where Internet Explorer stores its cookies, follow these steps: - -1. Start File Explorer. -2. Select **Views** \> **Change folder and search options**. -3. In the **Folder Options** dialog box, select **View**. -4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. -5. Clear **Hide protected operation system files (Recommended)**. -6. Select **Apply**. -7. Select **OK**. - -The following are the folder locations where the cookies are stored: - -**In Windows 10** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCache - -**In Windows 8 and Windows 8.1** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies - -**In Windows 7** -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low - -### What is the per-domain cookie limit? - -Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. - -There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. - -The JavaScript limitation was updated to 10 KB from 4 KB. - -For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). - -#### Additional information about cookie limits - -**What does the Cookie RFC allow?** -RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: - -- At least 300 cookies total -- At least 20 cookies per unique host or domain name - -For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - -### Cookie size limit per domain - -Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. - -## Proxy Auto Configuration (PAC)-related questions - -### Is an example Proxy Auto Configuration (PAC) file available? - -Here is a simple PAC file: - -```vb -function FindProxyForURL(url, host) -{ - return "PROXY proxyserver:portnumber"; -} -``` - -> [!NOTE] -> The previous PAC always returns the **proxyserver:portnumber** proxy. - -For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). - -**Third-party information disclaimer** -The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. - -### How to improve performance by using PAC scripts - -- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) -- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) - -## Other questions - -### How to set home and start pages in Microsoft Edge and allow user editing - -For more information, see the following blog article: - -[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) - -### How to add sites to the Enterprise Mode (EMIE) site list - -For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). - -### What is Content Security Policy (CSP)? - -By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. - -Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. - -CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. - -For more information, see the following articles: - -- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) -- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) - -### Where to find Internet Explorer security zones registry entries - -Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). - -This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. - -The default Zone Keys are stored in the following locations: - -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones - -### Why don't HTML5 videos play in Internet Explorer 11? - -To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. - -- 0 (the default value): Allow -- 3: Disallow - -This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. - -For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). - -For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). - -For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) - -### What is the Enterprise Mode Site List Portal? - -This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -### What is Enterprise Mode Feature? - -For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). - -### Where can I obtain a list of HTTP Status codes? - -For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). - -### What is end of support for Internet Explorer 11? - -Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. - -For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). - -### How to configure TLS (SSL) for Internet Explorer - -For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). - -### What is Site to Zone? - -Site to Zone usually refers to one of the following: - -**Site to Zone Assignment List** -This is a Group Policy policy setting that can be used to add sites to the various security zones. - -The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: - -- Intranet zone -- Trusted Sites zone -- Internet zone -- Restricted Sites zone - -If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. - -**Site to Zone Mapping** -Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: - -- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap -- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey - -**Site to Zone Assignment List policy** -This policy setting is available for both Computer Configuration and User Configuration: - -- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page -- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page - -**References** -[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) - -### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? - -For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). - -### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? - -The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. - -For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). \ No newline at end of file diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml new file mode 100644 index 0000000000..50862d688d --- /dev/null +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -0,0 +1,245 @@ +### YamlMime:FAQ +metadata: + title: IE and Microsoft Edge FAQ for IT Pros + description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. + audience: ITPro + manager: msmets + author: ramakoni1 + ms.author: ramakoni + ms.reviewer: ramakoni, DEV_Triage + ms.prod: internet-explorer + ms.technology: + ms.topic: kb-support + ms.custom: CI=111020 + ms.localizationpriority: medium + ms.date: 01/23/2020 + +title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros +summary: | + +sections: + - name: Cookie-related questions + questions: + - question: | + What is a cookie? + answer: | + An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. + + - question: | + How does Internet Explorer handle cookies? + answer: | + For more information about how Internet Explorer handles cookies, see the following articles: + + - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) + - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) + - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) + - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) + - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) + + - question: | + Where does Internet Explorer store cookies? + answer: | + To see where Internet Explorer stores its cookies, follow these steps: + + 1. Start File Explorer. + 2. Select **Views** \> **Change folder and search options**. + 3. In the **Folder Options** dialog box, select **View**. + 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. + 5. Clear **Hide protected operation system files (Recommended)**. + 6. Select **Apply**. + 7. Select **OK**. + + The following are the folder locations where the cookies are stored: + + **In Windows 10** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCache + + **In Windows 8 and Windows 8.1** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies + + **In Windows 7** + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low + + - question: | + What is the per-domain cookie limit? + answer: | + Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. + + There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. + + The JavaScript limitation was updated to 10 KB from 4 KB. + + For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - name: Additional information about cookie limits + questions: + - question: | + What does the Cookie RFC allow? + answer: | + RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: + + - At least 300 cookies total + - At least 20 cookies per unique host or domain name + + For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. + + - question: | + Cookie size limit per domain + answer: | + Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. + + - name: Proxy Auto Configuration (PAC)-related questions + questions: + - question: | + Is an example Proxy Auto Configuration (PAC) file available? + answer: | + Here is a simple PAC file: + + ```vb + function FindProxyForURL(url, host) + { + return "PROXY proxyserver:portnumber"; + } + ``` + + > [!NOTE] + > The previous PAC always returns the **proxyserver:portnumber** proxy. + + For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). + + **Third-party information disclaimer** + The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + + - question: | + How to improve performance by using PAC scripts + answer: | + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance) + + - name: Other questions + questions: + - question: | + How to set home and start pages in Microsoft Edge and allow user editing + answer: | + For more information, see the following blog article: + + [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) + + - question: | + How to add sites to the Enterprise Mode (EMIE) site list + answer: | + For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). + + - question: | + What is Content Security Policy (CSP)? + answer: | + By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. + + Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. + + CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. + + For more information, see the following articles: + + - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) + - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) + + - question: | + Where to find Internet Explorer security zones registry entries + answer: | + Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). + + This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. + + The default Zone Keys are stored in the following locations: + + - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + + - question: | + Why don't HTML5 videos play in Internet Explorer 11? + answer: | + To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. + + - 0 (the default value): Allow + - 3: Disallow + + This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. + + For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). + + For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). + + For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) + + - question: | + What is the Enterprise Mode Site List Portal? + answer: | + This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + + - question: | + What is Enterprise Mode Feature? + answer: | + For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). + + - question: | + Where can I obtain a list of HTTP Status codes? + answer: | + For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). + + - question: | + What is end of support for Internet Explorer 11? + answer: | + Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. + + For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). + + - question: | + How to configure TLS (SSL) for Internet Explorer + answer: | + For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). + + - question: | + What is Site to Zone? + answer: | + Site to Zone usually refers to one of the following: + + **Site to Zone Assignment List** + This is a Group Policy policy setting that can be used to add sites to the various security zones. + + The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: + + - Intranet zone + - Trusted Sites zone + - Internet zone + - Restricted Sites zone + + If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. + + **Site to Zone Mapping** + Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: + + - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey + + **Site to Zone Assignment List policy** + This policy setting is available for both Computer Configuration and User Configuration: + + - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + + **References** + [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) + + - question: | + What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? + answer: | + For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). + + - question: | + What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? + answer: | + The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. + + For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..bf7cad50de 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -71,7 +71,7 @@ Additional lists: cross mark check mark4 - cross mark + check mark4 check mark4 check mark4 cross mark @@ -97,7 +97,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -123,7 +123,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -149,7 +149,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -201,7 +201,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -227,7 +227,7 @@ Additional lists: cross mark check mark3 - + check mark check mark check mark cross mark @@ -253,7 +253,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -305,7 +305,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -331,7 +331,7 @@ Additional lists: check mark3 check mark3 - + check mark3 check mark3 check mark3 check mark @@ -358,7 +358,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark1 @@ -384,7 +384,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -410,7 +410,7 @@ Additional lists: check mark3 check mark3 - + check mark3 check mark3 check mark3 check mark @@ -436,7 +436,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -462,7 +462,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -514,7 +514,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -540,7 +540,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -566,7 +566,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -592,7 +592,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -618,7 +618,7 @@ Additional lists: check mark check mark - + check mark check mark check mark cross mark @@ -644,7 +644,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -670,7 +670,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -722,7 +722,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -748,7 +748,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -774,7 +774,6 @@ Additional lists: check mark check mark - check mark check mark check mark @@ -802,7 +801,6 @@ Additional lists: check mark check mark - check mark check mark check mark @@ -829,7 +827,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -882,7 +880,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -934,7 +932,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -960,7 +958,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1012,7 +1010,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1037,9 +1035,9 @@ Additional lists: check mark -Only for mobile application management (MAM) +A + check mark check mark - check mark check mark check mark @@ -1065,10 +1063,9 @@ Additional lists: cross mark check mark - check mark check mark - cross mark + check mark cross mark @@ -1092,7 +1089,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1118,7 +1115,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1144,7 +1141,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1168,7 +1165,7 @@ Additional lists: Mobile - + cross mark check mark3 check mark3 check mark3 @@ -1196,10 +1193,10 @@ Additional lists: cross mark cross mark - cross mark cross mark - check mark (Provisioning only) + cross mark + check markB @@ -1248,7 +1245,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1274,7 +1271,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1300,7 +1297,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1378,7 +1375,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1404,7 +1401,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1482,7 +1479,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1534,7 +1531,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1560,7 +1557,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1586,7 +1583,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1638,7 +1635,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1664,7 +1661,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1688,12 +1685,12 @@ Additional lists: Mobile - check mark (Provisioning only) - check mark (Provisioning only) - - check mark (Provisioning only) - check mark (Provisioning only) - check mark (Provisioning only) + check markB + check markB + check markB + check markB + check markB + check markB @@ -1716,7 +1713,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1742,7 +1739,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1768,7 +1765,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1794,7 +1791,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1820,7 +1817,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1846,7 +1843,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1872,7 +1869,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1898,7 +1895,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1924,7 +1921,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1950,7 +1947,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1976,7 +1973,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2002,7 +1999,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2028,7 +2025,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -2159,7 +2156,7 @@ Additional lists: cross mark cross mark - + check mark check mark check mark cross mark @@ -2185,7 +2182,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2211,7 +2208,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2237,7 +2234,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2290,7 +2287,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2316,7 +2313,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2368,7 +2365,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2421,7 +2418,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2447,7 +2444,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2503,7 +2500,6 @@ Additional lists: check mark - @@ -2555,7 +2551,7 @@ The following list shows the CSPs supported in HoloLens devices: [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2627,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: +- A - Only for mobile application management (MAM). +- B - Provisioning only. - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. @@ -2635,5 +2633,6 @@ The following list shows the CSPs supported in HoloLens devices: - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 9 - Added in Windows 10 Team 2020 Update. +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2). + diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2c20894dcf..eeb53adf0b 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -94,11 +94,11 @@ The data type is integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe +- 0 = Unknown +- 1 = Low +- 2 = Moderate +- 4 = High +- 5 = Severe Supported operation is Get. @@ -171,17 +171,17 @@ The data type is integer. The following list shows the supported values: -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status ( Cleared) +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with noncritical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. @@ -542,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index a63f4dec92..7aa0520e15 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -10,7 +10,6 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/11/2020 --- # Defender DDF file @@ -757,6 +756,7 @@ The XML below is the current version for this CSP. + Scan diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9e1150cd20..775e72cacd 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -128,7 +128,7 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop. When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 60cff29616..78f0b5cb28 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). The following shows the EnterpriseDesktopAppManagement CSP in tree format. + ``` ./Device/Vendor/MSFT EnterpriseDesktopAppManagement @@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement --------UpgradeCode ------------Guid ``` + **./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. @@ -194,15 +196,15 @@ The following table describes the fields in the previous sample: The following table describes the fields in the previous sample: -| Name | Description | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| Name | Description | +|--------|-----------------------| +| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.** +**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** ```xml @@ -292,7 +294,8 @@ The following table describes the fields in the previous sample: -> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at . +> [!Note] +> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). @@ -401,7 +404,7 @@ The following table MsiInstallJob describes the schema elements. Command-line options to be used when calling MSIEXEC.exe -Timeout +TimeOut Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. @@ -550,21 +553,18 @@ Here's a list of references: ```xml - 4 - 1224 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall - - - Reversed-Domain-Name:com.microsoft.mdm.win32csp_install - int - informational - - 0 - + 4 + 1224 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall + + + Reversed-Domain-Name:com.microsoft.mdm.win32csp_install + int + informational + + 0 + ``` - - - diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 3463de078b..9f691cab8c 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report - [HealthStatusMismatchFlags](#healthstatusmismatchflags) \* TPM 2.0 only -** Reports if Bitlocker was enabled during initial boot. -*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\* Reports if BitLocker was enabled during initial boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. -**BitlockerStatus** (at boot time) -

When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

+**BitLockerStatus** (at boot time) +

When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

@@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled**

OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

@@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode**

Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

@@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio [Configuration service provider reference](configuration-service-provider-reference.md) - diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 234f5f9d6c..352dd76846 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -4521,7 +4521,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. @@ -5356,4 +5356,4 @@ ADMX Info: > [!NOTE] > These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d62b5b232d..1b75bd9a6b 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 60d4832fae..35190895c9 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -51,7 +51,7 @@ manager: dansimp Pro - cross mark + check mark6 Business @@ -115,7 +115,7 @@ The following list shows the supported values: Pro - cross mark + check mark6 Business @@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to Pro - cross mark + check mark6 Business diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a0b1076deb..0d4580ee4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 05/02/2021 ms.reviewer: manager: dansimp --- @@ -1045,9 +1045,7 @@ GP Info: -Valid values: -- 0 - disabled -- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. @@ -1243,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. @@ -2459,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2537,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2615,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2899,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3170,11 +3174,12 @@ User Account Control: Only elevate UIAccess applications that are installed in s This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- .\Program Files\, including subfolders +- .\Windows\system32\ +- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. +> [!NOTE] +> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -3242,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. @@ -3467,4 +3474,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a3d2099a3e..e55afed42c 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -719,7 +719,7 @@ ADMX Info: Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. @@ -740,4 +740,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 61558a2ca2..4d1e1393b7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -49,6 +49,9 @@ manager: dansimp
System/AllowTelemetry
+
+ System/AllowUpdateComplianceProcessing +
System/AllowUserToResetPhone
@@ -738,21 +741,15 @@ The following list shows the supported values for Windows 8.1: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. -The following list shows the supported values for Windows 10 version 1809 and older: +The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): +- 0 – **Off (Security)** This turns Windows diagnostic data off. + **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. +- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. -- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. - -Most restricted value is 0. - -The following list shows the supported values for Windows 10 version 19H1 and later: - -- **Diagnostic data off** - No Windows diagnostic data sent. -- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +Most restrictive value is 0. +
+ + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark6
Businesscheck mark6
Enterprisecheck mark6
Educationcheck mark6
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. + +If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. + +If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. + + + +ADMX Info: +- GP English name: *Allow Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP element: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 - Disabled. +- 16 - Enabled. + + + +
@@ -856,6 +924,7 @@ The following list shows the supported values:
+ **System/BootStartDriverInitialization** @@ -1614,13 +1683,13 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to (Enhanced) + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. -Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. +Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. @@ -1784,5 +1853,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. +- 10 - Available in Windows 10, version 21H1. - \ No newline at end of file + diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ff96d2c80a..9755457f60 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -61,9 +61,9 @@ SurfaceHub --------SleepTimeout --------AllowSessionResume --------AllowAutoProxyAuth +--------ProxyServers --------DisableSigninSuggestions --------DoNotShowMyMeetingsAndFiles -----ProxyServers ----Management --------GroupName --------GroupSid @@ -571,6 +571,11 @@ SurfaceHub

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. + +**Properties/ProxyServers** +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). + +

The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 89c8d33d45..094b56add7 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -17,7 +17,7 @@ ms.date: 02/23/2018 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] -> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. +> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. The following shows the Update configuration service provider in tree format. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 15c30be7f5..1fed240483 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +> [!NOTE] +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. + **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. @@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. -> [!NOTE] -> Currently only one web proxy server is supported. +> [!NOTE] +> Currently only one web proxy server is supported. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -1600,4 +1603,3 @@ Servers - diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4c034921b7..b7bccbb684 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **1**. +- The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy @@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager: - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **String** - - Value: **1** + - Data type: **Integer** + - Value: **8** 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. 7. In **Review + create**, review your settings, and then select **Create**. 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index e3accdee77..771a7648f8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -53,7 +53,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini +**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini** ``` [SetupConfig] @@ -62,7 +62,7 @@ Priority=Normal You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. -``` +```powershell #Parameters Param( [string] $PriorityValue = "Normal" @@ -91,6 +91,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without @@ -100,162 +101,164 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> [!NOTE] +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates The following sections provide the steps to manually deploy a feature update. ### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. -4. Save the search for future use. +4. Save the search for future use. -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. +### Step 2: Download the content for the feature updates +Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + The **Download Software Updates Wizard** opens. +3. On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. + > [!NOTE] + > The deployment package source location that you specify cannot be used by another software deployment package. - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + > [!IMPORTANT] + > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + > [!IMPORTANT] + > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: + > [!NOTE] + > The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + > [!NOTE] + > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. #### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. 4. On the **Home** tab, in the Content group, click **View Status**. -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + > [!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. + > [!NOTE] + > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + > [!WARNING] + > Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 6. On the Scheduling page, configure the following settings: - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + > [!NOTE] + > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + > [!IMPORTANT] + > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + > [!NOTE] + > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + > [!NOTE] + > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). + > [!NOTE] + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). ### Step 4: Monitor the deployment status + After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. \ No newline at end of file +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 1ae3f99648..fc45328c40 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 +In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features. + As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. @@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). \ No newline at end of file +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 34ef7cc00f..2664d3f9d8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file > [!NOTE] > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). +> [!NOTE] +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. @@ -456,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Media refresh completed!" -``` \ No newline at end of file +``` diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 4438c95e54..2e4ab4fd64 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. - diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index c4ce3579f9..01de3567bf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -40,7 +40,7 @@ Take the following steps to create a configuration profile that will set require 2. Add a setting for **Commercial ID** ) with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 692cfa0a09..9514d43951 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience ## Behaviorial changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. +In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. Additionally, you will see the following policy changes in an upcoming release of Windows 10: diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index eb89236d09..405b6710ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -69,9 +69,9 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external camera when my laptop is closed or docked? + - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | @@ -118,7 +118,7 @@ sections: Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | - Which is better or more secure: key trust or certificate trust? + Which is better or more secure, key trust or certificate trust? answer: | The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: - Required domain controllers diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cb9d870d46..789da743aa 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. - +The PIN for a virtual smart card can be changed by following these steps: +- Sign in with the old PIN or password. +- Press Ctrl+Alt+Del and choose **Change a password**. +- Select **Sign-in Options**. +- Select the virtual smart card icon. +- Enter and confirm the new PIN. ## Resolving issues ### TPM not provisioned @@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter ## See also -For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). \ No newline at end of file +For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml index 9965f322db..bcaa9d74d7 100644 --- a/windows/security/information-protection/TOC.yml +++ b/windows/security/information-protection/TOC.yml @@ -29,6 +29,8 @@ href: bitlocker\bitlocker-using-with-other-programs-faq.yml - name: "Prepare your organization for BitLocker: Planning and policies" href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: bitlocker\bitlocker-deployment-comparison.md - name: BitLocker basic deployment href: bitlocker\bitlocker-basic-deployment.md - name: "BitLocker: How to deploy on Windows Server 2012 and later" diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md new file mode 100644 index 0000000000..0fbc7f9f48 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -0,0 +1,65 @@ +--- +title: BitLocker deployment comparison (Windows 10) +description: This article shows the BitLocker deployment comparison chart. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: lovina-saldanha +ms.author: v-lsaldanha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 05/20/2021 +ms.custom: bitlocker +--- + +# BitLocker deployment comparison + +**Applies to** + +- Windows 10 + +This article depicts the BitLocker deployment comparison chart. + +## BitLocker deployment comparison chart + +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | +|---------|---------|---------|---------| +|**Requirements**|||| +|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | +|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|Minimum Windows 10 version |1909 | None | None | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|Cloud or on premises | Cloud | On premises | On premises | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | +|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | +|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/information-protection/bitlocker/images/yes-icon.png new file mode 100644 index 0000000000..bbae7d3052 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/yes-icon.png differ diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..62291e7f81 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or ## Create a WIP policy -1. Sign in to the Azure portal. +1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). -2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**. +2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. ![Open Client apps](images/create-app-protection-policy.png) @@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. -Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console @@ -497,8 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. -Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. +Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console @@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com ### IPv4 ranges -Starting with Windows 10, version 1703, this field is optional. - Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t supported. diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 10a7cb1c8c..5541fc0f63 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -| Account management events | Description | -|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 624 | A user account was created. | -| 627 | A user password was changed. | -| 628 | A user password was set. | -| 630 | A user account was deleted. | -| 631 | A global group was created. | -| 632 | A member was added to a global group. | -| 633 | A member was removed from a global group. | -| 634 | A global group was deleted. | -| 635 | A new local group was created. | -| 636 | A member was added to a local group. | -| 637 | A member was removed from a local group. | -| 638 | A local group was deleted. | -| 639 | A local group account was changed. | -| 641 | A global group account was changed. | -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | -| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | +| Account management events | Description | +| :-----------------------: | :---------- | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. | +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | +| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index f63ab02819..ec7a4064e5 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -166,13 +166,78 @@ The most common values: > Table 6. Kerberos ticket flags. -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9): | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | -| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | +| 0x0 | KDC\_ERR\_NONE | No error | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | +| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | +| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match | +| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | +| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | +| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | +| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use | +| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER | +| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT | +| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | +| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | +| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | +| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type that was used in TGT request. diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 39371c3da0..e2029f3c2c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 4f7f59f8ff..5a04348f87 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -26,9 +26,9 @@ The trend towards increasingly sophisticated malware behavior, highlighted by th Most ransomware infections start with: -* Email messages with attachments that try to install ransomware. +- Email messages with attachments that try to install ransomware. -* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. +- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. @@ -38,11 +38,11 @@ Ransomware is one of the most lucrative revenue channels for cybercriminals, so Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits. -* Spora drops ransomware copies in network shares. +- Spora drops ransomware copies in network shares. -* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. +- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. -* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. +- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. @@ -52,16 +52,26 @@ Ransomware like **Cerber** and **Locky** search for and encrypt specific file ty ## How to protect against ransomware - Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms. +Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms. -We recommend: +To provide the best protection against ransomware attacks, Microsoft recommends that you: -* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. +- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. -* Apply the latest updates to your operating systems and apps. +- Apply the latest updates to your operating systems and apps. -* Educate your employees so they can identify social engineering and spear-phishing attacks. +- Educate your employees so they can identify social engineering and spear-phishing attacks. -* [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. +- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. -For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +## Human-operated ransomware + +Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. + +Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. + +The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). + +See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index c77a91d3e5..ee887e168a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -12,4 +12,4 @@ - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - name: FAQ - href: faq-md-app-guard.md + href: faq-md-app-guard.yml diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index 0e4406aaa5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null @@ -1,210 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 05/12/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4-GB RAM? - -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? - -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. - -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml new file mode 100644 index 0000000000..03baa2d537 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -0,0 +1,246 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Microsoft Defender Application Guard (Windows 10) + description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. + ms.prod: m365-security + ms.mktglfcycl: manage + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: denisebmsft + ms.author: deniseb + ms.date: 06/16/2021 + ms.reviewer: + manager: dansimp + ms.custom: asr + ms.technology: mde + +title: Frequently asked questions - Microsoft Defender Application Guard +summary: | + **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. + + ## Frequently Asked Questions + +sections: + - name: Frequently Asked Questions + questions: + - question: | + Can I enable Application Guard on machines equipped with 4-GB RAM? + answer: | + We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. + + `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) + + - question: | + My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that? + answer: | + The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. + + To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + + - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - It must be a FQDN. A simple IP address will not work. + - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. + + - question: | + Can employees download documents from the Application Guard Edge session onto host devices? + answer: | + In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. + + In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. + + - question: | + Can employees copy and paste between the host device and the Application Guard Edge session? + answer: | + Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. + + - question: | + Why don't employees see their favorites in the Application Guard Edge session? + answer: | + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard). + + - question: | + Why aren’t employees able to see their extensions in the Application Guard Edge session? + answer: | + Make sure to enable the extensions policy on your Application Guard configuration. + + - question: | + How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? + answer: | + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + + - question: | + Which Input Method Editors (IME) in 19H1 are not supported? + answer: | + The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: + + - Vietnam Telex keyboard + - Vietnam number key-based keyboard + - Hindi phonetic keyboard + - Bangla phonetic keyboard + - Marathi phonetic keyboard + - Telugu phonetic keyboard + - Tamil phonetic keyboard + - Kannada phonetic keyboard + - Malayalam phonetic keyboard + - Gujarati phonetic keyboard + - Odia phonetic keyboard + - Punjabi phonetic keyboard + + - question: | + I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? + answer: | + This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + + - question: | + What is the WDAGUtilityAccount local account? + answer: | + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: + + **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** + + We recommend that you do not modify this account. + + - question: | + How do I trust a subdomain in my site list? + answer: | + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + + - question: | + Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? + answer: | + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + + - question: | + Is there a size limit to the domain lists that I need to configure? + answer: | + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + + - question: | + Why does my encryption driver break Microsoft Defender Application Guard? + answer: | + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why do the Network Isolation policies in Group Policy and CSP look different? + answer: | + There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. + + - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** + + - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** + + - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why did Application Guard stop working after I turned off hyperthreading? + answer: | + If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. + + - question: | + Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? + answer: | + Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. + + - question: | + Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? + answer: | + This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + + - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) + - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + ### First rule (DHCP Server) + - Program path: `%SystemRoot%\System32\svchost.exe` + + - Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + + - Protocol UDP + + - Port 67 + + ### Second rule (DHCP Client) + This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + + 1. Right-click on inbound rules, and then create a new rule. + + 2. Choose **custom rule**. + + 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. + + 4. Specify the following settings: + - Protocol Type: UDP + - Specific ports: 67 + - Remote port: any + + 5. Specify any IP addresses. + + 6. Allow the connection. + + 7. Specify to use all profiles. + + 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. + + 9. In the **Programs and services** tab, under the **Services** section, select **settings**. + + 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. + + - question: | + Why can I not launch Application Guard when Exploit Guard is enabled? + answer: | + There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. + + - question: | + How can I disable portions of ICS without breaking Application Guard? + answer: | + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + + 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. + + 2. Disable IpNat.sys from ICS load as follows:
+ `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` + + 3. Configure ICS (SharedAccess) to enabled as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` + + 4. (This is optional) Disable IPNAT as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` + + 5. Reboot the device. + + - question: | + Why doesn't the container fully load when device control policies are enabled? + answer: | + Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. + + Policy: Allow installation of devices that match any of the following device IDs: + + - `SCSI\DiskMsft____Virtual_Disk____` + - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` + - `VMS_VSF` + - `root\Vpcivsp` + - `root\VMBus` + - `vms_mp` + - `VMS_VSP` + - `ROOT\VKRNLINTVSP` + - `ROOT\VID` + - `root\storvsp` + - `vms_vsmp` + - `VMS_PP` + + Policy: Allow installation of devices using drivers that match these device setup classes + - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + +additionalContent: | + + ## See also + + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9c41f91b39..83850f5a21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices: |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | -|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index d20934b1f3..55c80b17f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -14,17 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/11/2021 ms.technology: mde --- # Access this computer from the network - security policy setting **Applies to** -- Windows 10 +- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. +> [!WARNING] +> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. + ## Reference The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). @@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. +- On failover clusters, make sure this right is granted to authenticated users. - This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. + ## Related topics [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 80ef49b096..1f9364ad64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+ +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index c97df0f805..6ac3422250 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,6 +26,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script** +> [!NOTE] +> These event IDs are not applicable on Windows Server Core edition. + ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | @@ -41,6 +44,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events @@ -109,7 +113,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs| +| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..c3a43bac96 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,6 +71,17 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | +The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported. + +| Rule option | Description | +|------------ | ----------- | +| 5 | Enabled: Inherit Default Policy | +| **6** | **Enabled: Unsigned System Integrity Policy** | +| 7 | Allowed: Debug Policy Augmented | +| **13** | **Enabled: Managed Installer** | +| **14** | **Enabled: Intelligent Security Graph Authorization** | +| **18** | **Disabled: Runtime FilePath Rule Protection** | + ## Windows Defender Application Control file rule levels File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. @@ -98,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > [!NOTE] -> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP. ## Example of file rule levels in use @@ -126,6 +138,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +> [!NOTE] +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. + ## More information about hashes ### Why does scan create four hash rules per XML file? diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index c1121baa73..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra |**Audit #**|**Enable command**|**Link**| |:-----|:-----|:-----| |**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| ## Example flow of debugging packet drops with filter origin @@ -168,4 +168,4 @@ For more information on how to debug drops caused by UWP default block filters, **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. \ No newline at end of file +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 417dd71e21..dc7c58f214 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -77,4 +77,16 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. -Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the Set Object Security tool? + +SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object, such as files, directories, registry keys, event logs, services, and SMB shares. For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value. + +Documentation for the Set Object Security tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). + +## What is the GPO to Policy Rules tool? + +Automate the conversion of GPO backups to Policy Analyzer .PolicyRules files and skip the GUI. GPO2PolicyRules is a command-line tool that is included with the Policy Analyzer download. + +Documentation for the GPO to PolicyRules tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index c56c65dac3..70725f4a9b 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management @@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf WDAG performance is improved with optimized document opening times: - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle. +- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. ### Windows Hello @@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.