From ada63f8164d2a638956393fe9d612259954528cf Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 18 Jun 2020 14:27:46 -0700 Subject: [PATCH 001/137] Acrolinx spelling: "sesnsitive" and "ogranization" --- windows/security/information-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 84ea720232..e72f8d6c68 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -1,6 +1,6 @@ --- title: Information protection (Windows 10) -description: Learn more about how to protect sesnsitive data across your ogranization. +description: Learn more about how to protect sensitive data across your organization. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library From 3b16e01e520aabec17ad05ef3aebce755dc90e2d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 5 Mar 2021 12:04:09 -0800 Subject: [PATCH 002/137] pencil edit --- .../threat-protection/microsoft-defender-atp/machine-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 1370c628f9..1826c31d95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md 
@@ -1,6 +1,6 @@ --- title: Create and manage device groups in Microsoft Defender ATP -description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group +description: Create device groups and set automated remediation levels on them by confirming the rules that apply on the group keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 From d0b796a849b273ba7018052b64bae1572d11d1a3 Mon Sep 17 00:00:00 2001 From: Thomas G Date: Wed, 17 Mar 2021 10:55:08 +0100 Subject: [PATCH 003/137] Adding all Failure Code for event 4771 according to RFC 4120 Adding all error codes for event 4771 according to RFC 4120 https://tools.ietf.org/html/rfc4120#section-7.5.9 --- .../threat-protection/auditing/event-4771.md | 73 ++++++++++++++++++- 1 file changed, 69 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 840d05eefb..1da05686b7 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md 
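Review bot: the replacement word in the `description:` line of machine-groups.md changes the meaning instead of fixing the typo; "confiring" is almost certainly a slip for "configuring", since device groups are built by configuring membership rules and a remediation level, not by confirming anything. Suggest `description: Create device groups and set automated remediation levels on them by configuring the rules that apply on the group`.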
@@ -166,13 +166,78 @@ The most common values: > Table 6. Kerberos ticket flags. -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the error codes for this event as defined in [RFC 4120](https://tools.ietf.org/html/rfc4120#section-7.5.9): | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | -| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | -| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | +| 0x00 | KDC\_ERR\_NONE | No error | +| 0x01 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | +| 0x02 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x03 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x04 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x05 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x06 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x07 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x08 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x09 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0x0A | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0x0B | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0x0C | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0x0D | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0x0E | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0x0F | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. 
This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). +| 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid; try again later | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid; try again later | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1C | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | +| 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket isn't for us | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | Ticket and authenticator don't match | +| 0x25 | KRB\_AP\_ERR\_SKEW | Clock skew too great | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Incorrect net address | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2C | 
KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | +| 0x3C | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3E | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3F | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | +| 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | Reserved for PKINIT | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT available to validate USER-TO-USER | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Reserved for future use | +| 0x45 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | Ticket must be for USER-TO-USER | +| 0x46 | KDC\_ERR\_CANT\_VERIFY\_CERTIFICATE | Reserved for PKINIT | +| 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | +| 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | +| 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | +| 0x4A | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4B | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4C | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in 
TGT request. From a7e6af7ebe8ae09198fef13df68536867f3ec518 Mon Sep 17 00:00:00 2001 From: Thomas G Date: Wed, 17 Mar 2021 12:28:09 +0100 Subject: [PATCH 004/137] fix codes to lowercase --- .../threat-protection/auditing/event-4771.md | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 1da05686b7..8aba6b4428 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md 
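Review bot: the rows added to the Failure Code table in event-4771.md do not match the four-column header (`| Code | Code Name | Description | Possible causes |`): most new rows carry only three cells, while the 0x10, 0x17 and 0x18 rows keep a fourth cell but lose the closing pipe, so the Possible causes column will render unevenly. Either terminate every row with an empty fourth cell (`| 0x00 | KDC\_ERR\_NONE | No error | |`) or drop the column. Two content points as well. The entries 0x3E through 0x4C copy RFC 4120's placeholder "Reserved for PKINIT", which tells an analyst nothing; on an auditing page these are the certificate and smart card logon failures (client certificate not trusted, certificate revoked, revocation status unavailable, name mismatch), and the Code Name column already says which, so a one-line description per row would be more useful than the placeholder. And the KRB_AP_ERR_* codes (0x1F to 0x33) belong to the AP exchange between client and service, not to the KDC pre-authentication check that 4771 records, so introducing the table as "the list of the error codes for this event" implies they can appear in a 4771 when they will not; either keep only the KDC_ERR_* and KRB_ERR_* codes or reword the sentence to say this is the full RFC 4120 list, of which only a subset is emitted by this event.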
@@ -170,22 +170,22 @@ The most common values: | Code | Code Name | Description | Possible causes | |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x00 | KDC\_ERR\_NONE | No error | -| 0x01 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | -| 0x02 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | -| 0x03 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | -| 0x04 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | -| 0x05 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | -| 0x06 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | -| 0x07 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | -| 0x08 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | -| 0x09 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | -| 0x0A | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | -| 0x0B | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | -| 0x0C | KDC\_ERR\_POLICY | KDC policy rejects request | -| 0x0D | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | -| 0x0E | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | -| 0x0F | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | +| 0x0 | KDC\_ERR\_NONE | No error | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in database has expired | 
+| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in database has expired | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested protocol version number not supported | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in database | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key | +| 0xa | KDC\_ERR\_CANNOT\_POSTDATE | Ticket not eligible for postdating | +| 0xb | KDC\_ERR\_NEVER\_VALID | Requested starttime is later than end time | +| 0xc | KDC\_ERR\_POLICY | KDC policy rejects request | +| 0xd | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | +| 0xe | KDC\_ERR\_ETYPE\_NOSUPP | KDC has no support for encryption type | +| 0xf | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | | 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | 0x11 | KDC\_ERR\_TRTYPE\_NOSUPP | KDC has no support for transited type | | 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | @@ -196,11 +196,11 @@ The most common values: | 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset |The user’s password has expired. | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid |The wrong password was provided. | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | -| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | -| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | -| 0x1C | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | -| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | -| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | +| 0x1a | KDC\_ERR\_SERVER\_NOMATCH | Requested server and ticket don't match | +| 0x1b | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | +| 0x1c | KDC\_ERR\_PATH\_NOT\_ACCEPTED | KDC Policy rejects transited path | +| 0x1d | KDC\_ERR\_SVC\_UNAVAILABLE | A service is not available | +| 0x1f | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | Ticket expired | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | Ticket not yet valid | | 0x22 | KRB\_AP\_ERR\_REPEAT | Request is a replay | 
@@ -211,20 +211,20 @@ The most common values: | 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version mismatch | | 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Invalid msg type | | 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified | -| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order | -| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | -| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | -| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | -| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | +| 0x2a | KRB\_AP\_ERR\_BADORDER | Message out of order | +| 0x2c | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | +| 0x2d | KRB\_AP\_ERR\_NOKEY | Service key not available | +| 0x2e | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | +| 0x2f | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | | 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | | 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Policy rejects transited path | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Response too big for UDP; retry with TCP | -| 0x3C | KRB\_ERR\_GENERIC | Generic error (description in e-text) | -| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | -| 0x3E | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | -| 0x3F | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3c | KRB\_ERR\_GENERIC | Generic error (description in e-text) | +| 0x3d | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | +| 0x3e | KDC\_ERROR\_CLIENT\_NOT\_TRUSTED | Reserved for PKINIT | +| 0x3f | KDC\_ERROR\_KDC\_NOT\_TRUSTED | Reserved for PKINIT | | 0x40 | KDC\_ERROR\_INVALID\_SIG | Reserved for PKINIT | | 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | Reserved for PKINIT | | 0x42 | KDC\_ERR\_CERTIFICATE\_MISMATCH | 
Reserved for PKINIT | @@ -235,9 +235,9 @@ The most common values: | 0x47 | KDC\_ERR\_INVALID\_CERTIFICATE | Reserved for PKINIT | | 0x48 | KDC\_ERR\_REVOKED\_CERTIFICATE | Reserved for PKINIT | | 0x49 | KDC\_ERR\_REVOCATION\_STATUS\_UNKNOWN | Reserved for PKINIT | -| 0x4A | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | -| 0x4B | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | -| 0x4C | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4a | KDC\_ERR\_REVOCATION\_STATUS\_UNAVAILABLE | Reserved for PKINIT | +| 0x4b | KDC\_ERR\_CLIENT\_NAME\_MISMATCH | Reserved for PKINIT | +| 0x4c | KDC\_ERR\_KDC\_NAME\_MISMATCH | Reserved for PKINIT | - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request. From 49cedb0a06c9837193c4f06b29c933de594434a2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:16:50 +0500 Subject: [PATCH 005/137] Device Health Monitoring Device health monitoring is also available in Windows 10 Pro version 1903 and later https://docs.microsoft.com/en-us/mem/analytics/troubleshoot#bkmk_2016281112 https://docs.microsoft.com/en-us/mem/intune/configuration/windows-health-monitoring Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9339 --- .../mdm/policy-csp-devicehealthmonitoring.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 60d4832fae..35190895c9 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -51,7 +51,7 @@ manager: dansimp Pro - cross mark + check mark6 Business 
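Review bot: the lowercase hunks in event-4771.md leave the hex widths inconsistent: the new rows now read `0x0`, `0xa`, `0x1f`, while the pre-existing rows keep the two-digit form `0x10`, `0x17`, `0x18`, and nothing in the commit says which form the event's Status field actually renders. Pick the form that matches the rendered event, since that is what analysts paste into searches, and apply it to every row, including the existing ones; if the event really renders unpadded lowercase, say so in the intro sentence so that SIEM rule authors know to match case-insensitively and without zero padding. The mismatch between the four-column header and the three-cell rows from the previous commit is still present in these hunks.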
@@ -115,7 +115,7 @@ The following list shows the supported values: Pro - cross mark + check mark6 Business @@ -178,7 +178,7 @@ IT Pros do not need to set this policy. Instead, Microsoft Intune is expected to Pro - cross mark + check mark6 Business From ca3dc27a1b80d596826273116d3749b0d5851647 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 13 Apr 2021 12:21:46 +0500 Subject: [PATCH 006/137] IPv4 is not optional For WIP, IPv4 is not optional, but mandatory to be configured. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9208 --- .../create-wip-policy-using-intune-azure.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..ca584f750a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -507,8 +507,6 @@ contoso.internalproxy1.com;contoso.internalproxy2.com ### IPv4 ranges -Starting with Windows 10, version 1703, this field is optional. - Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. Classless Inter-Domain Routing (CIDR) notation isn’t supported. From 333ab5ae96ccc53e7f0a1aed91e4f9b17ab0e13a Mon Sep 17 00:00:00 2001 
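Review bot: the three `check mark6` edits in policy-csp-devicehealthmonitoring.md depend on footnote 6 being defined in that file's footnotes list, and the hunks do not show it; the commit message gives the supporting version (Windows 10 Pro, 1903 and later), so please confirm the list reads `6 - Available in Windows 10, version 1903` (the other policy CSP page touched in this series, policy-csp-localpoliciessecurityoptions.md, shows footnotes 7 and 8 mapping to 1909 and 2004, so 6 should be 1903). All three hunks change only the Pro row; if the Business row is meant to stay a cross mark, it is worth saying so in the commit, because the commit message only covers Pro.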
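Review bot: the IPv4 ranges hunk in create-wip-policy-using-intune-azure.md removes the sentence saying the field is optional but puts nothing in its place, so the section no longer states whether the field is required at all, which is the whole point of the commit. Add a line under `### IPv4 ranges` such as `This field is required.`, and check whether any other part of the page (for example the summary of network boundary fields) still describes IPv4 ranges as optional since version 1703, as that statement would now contradict this change.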
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 29 Apr 2021 00:06:31 +0500 Subject: [PATCH 007/137] addition of note The event Ids mentioned in this document don't apply to the windows server core edition. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9429 --- .../event-id-explanations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b464707f61..369f4d7f3a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,6 +26,9 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script +> [!Note] +> These event IDs are not applicable on Windows Server Core edition. + ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | From 45106d15403cb0e2cd96913da916fb61a11d089e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 29 Apr 2021 17:50:40 +0500 Subject: [PATCH 008/137] Update windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 369f4d7f3a..423f952e38 100644 
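Review bot: the `> [!Note]` added to event-id-explanations.md is ambiguous about scope: placed directly after the bullet about 80xx AppLocker events, it reads as if only those IDs are excluded, while the commit message says none of the event IDs on the page apply to Server Core. Move the note above the bullet list or say explicitly "None of the event IDs on this page are logged on Windows Server Core", and state whether that is because the CodeIntegrity and AppLocker logs are absent on Server Core or because the events are logged under different IDs, since someone building detections needs to know which. The alert syntax is also `[!NOTE]` in uppercase (the follow-up commit corrects it).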
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -26,7 +26,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind - Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script -> [!Note] +> [!NOTE] > These event IDs are not applicable on Windows Server Core edition. ## Microsoft Windows CodeIntegrity Operational log event IDs From 826fe872bf33019548a281c472378d2dd0f9d689 Mon Sep 17 00:00:00 2001 From: Rittwika Rudra <33437129+RittwikaR@users.noreply.github.com> Date: Fri, 30 Apr 2021 13:46:12 -0700 Subject: [PATCH 009/137] Non administrator settings page update --- windows/deployment/update/fod-and-lang-packs.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 1ae3f99648..193b4d95ad 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md 
@@ -18,6 +18,8 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 +As of Windows 10 version 21H2, we are enabling non-Administrator user accounts to add both a display language and its corresponding language features. + As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. @@ -28,4 +30,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. -Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). \ No newline at end of file +Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). From 9fafb9767beb886fb7b0a0deb612308337d60f02 Mon Sep 17 00:00:00 2001 
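Review bot: the sentence added at the top of fod-and-lang-packs.md reads as a product announcement ("we are enabling ...") and is not connected to the rest of the page, which is about where FOD and language pack content is sourced from when WSUS cannot host it. Rephrase it in the page's voice ("Starting with Windows 10, version 21H2, standard (non-administrator) users can add a display language and its language features") and say how it relates to the `Specify settings for optional component installation and component repair` policy, that is, whether content added by a non-administrator is still fetched from the alternate location that policy configures or always from Windows Update; without that, an admin cannot tell whether the network location setting still applies. The `\ No newline at end of file` fix is fine.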
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 3 May 2021 09:30:34 +0500 Subject: [PATCH 010/137] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a0b1076deb..8d384e1020 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 05/02/2021 ms.reviewer: manager: dansimp --- @@ -1045,9 +1045,7 @@ GP Info: -Valid values: -- 0 - disabled -- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) +Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. @@ -3467,4 +3465,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 4e0b331d0c6b08c0b875d9319a8b0ece7b85f668 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 4 May 2021 16:11:39 +0500 Subject: [PATCH 011/137] Update windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
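Review bot: the `Valid values` hunk in policy-csp-localpoliciessecurityoptions.md changes the documented values from a 0/1 enum to an integer range of seconds (0 to 599940), which is the right fix, but the surrounding property description (data type, default value and the Group Policy mapping under `GP Info:`) is not in the hunk; check that the data type is stated as an integer rather than a boolean and that a default is listed, otherwise the page still implies a two-state switch. It would also help to say that 599940 is the upper bound accepted by the Group Policy editor for the same setting, so readers know the limit is not specific to the CSP. The footnote hunk at the end is a whitespace-only change.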
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8d384e1020..8beeba2c2e 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1045,7 +1045,7 @@ GP Info: -Valid values: from 0 to 599940, where the value is the amount of inactivity time (in seconds), after which the session will be locked. If it is set to zero (0), the setting is disabled. +Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it is set to zero (0), the setting is disabled. From 33813715be906532b5f00daea8b0c148288b4955 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Wed, 5 May 2021 18:16:11 -0400 Subject: [PATCH 012/137] Document ProxyServers property --- windows/client-management/mdm/surfacehub-csp.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ff96d2c80a..745f408e3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -61,9 +61,9 @@ SurfaceHub --------SleepTimeout --------AllowSessionResume --------AllowAutoProxyAuth +--------ProxyServers --------DisableSigninSuggestions --------DoNotShowMyMeetingsAndFiles -----ProxyServers ----Management --------GroupName --------GroupSid @@ -571,6 +571,11 @@ SurfaceHub

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.

The data type is boolean. Supported operation is Get and Replace. + +**Properties/ProxyServers** +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). + +

The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. From 50e97e88a9b9bf5347ffa18cdaceeefd05ac04a5 Mon Sep 17 00:00:00 2001 From: Dan Pandre <54847950+DanPandre@users.noreply.github.com> Date: Fri, 7 May 2021 09:25:49 -0400 Subject: [PATCH 013/137] Removed locale from links --- windows/client-management/mdm/surfacehub-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 745f408e3b..9755457f60 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -573,7 +573,7 @@ SurfaceHub
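Review bot: two things in the surfacehub-csp.md ProxyServers hunks. First, the node tree hunk moves `ProxyServers` from the root (`----ProxyServers`) to under `Properties`, and the description hunk documents it as `Properties/ProxyServers`; confirm the node really lives under `Properties` in the CSP's OMA-URI path, because if the old tree entry was correct the new documentation points at a path that does not exist. Second, the description should spell out the security consequence: every FQDN in this list receives the device account's credentials before any user signs in, so the text should tell the admin to list only proxies they control, say whether a non-FQDN host name or a name with a port suffix is accepted, and state plainly that the list has no effect unless `AllowAutoProxyAuth` is true rather than leaving that as a parenthetical. Minor: "semi-colon separated" should be "semicolon-separated", and "e.g." should be spelled out as "for example" to match the surrounding pages.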

The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +

Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://).

The data type is string. Supported operation is Get and Replace. From f8c73443282198524fa19649560e103b2e301e40 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 19 May 2021 14:01:42 +0530 Subject: [PATCH 014/137] Create bitlocker-deployment-comparison.md created new topic per task 5120578 --- .../bitlocker-deployment-comparison.md | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md new file mode 100644 index 0000000000..9918e7eea1 --- /dev/null +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
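Review bot: the commit message of PATCH 013 ("Removed locale from links") does not describe the visible change in the surfacehub-csp.md hunk, which contains no link and only drops a stray trailing "+" from the ProxyServers paragraph; either reword the message to say that it removes a leftover patch marker, or include the link change it refers to.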
@@ -0,0 +1,91 @@ +--- +title: BitLocker deployment comparison (Windows 10) +description: This article for the IT professional explains how +BitLocker features can be used to protect your data through drive +encryption. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: v-lsaldanha +ms.author: lovina-saldanha +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/28/2019 +ms.custom: bitlocker +--- + +# Bitlocker deployment comparison + +**Applies to** + +- Windows 10 + +This article for the IT professional explains how BitLocker +features can be used to protect your data through drive encryption. + +## Bitlocker deployment comparison chart + + + +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +|---------|---------|---------|---------| +|**Requirements**|||| +|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | +|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | +|Minimum Windows 10 version |1909** | None | None | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | +|Cloud or on premises | Cloud | On premises | On premises | +|Server components required? | | | | +|Additional agent required? 
| No (device enrollment only) | Configuration Manager client | MBAM client | +|Administrative plane | Microsoft Endpoint Manager +admin center | Configuration Manager console | Group Policy Management Console +and MBAM sites | +|Administrative portal installation required | | | | +|Compliance reporting capabilities | | | | +|Force encryption | | | | +|Encryption for storage cards (mobile) | | | | +|Allow recovery password | | | | +|Manage startup authentication | | | | +|Select cipher strength and algorithms for fixed +drives | | | | +|Select cipher strength and algorithms for +removable drives | | | | +|Select cipher strength and algorithms for operating +environment drives | | | | +|Standard recovery password storage location | Azure AD or +Active Directory | Configuration Manager site database | MBAM database | +|Store recovery password for operating system and +fixed drives to Azure AD or Active Directory | Yes (Active Directory and +Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Customize preboot message and recovery link | | | | +|Allow/deny key file creation | | | | +|Deny Write permission to unprotected drives | | | | +|Can be administered outside company network | | | | +|Support for organization unique IDs | | | | +|Self-service recovery | Yes (through Azure AD or +Company Portal app) | | | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | | | +|Allow or deny Data Recovery Agent | | | | +|Unlock a volume using certificate with custom object identifier | | | | +|Prevent memory overwrite on restart | | | | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | +|Manage auto-unlock functionality | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | +|Row6 | | | 
| +|Row7 | | | | +|Row6 | | | | +|Row7 | | | | + From cc7ad8b42c92e4f747d51b9cfb1ba2550762ae6f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 14:04:36 +0530 Subject: [PATCH 015/137] new-img-5120578 Added newly per 5120578 task --- .../bitlocker/images/dot.png | Bin 0 -> 674 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png new file mode 100644 index 0000000000000000000000000000000000000000..8dc160da790bb40082cb31ae078125c8dd9bcb14 GIT binary patch literal 674 From 42430085302dd9383967037dedde47ecaffa4fb4 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Wed, 19 May 2021 16:02:43 +0530 Subject: [PATCH 016/137] new-image-5120578 added new image per 5120578 --- .../bitlocker/images/dot1.png | Bin 0 -> 739 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot1.png
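Review bot: the new bitlocker-deployment-comparison.md in PATCH 014 is not ready to merge as written. It ends with twelve placeholder rows ("|Row6 | | | |", "|Row7 | | | |"), most feature rows have all three cells empty so a reader cannot tell "not supported" from "not filled in yet", and the header cells "Microsoft BitLocker Administration and Monitoring (MBAM)*" and "1909**" point at footnotes the file never defines. The front matter reuses "ms.date: 02/28/2019" and the description of a different article ("explains how BitLocker features can be used to protect your data through drive encryption") for a page created in May 2021, and the H1 and H2 spell the product "Bitlocker" instead of "BitLocker". Drop the placeholder rows, fill or explicitly mark every cell, add the two footnotes, and fix the date, description and casing.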
diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png new file mode 100644 index 0000000000000000000000000000000000000000..c9ec7c52ab41b4f5c567d7a8db90e7b679d47928 GIT binary patch literal 739 Date: Wed, 19 May 2021 16:20:57 +0530 Subject: [PATCH 017/137] Update bitlocker-deployment-comparison.md added dot image --- .../bitlocker/bitlocker-deployment-comparison.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 9918e7eea1..ad4b1b82b8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -46,9 +46,9 @@ features can be used to protect your data through drive encryption. admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | | | -|Compliance reporting capabilities | | | | -|Force encryption | | | | -|Encryption for storage cards (mobile) | | | | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | |Allow recovery password | | | | |Manage startup authentication | | | | |Select cipher strength and algorithms for fixed From fdad2a91e3dd95bdea16f8528a7b9b96ac3fff7e Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:46:05 +0530 Subject: [PATCH 018/137] Update bitlocker-deployment-comparison.md Created newly for task 5120578 - Bitlocker Comparison Chart --- .../bitlocker-deployment-comparison.md | 79 +++++++------------ 1 file changed, 28 insertions(+), 51 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index ad4b1b82b8..749082dd5f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
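Review bot: in the PATCH 017 hunk the three rows switch from empty cells to an image with alt-text "dot", which tells a screen reader, a text-only render or a search index nothing about whether the feature is supported; use alt-text that states the meaning ("Supported") or plain "Yes"/"No" text in the cell. The same hunk uses images/dot1.png for the Intune cell of "Compliance reporting capabilities" but images/dot.png everywhere else without saying what distinguishes the two icons; add a legend or use one icon.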
@@ -1,8 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article for the IT professional explains how -BitLocker features can be used to protect your data through drive -encryption. +description: This article shows the Bitlocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -14,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/28/2019 +ms.date: 05/20/2021 ms.custom: bitlocker --- @@ -24,13 +22,10 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional explains how BitLocker -features can be used to protect your data through drive encryption. +This article for the IT professional depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart - - | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| |**Requirements**|||| 
@@ -40,52 +35,34 @@ features can be used to protect your data through drive encryption. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | | | +|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | -|Administrative plane | Microsoft Endpoint Manager -admin center | Configuration Manager console | Group Policy Management Console -and MBAM sites | -|Administrative portal installation required | | | | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot.png" alt-text="dot"::: | :::image type="content" source="images/dot.png" alt-text="dot"::: | | -|Allow recovery password | | | | -|Manage startup authentication | | | | -|Select cipher strength and algorithms for fixed -drives | | | | -|Select cipher strength and algorithms for -removable drives | | | | -|Select cipher strength and algorithms for operating -environment drives | | | | +|Administrative plane | Microsoft Endpoint Manager 
admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | +|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Allow recovery password | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Select cipher strength and algorithms for 
operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery link | | | | -|Allow/deny key file creation | | | | -|Deny Write permission to unprotected drives | | | | -|Can be administered outside company network | | | | -|Support for organization unique IDs | | | | -|Self-service recovery | Yes (through Azure AD or -Company Portal app) | | | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | | | -|Allow or deny Data Recovery Agent | | | | -|Unlock a volume using certificate with custom object identifier | | | | -|Prevent memory overwrite on restart | | | | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | | -|Manage auto-unlock functionality | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | -|Row6 | | | | -|Row7 | | | | - +|Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" 
alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | +|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" 
alt-text="dot"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From f4006bb298f1047b8b2c162d2ba97caafed7ffac Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 11:57:10 +0530 Subject: [PATCH 019/137] Update bitlocker-deployment-comparison.md To fix build issues --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 749082dd5f..e01dbd312c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: v-lsaldanha -ms.author: lovina-saldanha +author: lovina-saldanha +ms.author: v-lsaldanha manager: dansimp audience: ITPro ms.collection: M365-security-compliance From e67a850344a65aa8473a0cf9ee44550c909ec43d Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 12:19:06 +0530 Subject: [PATCH 020/137] Update bitlocker-deployment-comparison.md updated --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
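Review bot: the rewritten table in the PATCH 018 hunk still has no legend, so a blank cell remains ambiguous between "not supported" and "unknown", and the "*" after MBAM and "**" after 1909 in the header still have no footnote text. The rows that drive a deployment decision deserve a second look before merging: "Wait to complete encryption until recovery information is backed up to Azure AD" is marked for Intune only while the Active Directory variant is marked for Configuration Manager and MBAM only, "Configure custom Trusted Platform Module Platform Configuration Register profiles" is marked for MBAM only, and "Server components required?" is left blank for Intune where the row clearly expects an answer; state the source for each of these so a reader can verify them, and write "No" where that is what a blank means.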
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index e01dbd312c..6ba03dc4d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -22,7 +22,7 @@ ms.custom: bitlocker - Windows 10 -This article for the IT professional depicts the BitLocker deployment comparison chart. +This article depicts the BitLocker deployment comparison chart. ## Bitlocker deployment comparison chart From 366544ec62a2b665fef59b2330af2d0ca4be9ae7 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 20 May 2021 13:56:05 +0530 Subject: [PATCH 021/137] Update TOC.yml updated toc per task 5120578 --- windows/security/information-protection/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml index 9965f322db..bcaa9d74d7 100644 --- a/windows/security/information-protection/TOC.yml +++ b/windows/security/information-protection/TOC.yml @@ -29,6 +29,8 @@ href: bitlocker\bitlocker-using-with-other-programs-faq.yml - name: "Prepare your organization for BitLocker: Planning and policies" href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: bitlocker\bitlocker-deployment-comparison.md - name: BitLocker basic deployment href: bitlocker\bitlocker-basic-deployment.md - name: "BitLocker: How to deploy on Windows Server 2012 and later" From d1f23943124836f6438ab53e6107ca774c4a861d Mon Sep 17 00:00:00 2001 
From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 20 May 2021 17:59:10 +0530 Subject: [PATCH 022/137] New-5120578 New image added --- .../bitlocker/images/dot_new.png | Bin 0 -> 734 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot_new.png b/windows/security/information-protection/bitlocker/images/dot_new.png new file mode 100644 index 0000000000000000000000000000000000000000..af2bab3c631974672dd255ab793f124a34b980e1 GIT binary patch literal 734 Date: Thu, 20 May 2021 19:46:38 +0530 Subject: [PATCH 023/137] Update bitlocker-deployment-comparison.md image correction --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 6ba03dc4d8..dd32f174a6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -35,7 +35,7 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | |Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From 37fbfbcde78be2867fa411c950656bd4b249e49b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 21:17:52 +0530 Subject: [PATCH 024/137] added Allow Update Compliance Processing as per user feedback issue #9540, so I added **Allow Update Compliance Processing** policy-related settings in this article, after looking at GPO in windows 10 pre release build 21h1 19043.985. --- .../mdm/policy-csp-system.md | 78 ++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) 
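Review bot: the PATCH 023 hunk swaps the Configuration Manager cell of "Server components required?" from images/dot1.png (alt "dot") to images/dot_new.png (alt "dots") with no legend anywhere in the file, so a reader cannot learn what the second icon is meant to signal; add a footnote that explains the new icon, or replace both icons in this row with text that states the answer outright.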
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..a9ccc9b578 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -49,6 +49,9 @@ manager: dansimp

System/AllowTelemetry
+
+ System/AllowUpdateComplianceProcessing +
System/AllowUserToResetPhone
@@ -791,6 +794,77 @@ ADMX Info: +
+ + +**System/AllowUpdateComplianceProcessing** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark6
Businesscheck mark6
Enterprisecheck mark6
Educationcheck mark6
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. + +If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. + +If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. + + + +ADMX Info: +- GP English name: *Allow Update Compliance Processing* +- GP name: *AllowUpdateComplianceProcessing* +- GP element: *AllowUpdateComplianceProcessing* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +The following list shows the supported values: + +- 0 - Disabled. +- 16 - Enabled. + + + +
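Review bot: the supported-values list in the new System/AllowUpdateComplianceProcessing section gives "0 - Disabled" and "16 - Enabled"; 16 is an unusual enable value for a policy in this CSP, so cite the ADMX definition in DataCollection.admx or re-check the value before merging. The edition table marks Pro, Business, Enterprise and Education with footnote 6 (Windows 10, version 1903), while the commit message says the policy was found in a 21H1 pre-release build and the footnote hunk adds entries 9 (20H2) and 10 (21H1) that nothing in this patch uses; pick the footnote that matches the first version that actually carries the policy. "If you enable this setting, Enables data flow ..." needs a subject ("it enables"). Finally, since enabling this setting enrolls the device's diagnostic data into the Update Compliance processing pipeline, the description should say how it interacts with the System/AllowTelemetry policy listed in the same file: the text only says data is "processed", not what level of diagnostic data must already be allowed for anything to flow.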
@@ -1778,5 +1852,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. +- 10 - Available in Windows 10, version 21H1. - \ No newline at end of file + From 9a024df7b281dda143f89bd32ad6300ba49d2ce2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 20 May 2021 22:43:25 +0530 Subject: [PATCH 025/137] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a9ccc9b578..787fbbbb2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -50,7 +50,7 @@ manager: dansimp System/AllowTelemetry
- System/AllowUpdateComplianceProcessing + System/AllowUpdateComplianceProcessing
System/AllowUserToResetPhone From 13f59c7b058804c40fdd1ea8b50d5e5775db00f9 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 20 May 2021 14:02:10 -0700 Subject: [PATCH 026/137] Update policy-csp-authentication.md updated description for web sign in policy --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d62b5b232d..0c1b971103 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials like Temporary Access Pass > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. From 4867c75d1f89c3f1efe92ef338d4134b046f4137 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 20 May 2021 15:29:01 -0700 Subject: [PATCH 027/137] Update windows/client-management/mdm/policy-csp-authentication.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 0c1b971103..1b75bd9a6b 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md 
+++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials like Temporary Access Pass +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. From 6c0242ca208802d1ba7b4430892d63942287f0b0 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:16:50 +0530 Subject: [PATCH 028/137] Update windows/client-management/mdm/policy-csp-system.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 787fbbbb2a..828bc97b2a 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -842,7 +842,7 @@ ADMX Info: Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. -If you enable this setting, Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. +If you enable this setting, it enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. If you disable or do not configure this policy setting, diagnostic data from this device will not be processed by Update Compliance. From 64de74b17d47d461eb6c47200e47bac57946e5b8 Mon Sep 17 00:00:00 2001 
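Review bot: the PATCH 027 hunk finalizes a description that now says Web Sign-in supports "new Azure AD credentials, like Temporary Access Pass", where the text removed in PATCH 026 said "non-ADFS federated providers (e.g. SAML)"; if federated SAML sign-in is no longer what this policy enables, say so explicitly instead of silently dropping it, because an administrator who turned the policy on for federated providers will read the new sentence as an addition rather than a replacement.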
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 21 May 2021 14:29:06 +0530 Subject: [PATCH 029/137] made boot to System/BootStartDriverInitialization as per user feedback from @illfated under issue #9554, so I made sentence **System/BootStartDriverInitialization** to bold. --- windows/client-management/mdm/policy-csp-system.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3615cb2e3f..3a5f16aba7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -852,6 +852,7 @@ The following list shows the supported values:
+ **System/BootStartDriverInitialization** @@ -1779,4 +1780,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 988b07c78c4ec090e719c80b5f30be474e0c4730 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 24 May 2021 09:59:45 +0530 Subject: [PATCH 030/137] Update bitlocker-deployment-comparison.md To fix edit issue --- .../bitlocker/bitlocker-deployment-comparison.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index dd32f174a6..2ef7fbf2b9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
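Review bot: the first hunk in policy-csp-system.md (@@ -852,6 +852,7) shows only the added line `+ **System/BootStartDriverInitialization**` and none of its six context lines, so its position relative to "The following list shows the supported values:" cannot be checked from what is visible; confirm that the bold line lands where this file presents the other policy names and not in the middle of the supported-values list. The second hunk only adds the missing newline at end of file, which is fine.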
@@ -49,9 +49,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | -|Store recovery password for operating system and -fixed drives to Azure AD or Active Directory | Yes (Active Directory and -Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | +|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | |Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | From e57ba5b729344902306418ac00a608744c751d70 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Mon, 24 May 2021 15:46:24 +0530 Subject: [PATCH 031/137] Changed instances of "Bitlocker" to BitLocker" to keep the terminology consistent --- .../bitlocker/bitlocker-deployment-comparison.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
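Review bot: the merged row in bitlocker-deployment-comparison.md now has four cells like the header row, which repairs the table; one pre-existing inconsistency visible in the same hunk is that this row answers in text ("Yes (Active Directory and Azure AD)", "Yes (Active Directory only)") while the neighbouring rows use the dot image, so either convert it to the dot convention with a footnote for the Active Directory/Azure AD distinction or keep the text deliberately and consistently for rows that need a qualifier.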
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 2ef7fbf2b9..d3e5e2f766 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -16,7 +16,7 @@ ms.date: 05/20/2021 ms.custom: bitlocker --- -# Bitlocker deployment comparison +# BitLocker deployment comparison **Applies to** @@ -24,7 +24,7 @@ ms.custom: bitlocker This article depicts the BitLocker deployment comparison chart. -## Bitlocker deployment comparison chart +## BitLocker deployment comparison chart | |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | |---------|---------|---------|---------| From 582ad407f366210a6cb504cb3ef6879df9fcd154 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 26 May 2021 14:49:40 +0500 Subject: [PATCH 032/137] Minor correction to remove the confusion I have made a minor addition to the content to clarify the confusion. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9461 --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 234f5f9d6c..352dd76846 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -4521,7 +4521,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. @@ -5356,4 +5356,4 @@ ADMX Info: > [!NOTE] > These policies are currently only available as part of a Windows Insider release. - \ No newline at end of file + From 019efaf14e3c7c6c96f349887633c6f737829c8e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 26 May 2021 15:53:17 +0500 Subject: [PATCH 033/137] Pointing to the correct link As the content has been moved to MDM, I have updated and pointed to the correct link. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9451 --- .../create-wip-policy-using-intune-azure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..685e4236d2 100644 
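Review bot: the added parenthetical in policy-csp-admx-windowsexplorer.md, "(open the files in the folders or see the files in the folders)", repeats "the files in the folders" twice and makes the sentence hard to read; suggest `but they cannot open folders, and they cannot see or open the files inside them`. The second hunk only restores the newline at end of file.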
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -52,9 +52,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or ## Create a WIP policy -1. Sign in to the Azure portal. +1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). -2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**. +2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**. ![Open Client apps](images/create-app-protection-policy.png) From 1a2e96258aa3aa28174c0ff6bf0d467836fe5257 Mon Sep 17 00:00:00 2001 From: v-hearya Date: Fri, 28 May 2021 22:14:28 +0530 Subject: [PATCH 034/137] faq-md-app-guard.md converted into yml --- .../TOC.yml | 2 +- .../faq-md-app-guard.yml | 200 ++++++++++++++++++ .../md-app-guard-overview.md | 2 +- 3 files changed, 202 insertions(+), 2 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index c77a91d3e5..ee887e168a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -12,4 +12,4 @@ - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - name: FAQ - href: faq-md-app-guard.md + href: faq-md-app-guard.yml 
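Review bot: in the create-wip-policy-using-intune-azure.md hunk, step 2 renames the menu label from **Client apps** to **Apps**, but the screenshot line left in context, `![Open Client apps](images/create-app-protection-policy.png)`, keeps the old alt text and presumably still shows the old menu; update the alt text to match step 2 and refresh the image if it shows the old label. In step 1, "Sign in to the Microsoft Endpoint Manager" reads oddly with the article; the portal at that URL is the Microsoft Endpoint Manager admin center, so `Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).` would be clearer.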
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml new file mode 100644 index 0000000000..7b33d23616 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -0,0 +1,200 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Microsoft Defender Application Guard (Windows 10) + description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. + ms.prod: m365-security + ms.mktglfcycl: manage + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: denisebmsft + ms.author: deniseb + ms.date: 05/12/2021 + ms.reviewer: + manager: dansimp + ms.custom: asr + ms.technology: mde + +title: Frequently asked questions - Microsoft Defender Application Guard +summary: | + **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. + + ## Frequently Asked Questions + +sections: + - name: Frequently Asked Questions + questions: + - question: | + Can I enable Application Guard on machines equipped with 4-GB RAM? + answer: | + We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. + + `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) + + `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) + + - question: | + Can employees download documents from the Application Guard Edge session onto host devices? + answer: | + In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. 
+ + In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. + + - question: | + Can employees copy and paste between the host device and the Application Guard Edge session? + answer: | + Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. + + - question: | + Why don't employees see their favorites in the Application Guard Edge session? + answer: | + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) + + - question: | + Why aren’t employees able to see their extensions in the Application Guard Edge session? + answer: | + Make sure to enable the extensions policy on your Application Guard configuration. + + - question: | + How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? + answer: | + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + + - question: | + Which Input Method Editors (IME) in 19H1 are not supported? 
+ answer: | + The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: + + - Vietnam Telex keyboard + - Vietnam number key-based keyboard + - Hindi phonetic keyboard + - Bangla phonetic keyboard + - Marathi phonetic keyboard + - Telugu phonetic keyboard + - Tamil phonetic keyboard + - Kannada phonetic keyboard + - Malayalam phonetic keyboard + - Gujarati phonetic keyboard + - Odia phonetic keyboard + - Punjabi phonetic keyboard + + - question: | + I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? + answer: | + This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + + - question: | + What is the WDAGUtilityAccount local account? + answer: | + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: + + **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** + + We recommend that you do not modify this account. + + - question: | + How do I trust a subdomain in my site list? + answer: | + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. 
The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + + - question: | + Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? + answer: | + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + + - question: | + Is there a size limit to the domain lists that I need to configure? + answer: | + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + + - question: | + Why does my encryption driver break Microsoft Defender Application Guard? + answer: | + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why do the Network Isolation policies in Group Policy and CSP look different? + answer: | + There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. 
+ + - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** + + - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** + + - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + + - question: | + Why did Application Guard stop working after I turned off hyperthreading? + answer: | + If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. + + - question: | + Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? + answer: | + Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. + + - question: | + Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? + answer: | + This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + + - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) + - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + - question: | + Why can I not launch Application Guard when Exploit Guard is enabled? + answer: | + There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. 
To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. + + - question: | + How can I disable portions of ICS without breaking Application Guard? + answer: | + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + + 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. + + 2. Disable IpNat.sys from ICS load as follows:
+ `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` + + 3. Configure ICS (SharedAccess) to enabled as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` + + 4. (This is optional) Disable IPNAT as follows:
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` + + 5. Reboot the device. + + - question: | + Why doesn't the container fully load when device control policies are enabled? + answer: | + Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. + + Policy: Allow installation of devices that match any of the following device IDs: + + - `SCSI\DiskMsft____Virtual_Disk____` + - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` + - `VMS_VSF` + - `root\Vpcivsp` + - `root\VMBus` + - `vms_mp` + - `VMS_VSP` + - `ROOT\VKRNLINTVSP` + - `ROOT\VID` + - `root\storvsp` + - `vms_vsmp` + - `VMS_PP` + + Policy: Allow installation of devices using drivers that match these device setup classes + - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + +additionalContent: | + + ## See also + + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9c41f91b39..83850f5a21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md 
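Review bot: the new faq-md-app-guard.yml drops content that the Markdown FAQ it replaces still carries: the answer to the "ERR_NAME_NOT_RESOLVED" question keeps the sentence "you need to create two firewall rules", but the "First rule (DHCP Server)" and "Second rule (DHCP Client)" definitions (program path, service SID, UDP ports 67/68 and the step list) are not in this file, so the reader is told to create two rules that are never described; carry those two sections into the answer or reword it. Three smaller points in the same hunk: the answer on Network Isolation policies ends with the encryption-driver paragraph ("Application Guard accesses files from a VHD ... ERROR_WRITE_PROTECT") that duplicates the previous answer and belongs only there; in the ICS steps, step 2 gives `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` without the `HKEY_LOCAL_MACHINE\` prefix that steps 3 and 4 use, and all three lines would be clearer stated as "set the DWORD value X under key Y" rather than as a path with `= n` appended; and the `## Frequently Asked Questions` heading inside `summary:` duplicates the section `name:` immediately below it, so one of the two should go.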
@@ -52,5 +52,5 @@ Application Guard has been created to target several types of devices: |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | -|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| |[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| \ No newline at end of file From a2805311479b72e7604e7ff21fd28d6d919a18c9 Mon Sep 17 00:00:00 2001 
From: v-hearya Date: Fri, 28 May 2021 22:57:26 +0530 Subject: [PATCH 035/137] faq-md-app-guard.md deleted & updated .yml --- .../faq-md-app-guard.md | 210 ------------------ .../faq-md-app-guard.yml | 35 +++ 2 files changed, 35 insertions(+), 210 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index 0e4406aaa5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null 
@@ -1,210 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 05/12/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4-GB RAM? - -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. 
However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? 
- -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). 
This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. 
If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. 
- -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7b33d23616..aef33b9815 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -146,6 +146,41 @@ sections: - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + + ### First rule (DHCP Server) + 1. Program path: `%SystemRoot%\System32\svchost.exe` + + 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + + 3. Protocol UDP + + 4. Port 67 + + ### Second rule (DHCP Client) + This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + + 1. Right-click on inbound rules, and then create a new rule. + + 2. Choose **custom rule**. + + 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. + + 4. Specify the following settings: + - Protocol Type: UDP + - Specific ports: 67 + - Remote port: any + + 5. Specify any IP addresses. + + 6. Allow the connection. + + 7. Specify to use all profiles. + + 8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. + + 9. In the **Programs and services** tab, under the **Services** section, select **settings**. + + 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - question: | Why can I not launch Application Guard when Exploit Guard is enabled? From 2bef916b8d6fb2e52d9ab2776f4a4968ddb2fa67 Mon Sep 17 00:00:00 2001 
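Review bot: in the faq-md-app-guard.yml hunk (`@@ -146,6 +146,41 @@`), the "Second rule (DHCP Client)" steps contradict their own introduction: the intro says the rule is "scoped to local port 68", but step 4 then lists `- Specific ports: 67`, which is the DHCP server port the first rule already covers, so a reader following the steps literally creates two identical rules. Change step 4 to port 68, or state explicitly that the numbered steps are the generic procedure and that only the port differs between the two rules. Also note that the headings were `#### First rule (DHCP Server)` / `#### Second rule (DHCP Client)` in the deleted .md and are now `###` inside the answer body; confirm the FAQ renderer accepts a heading at that level within an answer.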
From: v-hearya Date: Fri, 28 May 2021 23:31:37 +0530 Subject: [PATCH 036/137] ie-edge-faqs.md converted into yml --- browsers/internet-explorer/TOC.yml | 2 +- .../kb-support/ie-edge-faqs.md | 220 ----------------- .../kb-support/ie-edge-faqs.yml | 233 ++++++++++++++++++ 3 files changed, 234 insertions(+), 221 deletions(-) delete mode 100644 browsers/internet-explorer/kb-support/ie-edge-faqs.md create mode 100644 browsers/internet-explorer/kb-support/ie-edge-faqs.yml diff --git a/browsers/internet-explorer/TOC.yml b/browsers/internet-explorer/TOC.yml index 077879a18d..2c6602e1de 100644 --- a/browsers/internet-explorer/TOC.yml +++ b/browsers/internet-explorer/TOC.yml @@ -356,6 +356,6 @@ - name: KB Troubleshoot items: - name: Internet Explorer and Microsoft Edge FAQ for IT Pros - href: kb-support/ie-edge-faqs.md + href: kb-support/ie-edge-faqs.yml - name: Microsoft Edge and Internet Explorer troubleshooting href: /troubleshoot/browsers/welcome-browsers diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md deleted file mode 100644 index 3e2d6c100e..0000000000 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ /dev/null 
@@ -1,220 +0,0 @@ ---- -title: IE and Microsoft Edge FAQ for IT Pros -description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. -audience: ITPro -manager: msmets -author: ramakoni1 -ms.author: ramakoni -ms.reviewer: ramakoni, DEV_Triage -ms.prod: internet-explorer -ms.technology: -ms.topic: kb-support -ms.custom: CI=111020 -ms.localizationpriority: medium -ms.date: 01/23/2020 ---- -# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros - -## Cookie-related questions - -### What is a cookie? - -An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. - -### How does Internet Explorer handle cookies? - -For more information about how Internet Explorer handles cookies, see the following articles: - -- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) -- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) -- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) -- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) -- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) - -### Where does Internet Explorer store cookies? - -To see where Internet Explorer stores its cookies, follow these steps: - -1. Start File Explorer. -2. Select **Views** \> **Change folder and search options**. -3. In the **Folder Options** dialog box, select **View**. -4. 
In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. -5. Clear **Hide protected operation system files (Recommended)**. -6. Select **Apply**. -7. Select **OK**. - -The following are the folder locations where the cookies are stored: - -**In Windows 10** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCache - -**In Windows 8 and Windows 8.1** -C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies - -**In Windows 7** -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies -C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low - -### What is the per-domain cookie limit? - -Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. - -There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. - -The JavaScript limitation was updated to 10 KB from 4 KB. - -For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). - -#### Additional information about cookie limits - -**What does the Cookie RFC allow?** -RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: - -- At least 300 cookies total -- At least 20 cookies per unique host or domain name - -For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. 
- -### Cookie size limit per domain - -Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. - -## Proxy Auto Configuration (PAC)-related questions - -### Is an example Proxy Auto Configuration (PAC) file available? - -Here is a simple PAC file: - -```vb -function FindProxyForURL(url, host) -{ - return "PROXY proxyserver:portnumber"; -} -``` - -> [!NOTE] -> The previous PAC always returns the **proxyserver:portnumber** proxy. - -For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). - -**Third-party information disclaimer** -The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. 
- -### How to improve performance by using PAC scripts - -- [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) -- [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) - -## Other questions - -### How to set home and start pages in Microsoft Edge and allow user editing - -For more information, see the following blog article: - -[How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) - -### How to add sites to the Enterprise Mode (EMIE) site list - -For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). - -### What is Content Security Policy (CSP)? - -By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. - -Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. 
However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. - -CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. - -For more information, see the following articles: - -- [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) -- [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) - -### Where to find Internet Explorer security zones registry entries - -Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). - -This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. - -The default Zone Keys are stored in the following locations: - -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones - -### Why don't HTML5 videos play in Internet Explorer 11? - -To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. 
- -- 0 (the default value): Allow -- 3: Disallow - -This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. - -For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). - -For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). - -For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) - -### What is the Enterprise Mode Site List Portal? - -This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). - -### What is Enterprise Mode Feature? - -For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). - -### Where can I obtain a list of HTTP Status codes? - -For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). - -### What is end of support for Internet Explorer 11? - -Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. - -For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). 
- -### How to configure TLS (SSL) for Internet Explorer - -For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). - -### What is Site to Zone? - -Site to Zone usually refers to one of the following: - -**Site to Zone Assignment List** -This is a Group Policy policy setting that can be used to add sites to the various security zones. - -The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: - -- Intranet zone -- Trusted Sites zone -- Internet zone -- Restricted Sites zone - -If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. - -**Site to Zone Mapping** -Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. 
Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: - -- HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap -- HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey - -**Site to Zone Assignment List policy** -This policy setting is available for both Computer Configuration and User Configuration: - -- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page -- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page - -**References** -[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) - -### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? - -For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). - -### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? - -The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. - -For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). \ No newline at end of file diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml new file mode 100644 index 0000000000..8c6a0be253 --- /dev/null 
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml 
@@ -0,0 +1,233 @@ +### YamlMime:FAQ +metadata: + title: IE and Microsoft Edge FAQ for IT Pros + description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. + audience: ITPro + manager: msmets + author: ramakoni1 + ms.author: ramakoni + ms.reviewer: ramakoni, DEV_Triage + ms.prod: internet-explorer + ms.technology: + ms.topic: kb-support + ms.custom: CI=111020 + ms.localizationpriority: medium + ms.date: 01/23/2020 + +title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros +summary: | + +sections: + - name: Cookie-related questions + questions: + - question: | + What is a cookie? + answer: | + An HTTP cookie (the web cookie or browser cookie) is a small piece of data that a server sends to the user's web browser. The web browser may store the cookie and return it to the server together with the next request. For example, a cookie might be used to indicate whether two requests come from the same browser in order to allow the user to remain logged-in. The cookie records stateful information for the stateless HTTP protocol. + + - question: | + How does Internet Explorer handle cookies? + answer: | + For more information about how Internet Explorer handles cookies, see the following articles: + + - [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios) + - [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p) + - [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq) + - [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content) + - [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies) + + - question: | + Where does Internet Explorer store cookies? + answer: | + To see where Internet Explorer stores its cookies, follow these steps: + + 1. 
Start File Explorer. + 2. Select **Views** \> **Change folder and search options**. + 3. In the **Folder Options** dialog box, select **View**. + 4. In **Advanced settings**, select **Do not show hidden files, folders, or drivers**. + 5. Clear **Hide protected operation system files (Recommended)**. + 6. Select **Apply**. + 7. Select **OK**. + + The following are the folder locations where the cookies are stored: + + **In Windows 10** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCache + + **In Windows 8 and Windows 8.1** + C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies + + **In Windows 7** + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies + C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low + + - question: | + What is the per-domain cookie limit? + answer: | + Since the June 2018 cumulative updates for Internet Explorer and Microsoft Edge, the per-domain cookie limit is increased from 50 to 180 for both browsers. The cookies vary by path. So, if the same cookie is set for the same domain but for different paths, it's essentially a new cookie. + + There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is sent out. This limit can cause some cookies to be lost after they exceed that value. + + The JavaScript limitation was updated to 10 KB from 4 KB. + + For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - question: | + Cookie size limit per domain + answer: | + Some browsers also limit the amount of space that any one domain can use for cookies. This means that if your browser sets a limit of 4,096 bytes per domain for cookies, 4,096 bytes is the maximum available space in that domain even though you can set up to 180 cookies. + + - name: Proxy Auto Configuration (PAC)-related questions + questions: + - question: | + Is an example Proxy Auto Configuration (PAC) file available? 
+ answer: | + Here is a simple PAC file: + + ```vb + function FindProxyForURL(url, host) + { + return "PROXY proxyserver:portnumber"; + } + ``` + + > [!NOTE] + > The previous PAC always returns the **proxyserver:portnumber** proxy. + + For more information about how to write a PAC file and about the different functions in a PAC file, see [the FindProxyForURL website](https://findproxyforurl.com/). + + **Third-party information disclaimer** + The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + + - question: | + How to improve performance by using PAC scripts + answer: | + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) + + - name: Other questions + questions: + - question: | + How to set home and start pages in Microsoft Edge and allow user editing + answer: | + For more information, see the following blog article: + + [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) + + - question: | + How to add sites to the Enterprise Mode (EMIE) site list + answer: | + For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md). + + - question: | + What is Content Security Policy (CSP)? 
+ answer: | + By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites. + + Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly. + + CSP2 makes these scenarios easier to manage by adding support for nonces and hashes for script and style resources. A nonce is a cryptographically strong random value that is generated on each page load that appears in both the CSP policy and in the script tags on the page. Using nonces can help minimize the need to maintain a list of allowed source URL values while also allowing trusted scripts that are declared in script elements to run. + + For more information, see the following articles: + + - [Introducing support for Content Security Policy Level 2](https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/) + - [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) + + - question: | + Where to find Internet Explorer security zones registry entries + answer: | + Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users). 
+ + This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11. + + The default Zone Keys are stored in the following locations: + + - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones + + - question: | + Why don't HTML5 videos play in Internet Explorer 11? + answer: | + To play HTML5 videos in the Internet Zone, use the default settings or make sure that the registry key value of **2701** under **Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3** is set to **0**. + + - 0 (the default value): Allow + - 3: Disallow + + This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone. + + For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie). + + For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions). + + For more information about how to check Windows versions, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-version-am-i-running) + + - question: | + What is the Enterprise Mode Site List Portal? + answer: | + This is a new feature to add sites to your enterprise mode site list XML. For more information, see [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). + + - question: | + What is Enterprise Mode Feature? + answer: | + For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md). 
+ + - question: | + Where can I obtain a list of HTTP Status codes? + answer: | + For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes). + + - question: | + What is end of support for Internet Explorer 11? + answer: | + Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed. + + For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer). + + - question: | + How to configure TLS (SSL) for Internet Explorer + answer: | + For more information about how to configure TLS/SSL for Internet Explorer, see [Group Policy Setting to configure TLS/SSL](https://gpsearch.azurewebsites.net/#380). + + - question: | + What is Site to Zone? + answer: | + Site to Zone usually refers to one of the following: + + **Site to Zone Assignment List** + This is a Group Policy policy setting that can be used to add sites to the various security zones. + + The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: + + - Intranet zone + - Trusted Sites zone + - Internet zone + - Restricted Sites zone + + If you set this policy setting to **Enabled**, you can enter a list of sites and their related zone numbers. By associating a site to a zone, you can make sure that the security settings for the specified zone are applied to the site. + + **Site to Zone Mapping** + Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. 
Internet Explorer will read from the following registry subkeys for the sites that are deployed through the Site to Zone assignment list: + + - HKEY\_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap + - HKEY\_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey + + **Site to Zone Assignment List policy** + This policy setting is available for both Computer Configuration and User Configuration: + + - Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + - User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page + + **References** + [How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices) + + - question: | + What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer? + answer: | + For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)). + + - question: | + What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting? + answer: | + The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server. + + For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer). From 14fc19ef109aa2cc8d229eeabfba46d8aa3c4b9b Mon Sep 17 00:00:00 2001 
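Review bot: the new ie-edge-faqs.yml (`@@ -0,0 +1,233 @@`) drops the "Additional information about cookie limits" block that the deleted .md carried: the "What does the Cookie RFC allow?" text (RFC 2109, at least 300 cookies total, at least 20 per unique host or domain name, and the paragraph on browser makers' practical limits) appears nowhere between the "What is the per-domain cookie limit?" and "Cookie size limit per domain" questions, so the conversion loses content and it should be restored as a question in the Cookie-related section. Two smaller carry-overs worth fixing while the file is being recreated: the PAC example is fenced as `vb` although `FindProxyForURL` is JavaScript, so the fence tag should be `javascript`; and the File Explorer steps still read "Do not show hidden files, folders, or drivers" and "Hide protected operation system files", which should be "drives" and "operating system".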
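Review bot: the TOC.yml hunk (`@@ -356,6 +356,6 @@`) only repoints `href: kb-support/ie-edge-faqs.md` to `kb-support/ie-edge-faqs.yml`, while the .md file itself is deleted outright in the same patch; any other link or bookmark to the old `ie-edge-faqs.md` path will break. Add a redirect from the old path to the new one alongside the deletion, and search the remaining docs for references to `ie-edge-faqs.md` before merging.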
From: v-hearya Date: Fri, 28 May 2021 23:57:54 +0530 Subject: [PATCH 037/137] missing content added --- .../internet-explorer/kb-support/ie-edge-faqs.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 8c6a0be253..7bc45c1ec2 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml @@ -71,6 +71,18 @@ sections: The JavaScript limitation was updated to 10 KB from 4 KB. For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq). + + - name: Additional information about cookie limits + questions: + - question: | + What does the Cookie RFC allow? + answer: | + RFC 2109 defines how cookies should be implemented, and it defines minimum values that browsers support. According to the RFC, browsers would ideally have no limits on the size and number of cookies that a browser can handle. To meet the specifications, the user agent should support the following: + + - At least 300 cookies total + - At least 20 cookies per unique host or domain name + + For practicality, individual browser makers set a limit on the total number of cookies that any one domain or unique host can set. They also limit the total number of cookies that can be stored on a computer. - question: | Cookie size limit per domain From 6ac2a0bc368fced5f672d96224d9e54f53891fa1 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 31 May 2021 12:51:27 +0100 Subject: [PATCH 038/137] Update policy-csp-system.md --- .../client-management/mdm/policy-csp-system.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 61558a2ca2..9497ff874d 100644 
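Review bot: The new answer in hunk @@ -71,6 +71,18 @@ cites RFC 2109 as "the Cookie RFC" without noting that it has been obsoleted (by RFC 2965 and then RFC 6265), so readers may take its minimums (300 cookies total, 20 per host) as the current specification. Suggest either stating that RFC 2109 is historical or citing RFC 6265 section 6.1, which gives the present minimums (at least 4096 bytes per cookie, at least 50 cookies per domain, at least 3000 cookies total). Also, "browsers would ideally have no limits on the size and number of cookies" overstates the RFC, which says implementations should not place fixed limits but must support the listed minimums; "should not impose fixed limits" is closer to the text.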
--- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -748,11 +748,14 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restricted value is 0. -The following list shows the supported values for Windows 10 version 19H1 and later: +For Windows 10 version 19H1 and later we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: -- **Diagnostic data off** - No Windows diagnostic data sent. -- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +- **0 - Diagnostic data off** - No Windows diagnostic data sent. +- **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. +- **3 - Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. + +> [!NOTE] +> If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). \ No newline at end of file + From e41479bca6a0e65258440054adaec42a36b7a21b Mon Sep 17 00:00:00 2001 
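Review bot: The new value list in hunk @@ -748,11 +748,14 @@ jumps from 1 to 3 and never says what value 2 means on 19H1 and later, even though the added note discusses devices that are "set to Enhanced". Since 2 was the Enhanced level in the 1809 list just above, state explicitly that 2 is no longer a distinct level and is treated as Required (or whatever the actual behaviour is), otherwise an admin who sets 2 through MDM has no way to know from this page what they get. Minor: the first sentence needs a comma after "later", and "we simplified your diagnostic data controls" is an announcement voice that does not fit a CSP reference; "Windows 10, version 19H1 and later, uses three diagnostic data levels instead of four" is enough.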
From: Sinead O'Sullivan Date: Mon, 31 May 2021 12:59:35 +0100 Subject: [PATCH 039/137] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 9497ff874d..905ec90ac2 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -748,7 +748,7 @@ The following list shows the supported values for Windows 10 version 1809 and ol Most restricted value is 0. -For Windows 10 version 19H1 and later we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: +For Windows 10 version 19H1 and later, we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: - **0 - Diagnostic data off** - No Windows diagnostic data sent. - **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. From 59af80564b27c765a665efb11f5d695326ac0643 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 21:51:04 +0530 Subject: [PATCH 040/137] removed device word this is my own PR i removed word **Device** --- windows/client-management/mdm/healthattestation-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 3463de078b..7ba60128fb 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
@@ -1,5 +1,5 @@ --- -title: Device HealthAttestation CSP +title: HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: From 818a12067925afaadc3bc520df2a63a3c25d6ff1 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 31 May 2021 23:48:21 +0530 Subject: [PATCH 041/137] formatted table properly. added cross check marks this is my own PR, 01. I added Checkmarks only for Business edition if under Professional and Enterprise are already added Checkmarks 02. I added Crossmarks only for Business edition if under Professional and Enterprise are already added Crossmarks 03. Removed the following words **Only for mobile application management (MAM)** **Provisioning only** 04. Added footnotes **A- Only for mobile application management (MAM)** **B- Provisioning only** --- ...onfiguration-service-provider-reference.md | 160 +++++++++--------- 1 file changed, 79 insertions(+), 81 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..35baca9f52 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -71,7 +71,7 @@ Additional lists: cross mark check mark4 - cross mark + check mark4 check mark4 check mark4 cross mark @@ -97,7 +97,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -123,7 +123,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -149,7 +149,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark 
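Review bot: Dropping "Device" from the title in hunk @@ -1,5 +1,5 @@ of healthattestation-csp.md makes the title inconsistent with the description line two lines below, which still refers to the feature as "DHA-CSP" (Device HealthAttestation CSP); the abbreviation no longer has a source on the page. Unless the product name itself changed, keep "Device HealthAttestation CSP" or update the description to match.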
@@ -201,7 +201,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -227,7 +227,7 @@ Additional lists: cross mark check mark3 - + check mark check mark check mark cross mark @@ -253,7 +253,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -305,7 +305,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -331,7 +331,7 @@ Additional lists: check mark3 check mark3 - + check mark3 check mark3 check mark3 check mark @@ -358,7 +358,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark1 @@ -384,7 +384,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -410,7 +410,7 @@ Additional lists: check mark3 check mark3 - + check mark3 check mark3 check mark3 check mark @@ -436,7 +436,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -462,7 +462,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -514,7 +514,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -540,7 +540,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark cross mark @@ -566,7 +566,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -592,7 +592,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -618,7 +618,7 @@ Additional lists: check mark check mark - + check mark check mark check mark cross mark @@ -644,7 +644,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -670,7 +670,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -722,7 +722,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark 
@@ -748,7 +748,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -774,7 +774,6 @@ Additional lists: check mark check mark - check mark check mark check mark @@ -802,7 +801,6 @@ Additional lists: check mark check mark - check mark check mark check mark @@ -829,7 +827,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -882,7 +880,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -934,7 +932,7 @@ Additional lists: check mark2 check mark2 - + check mark2 check mark2 check mark2 check mark @@ -960,7 +958,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1012,7 +1010,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1037,9 +1035,9 @@ Additional lists: check mark -Only for mobile application management (MAM) +A + check mark check mark - check mark check mark check mark @@ -1065,10 +1063,9 @@ Additional lists: cross mark check mark - check mark check mark - cross mark + check mark cross mark @@ -1092,7 +1089,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1118,7 +1115,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1144,7 +1141,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1168,7 +1165,7 @@ Additional lists: Mobile - + cross mark check mark3 check mark3 check mark3 @@ -1196,10 +1193,10 @@ Additional lists: cross mark cross mark - cross mark cross mark - check mark (Provisioning only) + cross mark + check markB @@ -1248,7 +1245,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1274,7 +1271,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark 
@@ -1300,7 +1297,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1378,7 +1375,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1404,7 +1401,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1482,7 +1479,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1534,7 +1531,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1560,7 +1557,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1586,7 +1583,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1638,7 +1635,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1664,7 +1661,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1688,12 +1685,12 @@ Additional lists: Mobile - check mark (Provisioning only) - check mark (Provisioning only) - - check mark (Provisioning only) - check mark (Provisioning only) - check mark (Provisioning only) + check markB + check markB + check markB + check markB + check markB + check markB @@ -1716,7 +1713,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1742,7 +1739,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1768,7 +1765,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1794,7 +1791,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1820,7 +1817,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -1846,7 +1843,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark 
@@ -1872,7 +1869,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1898,7 +1895,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -1924,7 +1921,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -1950,7 +1947,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -1976,7 +1973,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2002,7 +1999,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2028,7 +2025,7 @@ Additional lists: cross mark check mark - + check mark check mark check mark check mark @@ -2159,7 +2156,7 @@ Additional lists: cross mark cross mark - + check mark check mark check mark cross mark @@ -2185,7 +2182,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2211,7 +2208,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2237,7 +2234,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2290,7 +2287,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2316,7 +2313,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2368,7 +2365,7 @@ Additional lists: cross mark check mark1 - + check mark1 check mark1 check mark1 cross mark @@ -2421,7 +2418,7 @@ Additional lists: check mark check mark - + check mark check mark check mark check mark @@ -2447,7 +2444,7 @@ Additional lists: cross mark cross mark - + cross mark cross mark cross mark check mark @@ -2503,7 +2500,6 @@ Additional lists: check mark - @@ -2627,6 +2623,8 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: +- A - Only for mobile application management (MAM) +- B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. @@ -2636,4 +2634,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 534690e3f5745b9a0c64e52bb98141b437cb0d97 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 00:24:54 +0530 Subject: [PATCH 042/137] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 35baca9f52..e23ec60e95 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2623,7 +2623,7 @@ The following list shows the CSPs supported in HoloLens devices:
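Review bot: Hunks @@ -774,7 +774,6 @@ and @@ -802,7 +801,6 @@ delete a "check mark" cell instead of filling the empty cell the way every other hunk in this patch does, so those two rows end up one cell shorter than before; this is only correct if each of those rows previously carried a duplicate cell, which the diff context does not show. Please confirm the column count of those rows after the change matches the header.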
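Review bot: Hunk @@ -1065,10 +1063,9 @@ changes an existing non-Business cell from "cross mark" to "check mark" in addition to removing one cell, which goes beyond the rule stated in the commit message (fill in the Business column only where Professional and Enterprise already agree). Same question for hunk @@ -1688,12 +1685,12 @@, where the empty cell becomes "check markB" so a row that previously had five provisioning-only entries now has six. Both changes need a source (the CSP's own page) rather than inference from neighbouring columns; more generally, the premise that Business supports a CSP whenever Pro and Enterprise do should be stated as an assumption in the PR, since edition support is exactly the kind of fact this reference is consulted for.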
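Review bot: The footnote definitions added in hunk @@ -2627,6 +2623,8 @@ are inconsistent with the existing entries: "A - Only for mobile application management (MAM)" and "B - Provisioning only" lack the trailing period that entries 1 through 8 have, and the letter footnotes are placed above the numbered ones rather than after them. Also check that the cells now reading "check markA" and "check markB" use the same superscript markup as the existing "check mark1" style cells, since in the rendered diff the letter is indistinguishable from a stray character.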
Footnotes: -- A - Only for mobile application management (MAM) +- A - Only for mobile application management (MAM) - B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. From 7ef4e5ade9277041be1aa55212925cee5db4bb04 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:48:36 +0530 Subject: [PATCH 043/137] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e23ec60e95..e13ad288ab 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2623,7 +2623,7 @@ The following list shows the CSPs supported in HoloLens devices:
Footnotes: -- A - Only for mobile application management (MAM) +- A - Only for mobile application management (MAM). - B - Provisioning only - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. From 460f60dd4abec4c5228991d27e829a1489c0b06e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:48:48 +0530 Subject: [PATCH 044/137] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e13ad288ab..f4fab2c509 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2633,5 +2633,5 @@ The following list shows the CSPs supported in HoloLens devices: - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. -- 9 - Added in Windows 10 Team 2020 Update +- 9 - Added in Windows 10 Team 2020 Update. - 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 827ed7c9761b1ca8fdefe65d59d306903c960fc3 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:49:00 +0530 Subject: [PATCH 045/137] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index f4fab2c509..0f759f0e22 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2634,4 +2634,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update. -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2). From 3ac0b220781ec3f56a70100448772bceec07ac1e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 10:49:13 +0530 Subject: [PATCH 046/137] Update windows/client-management/mdm/configuration-service-provider-reference.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/configuration-service-provider-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 0f759f0e22..e9ff678bdb 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2624,7 +2624,7 @@ The following list shows the CSPs supported in HoloLens devices: Footnotes: - A - Only for mobile application management (MAM). -- B - Provisioning only +- B - Provisioning only. - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. 
From f139f3b91614e2ed3df61b40953315379a99b781 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:24:06 +0530 Subject: [PATCH 047/137] Update windows/client-management/mdm/healthattestation-csp.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/healthattestation-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7ba60128fb..9df5a62fdf 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,5 +1,5 @@ --- -title: HealthAttestation CSP +title: Device HealthAttestation CSP description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: @@ -1176,4 +1176,3 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio [Configuration service provider reference](configuration-service-provider-reference.md) - From 9fd633ba5a9bf87b9868997929b69b44db80a164 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 12:38:29 +0500 Subject: [PATCH 048/137] update basic-audit-account-management.md --- .../basic-audit-account-management.md | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 10a7cb1c8c..dd21f98e57 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md 
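Review bot: The first hunk reverts the title change from PATCH 040 in this same series, restoring "Device HealthAttestation CSP", which is the right call given the "DHA-CSP" abbreviation in the description line; it would help to say in the commit message that this is a revert rather than "accepted". The second hunk (@@ -1176,4 +1176,3 @@) only drops a trailing blank line, which is fine.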
@@ -46,48 +46,48 @@ You can configure this security setting by opening the appropriate policy under | Account management events | Description | |---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 624 | A user account was created. | -| 627 | A user password was changed. | -| 628 | A user password was set. | -| 630 | A user account was deleted. | -| 631 | A global group was created. | -| 632 | A member was added to a global group. | -| 633 | A member was removed from a global group. | -| 634 | A global group was deleted. | -| 635 | A new local group was created. | -| 636 | A member was added to a local group. | -| 637 | A member was removed from a local group. | -| 638 | A local group was deleted. | -| 639 | A local group account was changed. | -| 641 | A global group account was changed. | -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. 
| +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | | 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics From ab320a70eac965e084f5e73670f000c27b9d559a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:24:45 +0500 Subject: [PATCH 049/137] Update Proxy servers and Internal proxy servers Made changes in Proxy servers and Internal proxy servers. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9499 --- .../create-wip-policy-using-intune-azure.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..69a4976fae 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. -Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console 
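Review bot: The last row of the table in hunk @@ -46,48 +46,48 @@ still reads "| 685 | Set the security descriptor of members of administrative groups." after every other row was converted from the legacy three-digit ID to its 47xx equivalent, so the table now mixes two numbering schemes; either map 685 as well or remove the row if it has no counterpart. Two things worth double-checking while in this table: the old text listed 645 twice (for "A computer account was created" and "A security-disabled global group was changed"), and the new text resolves that to 4741 and 4750, which looks right but should be called out in the commit message; and the new 4780 row carries the same description as the remaining 685 row, so the two rows are now indistinguishable apart from the note.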
@@ -497,8 +497,7 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. -Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console From 0ea039011830844a17359aa17bffc66723a54bbd Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:29:53 +0500 Subject: [PATCH 050/137] Update in Changing the PIN Made some update in Changing the PIN Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9475 --- .../virtual-smart-card-use-virtual-smart-cards.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index cb9d870d46..f5d0883f98 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md 
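Review bot: In hunk @@ -497,8 +497,7 @@ the replacement joins two sentences onto one line ("This list shouldn't include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic."), while the first hunk (@@ -486,7 +486,7 @@) keeps one sentence per line; keep them on separate lines for consistency and cleaner future diffs. The substance of both hunks is correct: the sentences were previously under the wrong headings, so the Proxy servers section now says non-WIP traffic and the Internal proxy servers section says WIP-protected traffic.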
@@ -80,8 +80,12 @@ A TPM-based virtual smart card is labeled **Security Device** in the user interf ## Changing the PIN -The PIN for virtual smart card can be changed by pressing Ctrl+Alt+Del, and then selecting the TPM virtual smart card under **Sign in options**. - +The PIN for virtual smart card can be changed by following steps: +- Log on with the old pin or password. +- Press Ctrl+Alt+Del and choose **Change a password**. +- Click ""Sign-in Options**. +- Click the **Virtual smart card icon**. +- Change the pin. ## Resolving issues ### TPM not provisioned @@ -100,4 +104,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter ## See also -For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). \ No newline at end of file +For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md). From 70acd1d2b6e65ecdce2dbf73fa5a8bfc84416a25 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 2 Jun 2021 13:01:35 +0100 Subject: [PATCH 051/137] updates for AllowTelemetry --- .../mdm/policy-csp-system.md | 20 +++++++------------ ...s-to-windows-diagnostic-data-collection.md | 2 +- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 905ec90ac2..89ff9b9090 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
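Review bot: in hunk @@ -80 of virtual-smart-card-use-virtual-smart-cards.md, the bullet `+- Click ""Sign-in Options**.` has mismatched bold markers (an opening `""` instead of `**`), so it will render with a stray pair of quotes and a literal `**`; write it as `- Click **Sign-in Options**.`. In the same list, "pin" should be "PIN" to match the heading and the rest of the page, "by following steps" should read "by following these steps", and the blank line removed before `## Resolving issues` should be kept so the list and the heading stay separated.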
@@ -740,22 +740,16 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. -- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +- 0 – (**Security**) This turns Windows diagnostic data off. +- **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. +- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data, such as limited crash dumps. 
+- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. -Most restricted value is 0. - -For Windows 10 version 19H1 and later, we simplified your diagnostic data controls by moving from four diagnostic data controls to three. The following list shows the supported values: - -- **0 - Diagnostic data off** - No Windows diagnostic data sent. -- **1 - Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **3 - Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +Most restrictive value is 0. > [!NOTE] -> If your devices are set to Enhanced when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). +> If your devices are set to Enhanced when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of Required diagnostic data. For more information, see [Changes to Windows diagnostic data](/windows/privacy/changes-to-windows-diagnostic-data-collection). + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +## Human-operated ransomware + +Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. 
Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. + +Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. + +The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). + +See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks. From 1174cb4b333f2ebca7c124e6a51b379eac330ea7 Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Fri, 4 Jun 2021 13:02:07 -0700 Subject: [PATCH 070/137] Update ransomware-malware.md --- .../intelligence/ransomware-malware.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 00bd93579d..2eee3a6421 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md 
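Review bot: in hunk @@ -740 of policy-csp-system.md, the unchanged lead-in still says "supported values for Windows 10 version 1809 and older", yet the new value names (Required, Optional, "This turns Windows diagnostic data off") are the post-19H1 names and the separate 19H1-and-later list is deleted, so the lead-in no longer matches the list; either update the lead-in or keep the version split. Also, `+- **Note**: This value is only applicable...` is now a standalone list item rather than a note attached to value 0 (indent it under the 0 bullet or use the page's `> [!NOTE]` form), "other devices editions of Windows" is garbled ("other editions of Windows"), and "will be evaluated to be at the more privacy-preserving setting" is less clear than the original "will be migrated to".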
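Review bot: the `+## Human-operated ransomware` hunk (ransomware-malware.md, judging by the prevent-malware-infection.md link) carries no `diff --git` or `@@` header on this page, so its target file and position cannot be checked here. In its text, the link labelled "this [article]" is non-descriptive; use the target's title, e.g. "see [Human-operated ransomware](/security/compass/human-operated-ransomware)". "deployment of ransomware payloads to high business impact resources" also needs hyphens in the compound modifier ("high-business-impact resources").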
@@ -66,7 +66,7 @@ To provide the best protection against ransomware attacks, Microsoft recommends 2. Deploy regular hardware and software systems patching and effective vulnerability management - A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software vendors release them. + A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them. A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. @@ -74,9 +74,9 @@ To provide the best protection against ransomware attacks, Microsoft recommends **HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10). -3. Use up-to-date antivirus and an endpoint detection and response (EDR) solutions +3. Use up to date antivirus and an endpoint detection and response (EDR) solutions - While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, it’s very important to ensure that your antivirus solutions are kept up-to-date with your software vendors. + While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers. Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. 
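Review bot: in hunk @@ -74 of ransomware-malware.md, "Use up to date antivirus" drops the hyphens from a compound adjective placed before a noun; the hyphenated "up-to-date antivirus" in the removed line was correct, whereas the later predicate use ("kept up to date") is correctly unhyphenated. The unchanged "an endpoint detection and response (EDR) solutions" also pairs a singular article with a plural noun; use "an EDR solution" or "EDR solutions".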
@@ -88,11 +88,11 @@ To provide the best protection against ransomware attacks, Microsoft recommends **HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions. -5. Implement effective application allow lists +5. Implement effective application allowlists - It’s very important as part of a ransomware prevention strategy to restrict the applications that can run within an IT infrastructure. Application allow lists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. + You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. - **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. + **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. 6. Regularly back up critical systems and files 
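Review bot: in hunk @@ -88, the leading slash added to the Conditional Access link is the substantive fix (the old `azure/active-directory/...` path was relative to the current page and would not resolve). The rewrite to "You need to restrict the applications that can run" drops the rationale "as part of a ransomware prevention strategy"; keep the reason, e.g. "As part of a ransomware prevention strategy, restrict the applications that can run within an IT infrastructure."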
From 840a38048575d1bbb83ef14c9877ab793d1ba891 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 4 Jun 2021 13:54:49 -0700 Subject: [PATCH 071/137] Added suggested feedback to event-id-explanation and select-types-of-rules documents. --- .../event-id-explanations.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index fb6a29d22d..f6ca319d9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -109,7 +109,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 91b1a1725e..fa5065912e 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. ## More information about hashes From 9f96ebfac501647c03b74cfc94a93bac1c7032bd Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Fri, 4 Jun 2021 15:57:28 -0700 Subject: [PATCH 072/137] Update ransomware-malware.md --- .../threat-protection/intelligence/ransomware-malware.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 2eee3a6421..f09ebe1af1 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md 
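Review bot: in hunk @@ -127 of select-types-of-rules-to-create.md, the replaced note still carries the agreement error "the WDAC policies that has been deployed"; since the version wording on that line is being edited anyway, change it to "policies that have been deployed".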
@@ -62,7 +62,7 @@ To provide the best protection against ransomware attacks, Microsoft recommends By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress. - **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization' Exchange Online mailboxes against spam, malware, and other email threats. + **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization's Exchange Online mailboxes against spam, malware, and other email threats. 2. Deploy regular hardware and software systems patching and effective vulnerability management From d55e19b1fb18b23c3fc84817a9e0b98eebe68456 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:01:29 +0530 Subject: [PATCH 073/137] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 3214cc878a..a045a86cc0 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
@@ -126,7 +126,7 @@ There are potentially a thousand or more feature updates displayed in the Config Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**, +2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. The **Download Software Updates Wizard** opens. 3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: From aab9c1f49a47a4ec695871db8436ed75194e6de6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:09:52 +0530 Subject: [PATCH 074/137] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index a045a86cc0..b1ee4d2dd8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md 
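Review bot: in hunk @@ -126 of feature-update-maintenance-window.md, the comma-to-period fix at the end of step 2 is right, but the same line keeps "right click" as a verb; hyphenate it ("right-click") to match the usual UI-instruction style.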
+++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -127,6 +127,7 @@ Before you deploy the feature updates, you can download the content as a separat 1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. + The **Download Software Updates Wizard** opens. 3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: From 4976757337aa37e7c23e5e7cf7a304086585426f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:10:06 +0530 Subject: [PATCH 075/137] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index b1ee4d2dd8..630c2b6867 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
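Review bot: in hunk @@ -127, the added line `+ The **Download Software Updates Wizard** opens.` already appears immediately after step 2 in the previous patch's hunk (@@ -126 in PATCH 073), so confirm this does not produce the sentence twice. If it is genuinely new, indent it to the list item's content column (three spaces after `2.`) so it renders as part of step 2 rather than as a loosely attached line.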
@@ -185,6 +185,7 @@ After you determine which feature updates you intend to deploy, you can manually 1. In the Configuration Manager console, click **Software Library**. 2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**, + The **Deploy Software Updates Wizard** opens. 4. On the General page, configure the following settings: - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** From 7687ee2034c302e019134cbd28184475802b256c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:10:39 +0530 Subject: [PATCH 076/137] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 630c2b6867..6f359c369a 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
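Review bot: in hunk @@ -185, the new line "The **Deploy Software Updates Wizard** opens." is inserted after a step that still ends with a comma (`select **Deploy**,`), so the text reads "...select **Deploy**, The Deploy Software Updates Wizard opens."; change the comma to a period in the same change rather than in a follow-up (PATCH 077 in this series does exactly that).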
@@ -251,7 +251,7 @@ After you determine which feature updates you intend to deploy, you can manually - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content Source Priority](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). 10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 11. Click **Next** to deploy the feature update(s). From cfb6ec4f44efa773f610febb8bafbcbf18cdd1db Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 5 Jun 2021 12:11:02 +0530 Subject: [PATCH 077/137] Update windows/deployment/update/feature-update-maintenance-window.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 6f359c369a..771a7648f8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -184,7 +184,7 @@ After you determine which feature updates you intend to deploy, you can manually 1. In the Configuration Manager console, click **Software Library**. 2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**, +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. The **Deploy Software Updates Wizard** opens. 4. On the General page, configure the following settings: From 4551a1a6c5824a305885e0821bbaf3f6515c82ee Mon Sep 17 00:00:00 2001 From: Joe Davies Date: Mon, 7 Jun 2021 07:35:30 -0700 Subject: [PATCH 078/137] Update ransomware-malware.md --- .../intelligence/ransomware-malware.md | 47 +------------------ 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index f09ebe1af1..5a04348f87 100644 
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md 
@@ -56,58 +56,13 @@ Organizations can be targeted specifically by attackers, or they can be caught i To provide the best protection against ransomware attacks, Microsoft recommends that you: -1. Use an effective email filtering solution - - According to the [Microsoft Security Intelligence Report Volume 24 of 2018](https://clouddamcdnprodep.azureedge.net/gdc/gdc09FrGq/original), spam and phishing emails are still the most common delivery method for ransomware infections. To effectively stop ransomware at its entry point, you must adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats. - - By adopting an enterprise-grade email protection solution, most cybersecurity threats against an organization will be blocked at ingress and egress. - - **HOW:** Use [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview), the Microsoft 365 and Office 365 cloud-based filtering service that protects your organization's Exchange Online mailboxes against spam, malware, and other email threats. - -2. Deploy regular hardware and software systems patching and effective vulnerability management - - A vital defense against cybersecurity attacks is the application of security updates and patches as soon as the software publishers release them. - - A prominent example of this failure was the WannaCry ransomware events in 2017, one of the largest global cybersecurity attacks in the history of the internet, which used a leaked vulnerability in Windows networking Server Message Block (SMB) protocol, for which Microsoft had released a patch nearly two months before the first publicized incident. - - Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware. 
- - **HOW:** Use [update channels](/microsoft-365/enterprise/deploy-update-channels-examples) for recommendations on updates for Windows 10 and Microsoft 365 Apps for Enterprise (Windows 10). - -3. Use up to date antivirus and an endpoint detection and response (EDR) solutions - - While owning an antivirus solution alone does not ensure absolute protection against viruses and other advanced computer threats, ensure that your antivirus solutions are kept up to date with your software publishers. - - Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. - - EDR solutions collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility to systems. The data sets and alerts generated by an EDR solution can help stop advanced threats and are often leveraged for responding to security incidents. - -4. Separate administrative and privileged credentials from standard credentials - - Separate your system administrative accounts from your standard user accounts to ensure those administrative accounts are not useable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single standard user account doesn’t lead to the compromise of your entire IT infrastructure. 
- - **HOW:** To effectively reduce your credential attack surface, use Microsoft support for [Azure Multi-Factor Authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) to require stronger authentication for privileged accounts, [Azure Privileged Identity Management (PIM)](/azure/active-directory/privileged-identity-management/) for just-in-time use of privileged accounts, and [Privileged Access Management (PAM)](/microsoft-365/compliance/privileged-access-management-solution-overview) for just-in-time access to Microsoft 365 tasks that need elevated permissions. - -5. Implement effective application allowlists - - You need to restrict the applications that can run within an IT infrastructure. Application allowlists ensure only applications that have been tested and approved by an organization can run on the systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, this strategy has been proven effective. - - **HOW:** For Microsoft 365 apps, use [Azure AD Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to require approved apps. - -6. Regularly back up critical systems and files - - The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, and it can often make them unrecoverable; consequently, it’s of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack. - +- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). 
It can stop ransomware from encrypting files and holding the files for ransom. For more general tips, see [prevent malware infection](prevent-malware-infection.md). From eb5fb0cf09ae5feade62a76072c5bc0884d789b0 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Mon, 7 Jun 2021 08:45:00 -0700 Subject: [PATCH 079/137] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2c20894dcf..ff10761a52 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -59,6 +59,9 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) +--------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) +--------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -521,6 +524,71 @@ More details: - [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) +
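Review bot: in hunk @@ -56 of ransomware-malware.md, the unchanged lead-in "Microsoft recommends that you:" now introduces a single bullet, and the removal drops the patching, EDR, privileged-credential separation, application allowlist and backup guidance (about 46 lines) that earlier patches in this series (PATCH 070, PATCH 072) were still refining. If that guidance now lives in the linked human-operated ransomware article, say so in the commit message and turn the lone bullet into a sentence ("Microsoft recommends that you [implement controlled folder access](...), which can stop ransomware from encrypting files..."); otherwise this is a net loss of actionable content.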
**Configuration/PlatformUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/EngineUpdatesChannel** +Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + +Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. 
+ +Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 0: Not configured (Default) +• 1: Beta Channel - Prerelease +• 2: Current Channel (Preview) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + +**Configuration/DefinitionUpdatesChannel** +Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + +Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%) + +Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + +If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. + +The data type is integer. +Supported operations are Add, Delete, Get, Replace. + +Valid Values are: +• 0: Not configured (Default) +• 3: Current Channel (Staged) +• 4: Current Channel (Broad) + **Scan** Node that can be used to start a Windows Defender scan on a device. 
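Review bot: in the new Configuration/PlatformUpdatesChannel, EngineUpdatesChannel and DefinitionUpdatesChannel text, the Staged and Broad descriptions read as the same thing: Staged says devices "will be offered updates after the monthly gradual release cycle" and Broad says "only after the gradual release cycle completes", so a reader cannot tell what Staged gives them that Broad does not; reword one of them to say at which point in the cycle Staged devices are offered the update. Smaller points in the same hunk: the DefinitionUpdatesChannel block writes "Valid Values are:" where the other two blocks write "Valid values are:", its Staged line is missing "your" and a period ("part of production population (~10%)"), it lacks the blank line the other blocks have between "The data type is integer." and "Supported operations are ...", and all three value lists use the "•" character instead of the "- " markdown list syntax used by the rest of this file, so they will not render as lists.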
From 57309f51e80c02e22b105c93f9198f14c9811faf Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 09:38:34 -0700 Subject: [PATCH 080/137] Implemented 1 last suggestion to event ID 8036 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index f6ca319d9d..e09ff64630 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. Learn more about COM object authorization: [Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From c18073c830e580029fdf78314f953f82a6753e31 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Mon, 7 Jun 2021 14:44:15 -0400 Subject: [PATCH 081/137] corrected OMA-URI for Commercial ID @jaimeo --- .../deployment/update/update-compliance-configuration-mem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index c4ce3579f9..01de3567bf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md 
+++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -40,7 +40,7 @@ Take the following steps to create a configuration profile that will set require 2. Add a setting for **Commercial ID** ) with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: From baba2c8823d9e23078aff23dd22e34c020748feb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 7 Jun 2021 12:42:30 -0700 Subject: [PATCH 082/137] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index ff10761a52..acc2fed615 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/02/2021 +ms.date: 06/07/2021 --- # Defender CSP @@ -521,7 +521,7 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) **Configuration/PlatformUpdatesChannel** From 560d09e0e55760ffc4b97bf4242133b7203d0af2 Mon Sep 17 00:00:00 2001 
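Review bot: `ProviderID` in the corrected OMA-URI `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` reads as a placeholder path segment rather than a literal value, while the removed line carried the concrete provider ID (`MS DM Server`) that this Endpoint Manager article used before; if the change is meant to generalize the path, add a sentence stating that ProviderID must be replaced with the enrollment's actual provider ID, otherwise readers of an article titled for Endpoint Manager will paste the placeholder as-is and the setting will not target their enrollment. In the surrounding context lines, "Add a setting for **Commercial ID** ) with the following values" has a stray `)`, and both settings in the procedure are numbered `2.`; renumber the second one `3.`.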
From: Kim Klein Date: Mon, 7 Jun 2021 15:26:17 -0700 Subject: [PATCH 083/137] Added a section for supplemental policies. --- .../select-types-of-rules-to-create.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..f5e5b8c109 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -71,6 +71,16 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | +### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +| Rule option | Description | +|------------ | ----------- | +| 5 | Enabled: Inherit Default Policy | +| **6** | **Enabled: Unsigned System Integrity Policy** | +| 7 | Allowed: Debug Policy Augmented | +| **13** | **Enabled: Managed Installer** | +| **14** | **Enabled: Intelligent Security Graph Authorization** | +| **18** | **Disabled: Runtime FilePath Rule Protection** | + ## Windows Defender Application Control file rule levels File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. From bb345aa0690e2344aca3f2b0de66b5e0440f730b Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 8 Jun 2021 10:18:28 +0530 Subject: [PATCH 084/137] added-for-5120578 new image for 5120578 --- .../bitlocker/images/yes-icon.png | Bin 0 -> 916 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/information-protection/bitlocker/images/yes-icon.png 
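Review bot: the new supplemental-policy table bolds some rows (6, 13, 14, 18) and leaves others plain (5, 7) with no legend, while the sentence above only says that 5 is unimplemented and 7 unsupported; either state what bold means or drop 5 and 7 from a table introduced as the options that "are valid for supplemental policies" and keep that caveat in prose. The introductory sentence is also marked up as a `###` heading, which it is not; make it a paragraph and add a blank line before the table so the table renders. Finally, the Description column just repeats the option name ("Enabled: Inherit Default Policy") instead of describing the option as Table 1 above does; reuse the Table 1 descriptions or link each row to its Table 1 entry.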
diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/information-protection/bitlocker/images/yes-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..bbae7d30522832e4ebf00c52e1c2af7f11e5e952 GIT binary patch From 236f5143deb430b86426fb70c329aff141097034 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 10:31:46 +0530 Subject: [PATCH 085/137] Update bitlocker-deployment-comparison.md Updated the image to yes icon --- .../bitlocker-deployment-comparison.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index d3e5e2f766..f4d29550e4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -35,32 +35,32 @@ This article depicts the BitLocker deployment comparison chart. |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | -|Server components required? | | :::image type="content" source="images/dot_new.png" alt-text="dots"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client | |Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | -|Administrative portal installation required | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Compliance reporting capabilities | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Force encryption | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Encryption for storage cards (mobile) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Allow recovery password | :::image type="content" 
source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage startup authentication | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Encryption for 
storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | -|Customize preboot message and recovery 
link | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow/deny key file creation | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Deny Write permission to unprotected drives | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Can be administered outside company network | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | -|Support for organization unique IDs | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/dot1.png" alt-text="dot"::: | | | -|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Allow or deny Data Recovery Agent | :::image type="content" 
source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Prevent memory overwrite on restart | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | -|Manage auto-unlock functionality | | :::image type="content" source="images/dot1.png" alt-text="dot"::: | :::image type="content" source="images/dot1.png" alt-text="dot"::: | +|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | +|Support for organization unique IDs | | 
:::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | | +|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | +|Manage auto-unlock functionality | | 
:::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | From 2b82513f59cc8d11340fb7074376ac64553d7a5c Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 8 Jun 2021 11:06:56 +0530 Subject: [PATCH 086/137] delete-irrelevant-images deleted unwanted images that i added earlier for this task --- .../bitlocker/images/dot.png | Bin 674 -> 0 bytes .../bitlocker/images/dot1.png | Bin 739 -> 0 bytes .../bitlocker/images/dot_new.png | Bin 734 -> 0 bytes 3 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/security/information-protection/bitlocker/images/dot.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot1.png delete mode 100644 windows/security/information-protection/bitlocker/images/dot_new.png diff --git a/windows/security/information-protection/bitlocker/images/dot.png b/windows/security/information-protection/bitlocker/images/dot.png deleted file mode 100644 index 8dc160da790bb40082cb31ae078125c8dd9bcb14..0000000000000000000000000000000000000000 GIT binary patch
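Review bot: swapping the dots for an icon with alt text "supported" helps screen readers, but the cells that mean "not supported" are still left empty, so an assistive-technology or plain-text rendering gives no signal for them; put an explicit "No" or a not-supported icon with its own alt text in the blank cells. The table also mixes conventions within single rows: "Self-service recovery" and "Recovery password rotation for fixed and operating environment drives" carry literal "Yes (...)" text in the first column and icons in the other two, and "Store recovery password ... to Azure AD or Active Directory" uses "Yes" words throughout. Consistent "Yes"/"No" text with a parenthetical qualifier where needed would be simpler to maintain than per-cell images.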
diff --git a/windows/security/information-protection/bitlocker/images/dot1.png b/windows/security/information-protection/bitlocker/images/dot1.png deleted file mode 100644 index c9ec7c52ab41b4f5c567d7a8db90e7b679d47928..0000000000000000000000000000000000000000 GIT binary patch Date: Tue, 8 Jun 2021 09:38:41 -0700 Subject: [PATCH 087/137] Removed the heading format for the new text and also swapped out "number" for "option." --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f5e5b8c109..7a56e31130 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -71,7 +71,8 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | -### The following options are valid for supplemental policies. However, number 5 is not implemented as it is reserved for future work, and number 7 is not supported. +The following options are valid for supplemental policies. However, option 5 is not implemented as it is reserved for future work, and option 7 is not supported. + | Rule option | Description | |------------ | ----------- | | 5 | Enabled: Inherit Default Policy | From d0c4483edec560d839288689bfc3557412a17c7f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 13:55:32 -0700 Subject: [PATCH 088/137] Acrolinx "Bitlocker" --- .../bitlocker/bitlocker-deployment-comparison.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index f4d29550e4..de76b10cc5 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,6 +1,6 @@ --- title: BitLocker deployment comparison (Windows 10) -description: This article shows the Bitlocker deployment comparison chart. +description: This article shows the BitLocker deployment comparison chart. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From e3aa788ac7f136c183a7480b70ee08247bed97c0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 8 Jun 2021 15:06:15 -0700 Subject: [PATCH 089/137] Update windows/client-management/mdm/defender-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index acc2fed615..dbdc03e3aa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -566,11 +566,11 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) +- 0 - Not configured (Default) +- 1 - Beta Channel - Prerelease +- 2 - Current Channel (Preview) +- 3 - Current Channel (Staged) +- 4 - Current Channel (Broad) **Configuration/DefinitionUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. From ccb70b243bcf508a3355b1d1194b5577eedb6c00 Mon Sep 17 00:00:00 2001 
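Review bot: this list fix covers only the EngineUpdatesChannel values (the hunk at lines 566-571, immediately above "**Configuration/DefinitionUpdatesChannel**"); the identical "•" lists under Configuration/PlatformUpdatesChannel and Configuration/DefinitionUpdatesChannel in the same file are left untouched and will still not render as lists, so convert them in the same change. The new item format "- 1 - Beta Channel - Prerelease" also uses the hyphen as list marker, separator and part of the name in one line; "- 1: Beta Channel (Prerelease)" would be easier to read and matches the "0: Not configured" form used for the other nodes.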
From: Marysia Kaminska <85372436+marysiakam9889@users.noreply.github.com> Date: Tue, 8 Jun 2021 16:35:35 -0700 Subject: [PATCH 090/137] Update defender-ddf.md adding new csp's for Defender Update controls: DisableGradualRelease, DefinitionUpdatesChannel, EngineUpdatesChannel, and PlatformUpdatesChannel --- windows/client-management/mdm/defender-ddf.md | 180 ++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index a63f4dec92..b4c21b747a 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
@@ -757,6 +757,186 @@ The XML below is the current version for this CSP. + + DisableGradualRelease + + + + + + + + Enable this policy to disable gradual rollout of Defender updates. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 1 + Gradual release is disabled + + + 0 + Gradual release is enabled + + + + + + DefinitionUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + EngineUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. 
+ + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + + + PlatformUpdatesChannel + + + + + + + + Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. + + + + + + + + + + + text/plain + + + 99.9.99999 + 1.3 + + + + 0 + Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. + + + 2 + Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. + + + 3 + Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. + + + 4 + Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). + + + 5 + Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). + + + + Scan From cd99516b0029f122bc575c93c7344caa6869ebda Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 8 Jun 2021 16:46:25 -0700 Subject: [PATCH 091/137] fix --- windows/application-management/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
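Review bot: the value-to-channel mapping in the new DDF nodes in the defender-ddf.md hunk above (EngineUpdatesChannel and PlatformUpdatesChannel: 2 = Beta, 3 = Preview, 4 = Staged, 5 = Broad; DefinitionUpdatesChannel: 4 = Staged, 5 = Broad) does not match the Defender CSP reference text for the same nodes, which lists 1 = Beta, 2 = Preview, 3 = Staged, 4 = Broad (and 3 = Staged, 4 = Broad for definitions), and value 1 does not appear in the DDF enumerations at all. Settle on one mapping and apply it in both files before this ships; an MDM payload built from the wrong table silently puts devices on a different ring than the admin intended (4 means Staged in one document and Broad in the other). Separately, the DefinitionUpdatesChannel value 4 text says "after the monthly gradual release cycle" although the node description says definition updates roll out daily; say "daily" there, as the CSP text does.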
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index dc786fd289..95053b27f0 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml @@ -5,7 +5,7 @@ summary: Learn about managing applications in Windows client, including how to r metadata: title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows Sun Valley. # Required; article description that is displayed in search results. < 160 chars. + description: Learn about managing applications in Windows 10. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice From e640603aef1d3eb2aaadcf5db4fbdb6bacc66e20 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 8 Jun 2021 21:14:03 -0700 Subject: [PATCH 092/137] Applied "> [!NOTE]" style --- ...policy-csp-localpoliciessecurityoptions.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 8beeba2c2e..1d2f90b193 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md 
@@ -1241,7 +1241,8 @@ If you click Force Logoff in the Properties dialog box for this policy, the user If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. @@ -2457,7 +2458,8 @@ If you select "Enable auditing for all accounts", the server will log events for This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2535,7 +2537,8 @@ If you select "Deny all accounts," the server will deny NTLM authentication requ This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. 
@@ -2613,7 +2616,8 @@ If you select "Deny all," the client computer cannot authenticate identities to This policy is supported on at least Windows 7 or Windows Server 2008 R2. -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2897,7 +2901,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. +- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
@@ -3172,7 +3178,8 @@ This policy setting controls whether applications that request to run with a Use - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. +> [!NOTE] +> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -3240,7 +3247,9 @@ User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. From 36f4a8e1e005f397d9df19b4738db1131d4270c9 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Tue, 8 Jun 2021 21:14:54 -0700 Subject: [PATCH 093/137] =?UTF-8?q?Replaced=20"=C3=A2=E2=82=AC=C2=A6"=20in?= =?UTF-8?q?=20file=20path=20with=20"."?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1d2f90b193..0d4580ee4b 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3174,9 +3174,9 @@ User Account Control: Only elevate UIAccess applications that are installed in s This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows +- .\Program Files\, including subfolders +- .\Windows\system32\ +- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows > [!NOTE] > Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. From 0df3a52c4af3656c945bfb7848ab32d0d1f37a73 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 9 Jun 2021 09:13:30 +0200 Subject: [PATCH 094/137] Update filter-origin-documentation.md Fixing a typo in the auditpol commands to enable WFP packet drop auditing --- .../windows-firewall/filter-origin-documentation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
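Review bot: replacing "…" with "." in the three secure-location paths changes their meaning rather than just their encoding: the ellipsis stands in for the system drive root (C:\Program Files\ on a default install), whereas ".\Program Files\" reads as a path relative to the current directory, which is not what the UIAccess secure-location check evaluates. If the ellipsis character is a problem for the build, spell the roots out instead, for example `%ProgramFiles%\`, `%SystemRoot%\System32\` and `%ProgramFiles(x86)%\`, or `<drive>:\Program Files\`.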
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index c1121baa73..90d5fd2514 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -67,7 +67,7 @@ To enable a specific audit event, run the corresponding command in an administra |**Audit #**|**Enable command**|**Link**| |:-----|:-----|:-----| |**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)| -|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| +|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Packet Drop" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)| ## Example flow of debugging packet drops with filter origin @@ -168,4 +168,4 @@ For more information on how to debug drops caused by UWP default block filters, **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. \ No newline at end of file +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. 
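Review bot: the subcategory fix for 5152 is correct, but both rows in the table still pass `/success:enable`, which neither event needs: 5152 and 5157 are failure audits, so the success flag is a no-op for "Filtering Platform Packet Drop" and, for "Filtering Platform Connection", additionally switches on the permitted-connection events (5156, 5154, 5158), which can produce thousands of entries per minute on a busy host. Consider `/success:disable /failure:enable` in both commands, and add a sentence telling the reader to turn the subcategories back off once the drop has been diagnosed.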
From d383abf06cf5469119d5549a6cc6c7b86cb81c6e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 Jun 2021 11:05:13 -0700 Subject: [PATCH 095/137] revert --- windows/client-management/mdm/defender-csp.md | 74 +------------------ 1 file changed, 3 insertions(+), 71 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index dbdc03e3aa..a97b4484db 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/07/2021 +ms.date: 06/02/2021 --- # Defender CSP @@ -59,9 +59,6 @@ Defender --------TamperProtection (Added in Windows 10, version 1903) --------EnableFileHashComputation (Added in Windows 10, version 1903) --------SupportLogLocation (Added in the next major release of Windows 10) ---------PlatformUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ---------EngineUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ---------DefinitionUpdatesChannel (Added with the 4.18.2105.4 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) 
@@ -521,74 +518,9 @@ When enabled or disabled exists on the client and admin moves the setting to not More details: -- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) +- [Microsoft Defender AV diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -**Configuration/PlatformUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. 
- -Valid values are: -• 0: Not configured (Default) -• 1: Beta Channel - Prerelease -• 2: Current Channel (Preview) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) - -**Configuration/EngineUpdatesChannel** -Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - -Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - -Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - -The data type is integer. - -Supported operations are Add, Delete, Get, Replace. - -Valid values are: -- 0 - Not configured (Default) -- 1 - Beta Channel - Prerelease -- 2 - Current Channel (Preview) -- 3 - Current Channel (Staged) -- 4 - Current Channel (Broad) - -**Configuration/DefinitionUpdatesChannel** -Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. - -Current Channel (Staged): Devices will be offered updates after the release cycle. 
Suggested to apply to a small, representative part of production population (~10%) - -Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - -If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. - -The data type is integer. -Supported operations are Add, Delete, Get, Replace. - -Valid Values are: -• 0: Not configured (Default) -• 3: Current Channel (Staged) -• 4: Current Channel (Broad) - **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -610,4 +542,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file From c19599c11a1f5a02bbdcb61d8d7124d10474c363 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:20:21 -0700 Subject: [PATCH 096/137] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index a97b4484db..a423b48612 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -94,11 +94,11 @@ The data type is integer. The following list shows the supported values: -- 0 = Unknown -- 1 = Low -- 2 = Moderate -- 4 = High -- 5 = Severe +- 0 = Unknown +- 1 = Low +- 2 = Moderate +- 4 = High +- 5 = Severe Supported operation is Get. From ab77e37ba969b67c526233351346af25df4d4089 Mon Sep 17 00:00:00 2001 
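Review bot: the revert removes more than the three channel nodes: the "More details" hunk turns "Microsoft Defender Antivirus" back into "Microsoft Defender AV", the frontmatter hunk moves `ms.date` backwards to 06/02/2021 instead of stamping the date of this edit, and the last hunk reintroduces the missing trailing newline on the Related topics line. Keep the product-name and newline fixes and set `ms.date` to the current date; only the PlatformUpdatesChannel, EngineUpdatesChannel and DefinitionUpdatesChannel text needs to go. It is also worth recording in the PR why the nodes are out: the valid-value lists in the removed text (1 = Beta through 4 = Broad) disagree with the 2 through 5 enumeration in the DDF, so the correct set should be confirmed with the Defender team before the nodes are re-added.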
From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:20:46 -0700 Subject: [PATCH 097/137] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index a423b48612..eeb53adf0b 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -171,17 +171,17 @@ The data type is integer. The following list shows the supported values: -- 0 = Active -- 1 = Action failed -- 2 = Manual steps required -- 3 = Full scan required -- 4 = Reboot required -- 5 = Remediated with noncritical failures -- 6 = Quarantined -- 7 = Removed -- 8 = Cleaned -- 9 = Allowed -- 10 = No Status ( Cleared) +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with noncritical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status ( Cleared) Supported operation is Get. From 3a0889b5734ecd753d7682e8ff761d7febc12b15 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 9 Jun 2021 11:26:44 -0700 Subject: [PATCH 098/137] Update defender-ddf.md --- windows/client-management/mdm/defender-ddf.md | 180 ------------------ 1 file changed, 180 deletions(-) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index b4c21b747a..7aa0520e15 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -10,7 +10,6 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/11/2020 --- # Defender DDF file 
@@ -758,185 +757,6 @@ The XML below is the current version for this CSP. - DisableGradualRelease - - - - - - - - Enable this policy to disable gradual rollout of Defender updates. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 1 - Gradual release is disabled - - - 0 - Gradual release is enabled - - - - - - DefinitionUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - - - EngineUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. 
- - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - - - PlatformUpdatesChannel - - - - - - - - Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. - - - - - - - - - - - text/plain - - - 99.9.99999 - 1.3 - - - - 0 - Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. - - - 2 - Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. - - - 3 - Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. - - - 4 - Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). - - - 5 - Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). - - - - Scan From 8a70374af83826fb4d9816ab68328ade757ff3b4 Mon Sep 17 00:00:00 2001 
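Review bot: the frontmatter hunk deletes the `ms.date` line outright rather than reverting or updating it, which is a different treatment from the matching CSP revert in defender-csp.md, where the field was kept; either keep `ms.date` with the current date in both files or drop it in both, not one of each. The removal of the four DDF nodes themselves is consistent with the CSP reference revert, so the two pages stay in sync.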
From: mapalko Date: Wed, 9 Jun 2021 14:47:50 -0700 Subject: [PATCH 099/137] updating multi camera support in FAQ --- .../identity-protection/hello-for-business/hello-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index eb89236d09..405b6710ad 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -69,9 +69,9 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external camera when my laptop is closed or docked? + - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | 
@@ -118,7 +118,7 @@ sections: Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. - question: | - Which is better or more secure: key trust or certificate trust? + Which is better or more secure, key trust or certificate trust? answer: | The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are: - Required domain controllers From 85b745c30f703a915dcd7df61c0f04a342a5f8b0 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 10 Jun 2021 09:35:38 +0530 Subject: [PATCH 100/137] Update bitlocker-deployment-comparison.md Removed the asterisk for note. Row alignment corrected. --- .../bitlocker/bitlocker-deployment-comparison.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index de76b10cc5..0fbc7f9f48 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
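Review bot: the new answer in the first hunk has a doubled word ("will be be used") and says the capability starts with "Windows 10, version 21H2" while the link it cites is the "IT tools to support Windows 10, version 21H1" post; one of the two versions is wrong, and the link text and URL should match whichever is correct. The answer should also state the precondition plainly as a requirement rather than in passing: the external camera is only usable when the device already has an internal Windows Hello camera.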
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -26,12 +26,12 @@ This article depicts the BitLocker deployment comparison chart. ## BitLocker deployment comparison chart -| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM)* | +| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | |---------|---------|---------|---------| |**Requirements**|||| |Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | |Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | -|Minimum Windows 10 version |1909** | None | None | +|Minimum Windows 10 version |1909 | None | None | |Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | 
@@ -47,8 +47,7 @@ This article depicts the BitLocker deployment comparison chart. |Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | -|Standard recovery password storage location | Azure AD or -Active Directory | Configuration Manager site database | MBAM database | +|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database | |Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | |Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: 
| From 568d14d252c78c7f5bea39725af3bf0099e726b7 Mon Sep 17 00:00:00 2001 From: Joel Christiansen <43965946+jchri@users.noreply.github.com> Date: Thu, 10 Jun 2021 14:12:34 -0500 Subject: [PATCH 101/137] Update update-csp.md Spelling mistake correction. --- windows/client-management/mdm/update-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 89c8d33d45..094b56add7 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -17,7 +17,7 @@ ms.date: 02/23/2018 The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] -> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. +> The Update CSP functionality of 'ApprovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. The following shows the Update configuration service provider in tree format. From 400685ccf2212aadda5e7a72e1494b4b734eac0c Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 10 Jun 2021 14:19:34 -0700 Subject: [PATCH 102/137] Added CN info to the 2nd note under table 2 Also formatted the note as lists. --- .../select-types-of-rules-to-create.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 7a56e31130..ace22beaca 100644 
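Review bot: in the update-csp.md hunk, the node name 'ApprovedUpdates' should be in code formatting rather than single quotes (`ApprovedUpdates`), since it is a literal CSP node name; the note would also be more useful if it said in one clause why that node is not recommended for desktop devices instead of only pointing at the Policy CSP page.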
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -109,7 +109,8 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > [!NOTE] -> WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. +> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. ## Example of file rule levels in use From 7f56a2952658469dc42f84edfef33467bd2bc04b Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 11 Jun 2021 10:57:19 +0100 Subject: [PATCH 103/137] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 28a1cdf6e0..c7611518d4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
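Review bot: in the select-types-of-rules-to-create.md hunk, the new second bullet is vague about what "the code" is and does not say what fails when the CN is UTF-8 encoded; name the component that populates CertSubject/CertIssuer (the policy tooling, i.e. New-CIPolicy referenced in the paragraph above) and state the consequence of a UTF8String CN so readers know what symptom to look for. It would also help to give the certutil invocation that exposes the string type, for example `certutil -asn <cert.cer>` (my suggestion; the hunk names no verb), and to use the ASN.1 type names (PrintableString, IA5String, BMPString, UTF8String) rather than "printable string or IA5 or BMP".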
@@ -741,13 +741,13 @@ The following list shows the supported values for Windows 8.1: In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. -The following list shows the supported values for Windows 10 version 1809 and older: - -- 0 – (**Security**) This turns Windows diagnostic data off. +The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): +- 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. -- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. - 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. -- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. 
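Review bot: in the policy-csp-system.md hunk at line 741, the new intro sentence is a comma splice and says "brackets" where the text actually uses parentheses; split it, e.g. "...1809 and older. Choose the value that applies to your OS version; the names used by older OS versions are shown in parentheses." Item 2 still has the old "(**Enhanced**)" form while items 0, 1 and 3 were changed to "**Name (Older name)**", so give it the same form or say why Enhanced has no newer name. The blank line between the intro paragraph and the list was also dropped; keep it so the list starts as its own block. The new Note under item 2 sits on its own line with a single leading space; indent it to the item's content column (two spaces) so it is clearly part of that bullet, and while here "other devices editions of Windows" in the item 0 Note should read "other editions of Windows".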
@@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) From 4bee7439bbe2fbf69ca199e666301f8f9e1e0d04 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Fri, 11 Jun 2021 11:29:53 +0100 Subject: [PATCH 104/137] Update policy-csp-system.md --- windows/client-management/mdm/policy-csp-system.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index c7611518d4..4d1e1393b7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
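Review bot: in the policy-csp-system.md hunk at line 1683, the two bullets name Windows releases inconsistently ("version 1809" vs "version 19H1"); use the release number, 1903, in the second bullet so both follow the same scheme. The parenthetical Note also duplicates the sentence just added to the value list at line 741; a short cross-reference to the note on value 2 would avoid maintaining the same sentence in two places.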
@@ -745,8 +745,8 @@ The following list shows the supported values for Windows 10 version 1809 and ol - 0 – **Off (Security)** This turns Windows diagnostic data off. **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. - **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. + **Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1. - 3 – **Optional (Full)** Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. Most restrictive value is 0. @@ -1683,7 +1683,7 @@ To enable this behavior, you must complete two steps: - Enable this policy setting - Set the **AllowTelemetry** level: - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1.) + - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. (**Note**: **Enhanced** is no longer an option for Windows Holographic, version 21H1) - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) 
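Review bot: in the second hunk of this policy-csp-system.md change (line 1683), dropping the period leaves the parenthetical note inconsistent with its twin in the value list at line 745, which still ends "...version 21H1."; the parenthetical is a complete sentence, so keep the period inside the closing parenthesis in both places or drop it in both. The first hunk is whitespace-only (re-indenting the Note under value 2); that is fine, but say so in the commit message since the removed and added lines look identical.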
From 13ca837b40cfe77998c0319819c76763d9a980a5 Mon Sep 17 00:00:00 2001 From: Mark Stanfill Date: Fri, 11 Jun 2021 10:51:20 -0500 Subject: [PATCH 105/137] Update policy-csp-storage.md Correcting OMA-URI value --- windows/client-management/mdm/policy-csp-storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index a3d2099a3e..e55afed42c 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -719,7 +719,7 @@ ADMX Info: Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. @@ -740,4 +740,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 571ca43d6a97e7d2c419e8ae53f880c1dfed2fb8 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 11 Jun 2021 10:22:00 -0700 Subject: [PATCH 106/137] Added the suggested edits for the 2nd note under the 2nd table. --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
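Review bot: in the policy-csp-storage.md hunk, the corrected OMA-URI is wrapped in triple backticks inline; use single backticks for inline code (`./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess`) so it renders consistently. The old text advertised a `[device|user]` scope and the new one shows only `./Device`; if the policy is device-scoped only, say so explicitly so nobody tries a `./User` path, and if it is also available under user scope, list both paths.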
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index ace22beaca..1f5068600a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -110,7 +110,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the > [!NOTE] > - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits. -> - CN is what the code uses for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format and ensure UTF-8 is not being used for the CN. For example, printable string or IA5 or BMP is ok. +> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP. ## Example of file rule levels in use From a7248e6d9cafecdc29fe8b25fbbf47ed878bfa63 Mon Sep 17 00:00:00 2001 From: Steve DiAcetis Date: Fri, 11 Jun 2021 14:09:12 -0700 Subject: [PATCH 107/137] Update media-dynamic-update.md Additional information on Flash removal --- windows/deployment/update/media-dynamic-update.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 34ef7cc00f..5b33d7c287 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
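Review bot: in the select-types-of-rules-to-create.md hunk, "The code uses CN" still has no clear antecedent; name the component (the WDAC policy tooling that writes CertSubject and CertIssuer). "you can use printable string, IA5, or BMP" reads as if the reader picks the encoding, but the CN encoding is fixed by the CA when the certificate is issued; rephrase as "the CN may be encoded as PrintableString, IA5String, or BMPString, but not UTF8String", using the ASN.1 type names.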
@@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file > [!NOTE] > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). +> [!NOTE] +> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. From fe45e657bf13c815e40ef7c1e7893f7e8aa37281 Mon Sep 17 00:00:00 2001 
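Review bot: in the media-dynamic-update.md hunk, "Windows 10, versions 1607 and Windows 10, version 1507" is garbled; write "Windows 10, versions 1607 and 1507". "available on the Catalog" should use the full name the preceding note uses, "Microsoft Update Catalog". Since this section is about the ordered sequence table, the instruction to apply the update "between steps 20 and 21" would be clearer as a row in that table than as a note, with the installed-device case mentioned separately.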
From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:13:45 -0700 Subject: [PATCH 108/137] FAQ Addition This additional question and answer was requested to be added to this FAQ document by Radia Soulmani. --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 0e4406aaa5..abb97cebcc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -51,6 +51,10 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. +### I’m trying to watch playback video with HDR, why is the HDR option missing? + +In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. + ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. From 611dc0328fe7cdf684864aec19db3d13b099758f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 11 Jun 2021 14:34:51 -0700 Subject: [PATCH 109/137] Update faq-md-app-guard.md --- .../faq-md-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
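Review bot: in the faq-md-app-guard.md hunk, the new question heading is a comma splice ("...with HDR, why is..."); make it two sentences. The answer tells the reader what to enable but not where: name the policy setting that turns on vGPU hardware acceleration for Application Guard and link to where it is configured (Group Policy or the CSP), as the neighbouring answers do for their settings.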
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index abb97cebcc..c37d466af5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/12/2021 +ms.date: 06/11/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -23,9 +23,9 @@ This article lists frequently asked questions with answers for Microsoft Defende ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4-GB RAM? +### Can I enable Application Guard on machines equipped with 4 GB RAM? -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) @@ -51,7 +51,7 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. -### I’m trying to watch playback video with HDR, why is the HDR option missing? +### I’m trying to watch playback video with HDR. Why is the HDR option missing? In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. 
@@ -102,7 +102,7 @@ Yes, both the Enterprise Resource domains that are hosted in the cloud and the d ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why do the Network Isolation policies in Group Policy and CSP look different? @@ -114,7 +114,7 @@ There is not a one-to-one mapping among all the Network Isolation policies betwe - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? From 1464230d8a9f035ff6dc317c890fb15955901cc1 Mon Sep 17 00:00:00 2001 
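Review bot: in the faq-md-app-guard.md hunks at lines 102 and 114, the paragraph about the encryption driver and `0x80070013 ERROR_WRITE_PROTECT` appears twice, once under its own question and again at the end of the Network Isolation answer where it is off topic; rather than reformatting both copies, drop the second one or replace it with a link to the "Why does my encryption driver break..." question. Moving the error code from bold to code formatting is the right call.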
From: Jaime Ondrusek Date: Fri, 11 Jun 2021 15:03:48 -0700 Subject: [PATCH 110/137] Update media-dynamic-update.md A few small changes for style. --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 5b33d7c287..81b0cd7857 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. 
For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions @@ -459,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Media refresh completed!" -``` \ No newline at end of file +``` From 237301056a6c8112fbaca4532a276f881ae3aeed Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 11 Jun 2021 15:03:58 -0700 Subject: [PATCH 111/137] Changed numbered list to bullets; added missing period The list under "First rule (DHCP Server)" appeared to NOT be a sequential list, so by style guidelines, it should not use numbers for its list items. --- .../faq-md-app-guard.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index aef33b9815..cb0bff0dc0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
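Review bot: in the media-dynamic-update.md hunk, "deploying the update in KB4577586" is awkward because KB4577586 is the update; "deploying KB4577586" is enough. "remove Flash anytime ... between steps 20 and 21" still conflates two cases, removing Flash from an installed device (any time) and inserting the KB into this media refresh sequence (between steps 20 and 21); split them into two sentences. The trailing-newline fix in the second hunk is fine.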
@@ -52,7 +52,7 @@ sections: - question: | Why don't employees see their favorites in the Application Guard Edge session? answer: | - Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) + Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard). - question: | Why aren’t employees able to see their extensions in the Application Guard Edge session? @@ -148,13 +148,13 @@ sections: - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) ### First rule (DHCP Server) - 1. Program path: `%SystemRoot%\System32\svchost.exe` + - Program path: `%SystemRoot%\System32\svchost.exe` - 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` + - Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - 3. Protocol UDP + - Protocol UDP - 4. Port 67 + - Port 67 ### Second rule (DHCP Client) This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: From c79468fa89db03a73db421805d3b77f58597e752 Mon Sep 17 00:00:00 2001 
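Review bot: in the faq-md-app-guard.yml hunk for "First rule (DHCP Server)", the four bullets are inconsistent: the first two are "Label: `value`" while the last two are "Protocol UDP" and "Port 67" with no separator; write "Protocol: UDP" and "Port: 67". The service SID bullet packs the SID and its friendly name into one code span; keep `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` in code and put "(Internet Connection Service (SharedAccess))" outside it. Switching from numbers to bullets is right, since these are properties of one rule rather than steps.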
From: Jason Gerend Date: Fri, 11 Jun 2021 15:29:44 -0700 Subject: [PATCH 112/137] Update to deal with production outage issue If a customer running a failover cluster removes Authenticated Users group from this policy setting, the cluster goes down. --- .../access-this-computer-from-the-network.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index d20934b1f3..55c80b17f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md 
@@ -14,17 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/11/2021 ms.technology: mde --- # Access this computer from the network - security policy setting **Applies to** -- Windows 10 +- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. +> [!WARNING] +> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. + ## Reference The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). 
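Review bot: in the access-this-computer-from-the-network.md hunk at line 14, "Applies to" now lists five products in a single bullet; put one product per bullet so the list is scannable. The WARNING gives the cause (CLIUSR is not a local Administrator and depends on Authenticated Users for this right) but not the least-privilege alternative a hardening team will ask about: can the right be granted to CLIUSR, or to a cluster-specific group, instead of keeping the broad Authenticated Users grant? If that is supported, document it; if it is not, say so explicitly so the warning is not read as "never tighten this setting".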
@@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. +- On failover clusters, make sure this right is granted to authenticated users. - This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. + ## Related topics [User Rights Assignment](user-rights-assignment.md) From 875fc889a1780ff8a2fe413bbea8ca55a1b107fe Mon Sep 17 00:00:00 2001 
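Review bot: in the hunk at line 104, the added paragraph repeats the WARNING at the top of the article almost verbatim, CLIUSR explanation included; keep the detail in one place and cross-reference it from the other, otherwise the copies will drift (they already differ: "won't" vs "will not", bold vs plain setting name). "Authenticated Users" and "Access this computer from the network" should be bolded here as the surrounding text does for **Domain Users** and **Access this computer from the network**. In the hunk at line 43, "granted to authenticated users" should name the group, **Authenticated Users**, since it means that specific group rather than any authenticated user.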
From: JoyJaz <76192344+joyjaz@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:29:45 -0800 Subject: [PATCH 113/137] Update configuration-service-provider-reference.md Changes made per Lavinder and Task 33226532. --- .../mdm/configuration-service-provider-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 90f132759c..f076fe16e7 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -2555,7 +2555,7 @@ The following list shows the CSPs supported in HoloLens devices: [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | -| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | +| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2636,4 +2636,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) \ No newline at end of file +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 57e1b9eaaedab70491466dd1199d20c5058d880c Mon Sep 17 00:00:00 2001 
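Review bot: in the configuration-service-provider-reference.md hunk, the qualifier "(**doWipe** and **doWipePersistProvisionedData** nodes only)" is placed in the CSP name column, which no other row does; the table already carries per-row caveats as numbered footnotes (1 through 10 in the second hunk), so add a footnote and keep the first column to the CSP name. The qualifier also does not say which of the three device columns it applies to; the footnote should name the edition(s) it covers.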
From: Gary Moore Date: Sun, 13 Jun 2021 19:07:04 -0700 Subject: [PATCH 114/137] Correct bad link added in the public repo This commit corrects the bad link added in commit https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646/commits/1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 in PR https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646. --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index c3f6909aaa..9c79336c9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From 83d688e3f2ea31d4c1b4dc8965dc2c6c82b264df Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Sun, 13 Jun 2021 22:08:07 -0700 Subject: [PATCH 115/137] Remove the Markdown version of this file, which has been replaced by a YAML file in the private branch. --- .../faq-md-app-guard.md | 214 ------------------ 1 file changed, 214 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index c37d466af5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null 
@@ -1,214 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 06/11/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4 GB RAM? - -We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. 
However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### I’m trying to watch playback video with HDR. Why is the HDR option missing? - -In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? 
- -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). 
This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. 
If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. 
- -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From 6506a888b45aa5764c3fafb4d79f3c87af7206a8 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 14 Jun 2021 10:30:40 +0200 Subject: [PATCH 116/137] Update vpnv2-csp.md Update information on NRPT applicability. --- windows/client-management/mdm/vpnv2-csp.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 15c30be7f5..e21af0bff4 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
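Review bot: this deletion removes faq-md-app-guard.md outright but the patch touches no other file (1 file changed, 214 deletions), so there is no redirect for the old URL and no update to pages that link to it; until the YAML replacement named in the commit message is published, inbound links (the TOC entry and the "See also" sections of sibling Application Guard pages, the deleted page itself links to ./configure-md-app-guard.md) will 404. Add the redirect entry to the new page's URL in the same PR, or hold the deletion until the replacement lands in the public branch. While porting, note that the deleted content carried the encryption-driver/VHD paragraph ("0x80070013 ERROR_WRITE_PROTECT") twice, once under its own heading and again under the Network Isolation question; the YAML version should keep only the first.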
@@ -390,6 +390,9 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +> [!NOTE] +> Only applications using the [Windows DNS API](https://docs.microsoft.com/en-us/windows/win32/dns/dns-reference) can make use of the Name Resolution Policy Table (NRPT) and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so please always use the PowerShell CmdLet [Resolve-DNSName](https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname) to check the functionality of NRPT. + **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. 
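Review bot: the two new links are absolute https://docs.microsoft.com/en-us/... URLs; this repo uses site-relative, locale-free links (/windows/win32/dns/dns-reference and /powershell/module/dnsclient/resolve-dnsname), and the link checker will flag the absolute form. Also "CmdLet" should be "cmdlet" and the cmdlet's canonical name is Resolve-DnsName, not "Resolve-DNSName". The substantive point is right and worth keeping: nslookup and other tools that ship their own resolver bypass the NRPT, so a failed nslookup says nothing about whether the DomainNameInformationList rules are in effect.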
@@ -419,8 +422,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. -> [!NOTE] -> Currently only one web proxy server is supported. +> [!NOTE] +> Currently only one web proxy server is supported. Value type is chr. Supported operations include Get, Add, Replace, and Delete. From c7161c13338e271240a06a7653e4c9a108ce3da3 Mon Sep 17 00:00:00 2001 From: Per Larsen Date: Mon, 14 Jun 2021 13:27:20 +0200 Subject: [PATCH 117/137] Update enroll-a-windows-10-device-automatically-using-group-policy.md Device Credential Is only supported for: - Co-management - WVD (Azure Virtual Desktop) - Autopilot deploying mode - witch is not using GPO for enrollment --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9e1150cd20..775e72cacd 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
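Review bot: the @@ -419 hunk shows no visible change to the two [!NOTE] lines (the - and + lines read identically), so this is a trailing-whitespace or line-ending edit. If it is intentional, say so in the commit message; otherwise drop it so the diff for this file is limited to the NRPT note.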
@@ -128,7 +128,7 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop. When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." From f07b4f01f30e6e85aa162856ae32936b6ad82f10 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 14 Jun 2021 08:39:15 -0700 Subject: [PATCH 118/137] Update windows/deployment/update/media-dynamic-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 81b0cd7857..85d236c15d 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
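Review bot: the replacement sentence reverses the previous guidance (which said Device Credential is not supported when a ConfigMgr agent is present) without telling readers why co-management is now the supported case; add a short explanation or a link to the co-management enrollment documentation so admins who acted on the old note understand the change. The commit message also lists Autopilot as a supported mode but says it does not use this group policy; if that is the intent, state it in the note so readers do not look for an Autopilot option here.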
@@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). 
### Multiple Windows editions From 17db40a3eb6f99a7ad7d4f06edc1e1fea0e58274 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Mon, 14 Jun 2021 09:08:56 -0700 Subject: [PATCH 119/137] Update media-dynamic-update.md Corrected comma. --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 85d236c15d..2664d3f9d8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
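Review bot: this edit only moves the comma from inside the closing quotation mark to outside it ("...Adobe Flash Player”, will be included"), and the next commit in this series (17db40a3) removes that comma again. Squash the two into one punctuation change and pick one form: with the title used as an appositive after "KB4577586,", keeping a comma after the closing quote is the balanced choice; dropping it, as the follow-up does, leaves the appositive closed on one side only.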
@@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). 
### Multiple Windows editions From 86d8af570836ff725714dc4296572c51a294e83e Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 14 Jun 2021 10:25:05 -0700 Subject: [PATCH 120/137] Added additional text to the ApplicationControl CSP section --- ...ultiple-windows-defender-application-control-policies.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 80ef49b096..f3935c6b4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -101,7 +101,11 @@ To deploy policies locally using the new multiple policy format, follow these st ### Deploying multiple policies via ApplicationControl CSP -Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
+ +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. From 036fdabfce26f39a91fbaf7bde5fa7977f464a8d Mon Sep 17 00:00:00 2001 From: v-hearya Date: Tue, 15 Jun 2021 00:59:11 +0530 Subject: [PATCH 121/137] Broken link fixed --- browsers/internet-explorer/kb-support/ie-edge-faqs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml index 7bc45c1ec2..50862d688d 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml 
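Review bot: the un-enrollment behaviour described in the new second paragraph (the CSP attempts to remove every WDAC policy on the device, not only the ones it deployed) is a destructive side effect that can silently strip locally deployed policies, so it belongs in a > [!WARNING] or > [!IMPORTANT] callout rather than an unmarked paragraph; the page already uses a > [!NOTE] callout two lines below. Tighten the wording at the same time: replace "The reason for this is because" with "This happens because", and "regardless if they were deployed by the CSP" with "regardless of whether the CSP deployed them". It would also help to say what an admin should do before un-enrolling, namely re-apply any policies that must survive.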
@@ -114,8 +114,8 @@ sections: - question: | How to improve performance by using PAC scripts answer: | - - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/help/315810/browser-is-slow-to-respond-when-you-use-an-automatic-configuration-scr) - - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](https://blogs.msdn.microsoft.com/askie/2014/02/07/optimizing-performance-with-automatic-proxyconfiguration-scripts-pac/) + - [Browser is slow to respond when you use an automatic configuration script](https://support.microsoft.com/en-us/topic/effa1aa0-8e95-543d-6606-03ac68e3f490) + - [Optimizing performance with automatic Proxyconfiguration scripts (PAC)](/troubleshoot/browsers/optimize-pac-performance) - name: Other questions questions: @@ -124,7 +124,7 @@ sections: answer: | For more information, see the following blog article: - [How do I set the home page in Microsoft Edge?](https://blogs.msdn.microsoft.com/askie/2017/10/04/how-do-i-set-the-home-page-in-edge/) + [How do I set the home page in Microsoft Edge?](https://support.microsoft.com/en-us/microsoft-edge/change-your-browser-home-page-a531e1b8-ed54-d057-0262-cc5983a065c6) - question: | How to add sites to the Enterprise Mode (EMIE) site list From 9354d35287519d34b15260b94fe232c63e31b670 Mon Sep 17 00:00:00 2001 From: katoma2017 <48699113+katoma2017@users.noreply.github.com> Date: Mon, 14 Jun 2021 21:44:22 -0700 Subject: [PATCH 122/137] Update update-baseline.md Update the link of Update Baseline toolkit to the Security Compliance Toolkit (which now contains Update Baseline) --- windows/deployment/update/update-baseline.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 4438c95e54..91ea05a2e5 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md 
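Review bot: the two new support.microsoft.com links include the /en-us/ locale segment; the convention in this repo is locale-free URLs (https://support.microsoft.com/topic/... and https://support.microsoft.com/microsoft-edge/...) so the site can serve localized pages, and the replacement on the same line correctly uses the site-relative form /troubleshoot/browsers/optimize-pac-performance. The link text "Proxyconfiguration" in the first hunk should read "Proxy configuration" while the line is being touched.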
@@ -40,7 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. From 3f9c194f35c6a682b974ee07af0a064b819d41d3 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 15 Jun 2021 08:12:48 +0200 Subject: [PATCH 123/137] Update windows/client-management/mdm/vpnv2-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/vpnv2-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e21af0bff4..1fed240483 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
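Review bot: the link text still says "Update Baseline toolkit" but now points at the Security Compliance Toolkit download (id=55319); since the target page's title no longer matches the link text, make the link text "Security Compliance Toolkit" and move "which includes the Update Baseline toolkit" into the parenthetical, and drop the /en-us/ locale from the URL. The unchanged next sentence, "Today, the Update Baseline toolkit is currently only available", doubles "today" and "currently"; worth fixing in the same touch.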
@@ -391,7 +391,7 @@ Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. > [!NOTE] -> Only applications using the [Windows DNS API](https://docs.microsoft.com/en-us/windows/win32/dns/dns-reference) can make use of the Name Resolution Policy Table (NRPT) and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so please always use the PowerShell CmdLet [Resolve-DNSName](https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname) to check the functionality of NRPT. +> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. 
Sequencing must start at 0. @@ -1603,4 +1603,3 @@ Servers - From d36f937b2b902896a15ce6c7f6bd2d47394dc089 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=20M=C3=BCller?= <85677225+amueller-tf@users.noreply.github.com> Date: Tue, 15 Jun 2021 11:18:00 +0200 Subject: [PATCH 124/137] Fix Defender for Endpoint link --- .../security/threat-protection/intelligence/fileless-threats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 39371c3da0..31d34345c4 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md 
@@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) From 9ef8502ee4b2e602b09c4775b306e8ba73e9a3e0 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT <18405051+denisebmsft@users.noreply.github.com> Date: Tue, 15 Jun 2021 07:14:26 -0700 Subject: [PATCH 125/137] Update fileless-threats.md --- .../security/threat-protection/intelligence/fileless-threats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 31d34345c4..e2029f3c2c 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md 
@@ -99,7 +99,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) From 3b02d8ff9dd952b9f7baac5f0cf8923522515135 Mon Sep 17 00:00:00 2001 
From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Tue, 15 Jun 2021 11:08:15 -0400 Subject: [PATCH 126/137] Fixed error in documentation for wrong value AllowWUfBCloudProcessing is a DWORD, or Integer. Not String. It also must be set to "8", not "1". This is correcting an error in documentation. --- windows/deployment/update/deployment-service-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4c034921b7..256bbb7d4e 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -148,8 +148,8 @@ Following is an example of setting the policy using Microsoft Endpoint Manager: - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - - Data type: **String** - - Value: **1** + - Data type: **Integer** + - Value: **8** 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. 7. In **Review + create**, review your settings, and then select **Create**. 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. From 0e3c630f274313fc7bb39bacea59b053dc18c5a7 Mon Sep 17 00:00:00 2001 From: katoma2017 <48699113+katoma2017@users.noreply.github.com> Date: Tue, 15 Jun 2021 09:50:15 -0700 Subject: [PATCH 127/137] Update windows/deployment/update/update-baseline.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/update-baseline.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
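Review bot: the data type and value correction leaves the same file inconsistent: the prerequisites list earlier in deployment-service-overview.md (the line at 125 changed in a later commit of this series) still says the AllowWUfBCloudProcessing policy must be set to 1, so a reader working top to bottom sees two required values. Fix both in one change. Step 8 in the trailing context would also be more useful if it stated the expected registry value (8) rather than only the key path, since the whole point of this fix is that 1 is wrong.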
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index 91ea05a2e5..2e4ab4fd64 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -40,8 +40,7 @@ For the complete detailed list of all settings and their values, see the MSFT Wi ## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. Today, the Update Baseline toolkit is currently only available for use with Group Policy. - From 727dfe92ff3a817a49565fdcc874cda9a8e2a495 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 15 Jun 2021 16:29:59 -0700 Subject: [PATCH 128/137] Substituted because for that per the feedback. --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index f3935c6b4b..1f9364ad64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -103,7 +103,7 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is because the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability. From 4d33f48dd97275341b6023a2317c48eff9098e18 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 15 Jun 2021 16:42:32 -0700 Subject: [PATCH 129/137] Acrolinx "Bitlocker" and "Powershell" --- .../client-management/mdm/healthattestation-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9df5a62fdf..9f691cab8c 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
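Review bot: the wording fix is fine, but the sentence still ends with "regardless if they were deployed by the CSP", which should be "regardless of whether they were deployed by the CSP". More importantly, the behaviour described (un-enrolling from MDM removes every WDAC policy on the device, not only the ones the CSP added) is a destructive side effect buried in a "However" sentence. Other pages in this series use a `> [!NOTE]` block for caveats; this one deserves a `> [!WARNING]` so anyone mixing deployment channels sees it before un-enrolling.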
@@ -502,8 +502,8 @@ The following list of data points are verified by the DHA-Service in DHA-Report - [HealthStatusMismatchFlags](#healthstatusmismatchflags) \* TPM 2.0 only -** Reports if Bitlocker was enabled during initial boot. -*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. +\*\* Reports if BitLocker was enabled during initial boot. +\*\*\* The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. Each of these are described in further detail in the following sections, along with the recommended actions to take. @@ -547,8 +547,8 @@ Each of these are described in further detail in the following sections, along w - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. -**BitlockerStatus** (at boot time) -

When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

+**BitLockerStatus** (at boot time) +

When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

@@ -614,7 +614,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled**

OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

@@ -659,7 +659,7 @@ Each of these are described in further detail in the following sections, along w - Disallow all access - Disallow access to HBI and MBI assets - Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode**

Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
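Review bot: in the @@ -659 hunk the casing fix is correct, but the line it touches looks wrong on substance: the list it belongs to ("Disallow all access", "Disallow access to HBI and MBI assets", watch list) describes responses to a device in a risky state, and the corrective action offered is "enabling test signing", which would make that state worse. The parallel line in the @@ -614 hunk ("enabling VSM") is sensible because VSM being on is the good state; for test signing the remediation should be disabling it. Please confirm against the attribute description above this list and change "enabling" to "disabling" while touching the line. Separately, the @@ -502 hunk's escaping of the leading asterisks is the right fix, since an unescaped `**` at the start of a line renders as bold rather than as a footnote marker.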

From d2955fe82fb7c463a3cbaa1702cf0d586fcad5f4 Mon Sep 17 00:00:00 2001 From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Tue, 15 Jun 2021 17:03:49 -0700 Subject: [PATCH 130/137] Added a question and answer Added question and answer to lines 40-49 as requested by Radia Soulmani . --- .../faq-md-app-guard.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index cb0bff0dc0..10ada92e34 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -36,7 +36,18 @@ sections: `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) `HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - + + - question: | + My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that? + answer: | + The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. + + To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + + - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - It needs to be a FQDN…just a simple IP address will not work. + - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. + - question: | Can employees download documents from the Application Guard Edge session onto host devices? answer: | @@ -232,4 +243,4 @@ additionalContent: | ## See also - [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) \ No newline at end of file + [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From 3e7c3664aa0c586d4a1302d9eafd15d71dec17d5 Mon Sep 17 00:00:00 2001 From: Shaun Pearson Date: Wed, 16 Jun 2021 09:30:04 +0100 Subject: [PATCH 131/137] What's new 21H1 Small typo noticed when looking the Windows Assessment and Deployment Toolkit section --- windows/whats-new/whats-new-windows-10-version-21H1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
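Review bot: the new answer mixes requirements and a verification step under a lead-in that promises steps ("you can:"). The first bullet is the check (edge://application-guard-internals/#utilities, "check url trust" should report "Neutral"), the second bullet repeats a requirement already stated in the opening paragraph ("must be a hostname (not IP)"), and the third is an optional policy change. Suggest stating the requirements once in the opening paragraph (FQDN, not IP; applies to the PAC server and to every proxy the PAC script returns) and keeping the bullets for the check and the optional Enterprise IP Ranges cleanup. Readers will search for the error string in the question, so put it in straight quotes rather than the curly quotes the hunk introduces, matching the registry lines in the context above.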
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index c56c65dac3..99f122b717 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -47,7 +47,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management @@ -136,4 +136,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
From aef7333ad599c711065ba4a41c54fc8def5733aa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 16 Jun 2021 11:26:46 -0700 Subject: [PATCH 132/137] Update faq-md-app-guard.yml --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 10ada92e34..03baa2d537 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 05/12/2021 + ms.date: 06/16/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -45,7 +45,7 @@ sections: To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - - It needs to be a FQDN…just a simple IP address will not work. + - It must be a FQDN. A simple IP address will not work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | From 835cf8dc25c0e514e9b259b18879fcc74dd056df Mon Sep 17 00:00:00 2001 
From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Wed, 16 Jun 2021 17:26:38 -0400 Subject: [PATCH 133/137] Updated error AllowWufbCloudProcessing Should be value 8, showed value 1 --- windows/deployment/update/deployment-service-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 256bbb7d4e..b7bccbb684 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -125,7 +125,7 @@ Deployment scheduling controls are always available, but to take advantage of th > Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - Diagnostic data is set to *Required* or *Optional*. -- The **AllowWUfBCloudProcessing** policy is set to **1**. +- The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy From eff900dc59988d59668fc3997ed761dcd46d2a56 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 17 Jun 2021 08:41:57 -0700 Subject: [PATCH 134/137] Update fod-and-lang-packs.md --- windows/deployment/update/fod-and-lang-packs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 193b4d95ad..fc45328c40 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md 
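Review bot: this brings the prerequisite into line with the Intune profile example changed in the earlier commit (Integer, 8); good. While here, the unchanged note two lines above has a doubled article, "on a a device that isn't enrolled in Update Compliance", which should be "on a device". Since a reader who saw 1 elsewhere has no way to tell which value is right, consider linking the policy's definition in the Policy CSP reference (the OMA-URI ./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing points at it) so the allowed values are verifiable from the page.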
@@ -18,7 +18,7 @@ ms.custom: seo-marvel-apr2020 > Applies to: Windows 10 -As of Windows 10 version 21H2, we are enabling non-Administrator user accounts to add both a display language and its corresponding language features. +In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features. As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. From 7647aeec7f20705366ccf52ccbec19b42918e75b Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Thu, 17 Jun 2021 09:56:55 -0600 Subject: [PATCH 135/137] Pencil edit to fix Acro Line 63: casue ---> cause --- windows/whats-new/whats-new-windows-10-version-21H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 99f122b717..70725f4a9b 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md 
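Review bot: the rewrite is cleaner, but "In Windows 10 version 21H2" reads as if the behaviour is specific to that one release. The two sentences that follow use "As of Windows 10 version 1709" and "Starting with Windows 10 version 1803" for behaviour that persists in later versions; use the same form here ("Starting with Windows 10, version 21H2, ...") so the three statements are parallel and the reader knows the capability carries forward.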
@@ -60,7 +60,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf WDAG performance is improved with optimized document opening times: - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. -- A memory issue is fixed that could casue a WDAG container to use almost 1 GB of working set memory when the container is idle. +- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle. - The performance of Robocopy is improved when copying files over 400 MB in size. ### Windows Hello From 4be947cda64690349d761a581161a80dc5b6040e Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Thu, 17 Jun 2021 14:51:38 -0700 Subject: [PATCH 136/137] Update enterprisedesktopappmanagement-csp.md Fixing Typo Timeout -> TimeOut --- .../client-management/mdm/enterprisedesktopappmanagement-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 60cff29616..20cd2f1e44 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -401,7 +401,7 @@ The following table MsiInstallJob describes the schema elements. Command-line options to be used when calling MSIEXEC.exe -Timeout +TimeOut Amount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. From bbc34e8734653f6fa1c720a0f1a200df6d10123d Mon Sep 17 00:00:00 2001 
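Review bot: on the TimeOut hunk, agreed on the rename, but this is not merely a spelling fix: the table documents schema elements of the MsiInstallJob XML, and XML element names are case-sensitive, so a reader who copied "Timeout" from the old text would have produced a job element that does not match the schema. Check that the SyncML samples later in the same file use "TimeOut" consistently, and consider a one-line remark in the table that element names are case-sensitive to prevent the same mistake with the other elements.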
From: Gary Moore Date: Thu, 17 Jun 2021 20:11:47 -0700 Subject: [PATCH 137/137] Acrolinx "preceed" and other minor corrections --- .../mdm/enterprisedesktopappmanagement-csp.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 20cd2f1e44..78f0b5cb28 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -20,6 +20,7 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). The following shows the EnterpriseDesktopAppManagement CSP in tree format. + ``` ./Device/Vendor/MSFT EnterpriseDesktopAppManagement @@ -37,6 +38,7 @@ EnterpriseDesktopAppManagement --------UpgradeCode ------------Guid ``` + **./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. 
@@ -194,15 +196,15 @@ The following table describes the fields in the previous sample: The following table describes the fields in the previous sample: -| Name | Description | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| Name | Description | +|--------|-----------------------| +| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.** +**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to precede the Exec command.** ```xml 
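Review bot: in the @@ -292 hunk the callout conversion is good, but the link target is a legacy technet.microsoft.com URL with a %28v=ws.10%29 suffix; the rest of this series converts absolute links to site-relative docs paths (for example the /windows/win32/dns/dns-reference change), so point this at the current msiexec command reference the same way. In the same sentence, "using standard OMA-DM notification mechanism" needs an article ("the standard OMA-DM notification mechanism"). The @@ -550 re-indentation of the alert sample is whitespace-only; confirm the file's other SyncML samples use the same indentation so the page does not end up with two styles.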
@@ -292,7 +294,8 @@ The following table describes the fields in the previous sample: -> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at . +> [!Note] +> Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at [Msiexec (command-line options)](https://technet.microsoft.com/library/cc759262%28v=ws.10%29.aspx). @@ -550,21 +553,18 @@ Here's a list of references: ```xml - 4 - 1224 - - - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall - - - Reversed-Domain-Name:com.microsoft.mdm.win32csp_install - int - informational - - 0 - + 4 + 1224 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall + + + Reversed-Domain-Name:com.microsoft.mdm.win32csp_install + int + informational + + 0 + ``` - - -