Merge branch 'master' into 1803-basicdiagdata

Brian Lich 2018-09-10 15:32:49 -07:00
commit ab5821a17d
1054 changed files with 5825 additions and 4931 deletions

View File

@ -6,6 +6,21 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md",
"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
"redirect_document_id": true
},
{
"source_path": "windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md",
"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md",
"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/intelligence/transparency-report.md",
"redirect_url": "/windows/security/threat-protection/intelligence/av-tests",
"redirect_document_id": true
@ -21,6 +36,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows",
"redirect_document_id": true
},
{
"source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md",
"redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows",
"redirect_document_id": true

View File

@ -5,7 +5,7 @@ services:
keywords: Dont add or edit keywords without consulting your SEO champ.
author: shortpatti
ms.author: pashort
ms.date: 07/25/2018
ms.date: 09/05/2018
ms.topic: article
ms.prod: edge
ms.mktglfcycl: explore

View File

@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration
**To set the default browser as Internet Explorer 11**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
![set default associations group policy setting](images/setdefaultbrowsergp.png)
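Review bot: the new path mixes escaping: `Computer Configuration\Administrative Templates` uses a single backslash while every other separator in the same bold span uses `\\`. Use `\\` throughout so the path renders consistently, i.e. `**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**`; a lone `\A` happens to render literally in Markdown, but the next editor of this line may not know that.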

View File

@ -14,7 +14,7 @@ ms.date: 07/27/2018
Welcome to the latest Insider Preview builds for HoloLens! Its simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
>Latest insider version: 10.0.17720.1000
<span id="get-insider" />
## How do I install the Insider builds?
@ -89,7 +89,7 @@ When youre done with setup, go to **Settings -> Update & Security -> Windows
## Note for language support
- You cant change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English).
- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English).
## Note for developers

View File

@ -79,13 +79,15 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft.
>[!TIP]
>If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Apps**.
4. In the Windows Device Portal, click **Views** and select **Apps**.
![App Manager](images/apps.png)
5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**.
5. Click **Add** to open the **Deploy or Install Application dialog**.
6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens.
6. Select an **app package** from a folder on your computer or network. If the app package requires additional software or framework packages, click **I want to specify framework packages**.
7. Click **Next** to deploy the app package and added dependencies to the connected HoloLens.
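Review bot: step 5 bolds the word "dialog" as if it were part of the UI element name (`**Deploy or Install Application dialog**`); the rest of this procedure bolds only the control names, so it should read `**Deploy or Install Application** dialog`. The screenshot reference `![App Manager](images/apps.png)` still sits under step 4, so confirm the replaced image shows the **Views** > **Apps** navigation that the renumbered step now describes.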

Binary file not shown.


Binary file not shown.


View File

@ -34,7 +34,7 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub.
To successfully execute these PowerShell scripts, you will need to install the following prerequisites:
- [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://www.microsoft.com/download/details.aspx?id=41950)
- [Microsoft Azure Active Directory Module for Windows PowerShell (64-bit version)](https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185)
- [Microsoft Azure Active Directory Module for Windows PowerShell (64-bit version)](https://www.powershellgallery.com/packages/MSOnline/1.1.183.17)
- [Windows PowerShell Module for Skype for Business Online](https://www.microsoft.com/download/details.aspx?id=39366)
## <a href="" id="scripts-for-admins"></a>PowerShell scripts for Surface Hub administrators

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 04/12/2018
ms.date: 08/30/2018
ms.localizationpriority: medium
---
@ -145,17 +145,17 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo
| --- | --- | --- | --- |
| Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL |
| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL |
| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing</br></br>**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL |
| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL |
| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing</br></br>**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL |
| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL |
The following table lists the Office 365 plans and Skype for Business options.
| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling |
| O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans |
| --- | --- | --- | --- | --- |
| O365 Business Essentials | Included | | | |
| O365 Business Premium | Included | | | |
| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) |
| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) |
| E1 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) |
| E3 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) |
| E5 | Included | Included | Included | Add-on |
1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
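Review bot: the unchanged row for "Initiate an ad-hoc meeting" still reads `E 1, 3, 4, or 5` (stray space) while the rows around it use `E1`; since this table is being edited for the Phone System / Audio Conferencing renames, fix that cell as well. Also the numbered step `1. Start by creating a remote PowerShell session...` follows the second table directly; a blank line between the table and the list keeps Markdown renderers from folding the list into the table.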
@ -190,7 +190,7 @@ The following table lists the Office 365 plans and Skype for Business options.
- Click **Licenses**.
- In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub.
- In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub.
- Click **Save**.
@ -291,7 +291,8 @@ Use this procedure if you use Exchange online.
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
>[!IMPORTANT]
>Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
![Image showing password dialog box.](images/hybriddeployment-02a.png)

View File

@ -50,7 +50,7 @@ The hardware requirements are applicable to all versions.
<th align="left">Operating System</th>
<th align="left">Edition</th>
<th align="left">Service Pack</th>
<th align="left">System Architecture</th>
<th align="left">Achitectural SKU</th>
</tr>
</thead>
<tbody>
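Review bot: the new column header `Achitectural SKU` is misspelled; it should read `Architectural SKU` (or stay `System Architecture`). The same header is changed in the other requirement tables in this file, so correct them together.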
@ -74,31 +74,21 @@ The hardware requirements are applicable to all versions.
</tr>
<tr class="even">
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>Professional or Enterprise Edition</p></td>
<td align="left"><p>Pro or Enterprise Edition</p></td>
<td align="left"><p></p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
</tbody>
</table>
 
**Note**  
The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first.
- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360).
- **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266).
- **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266).
 
**Note**  
For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed.
- **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700).
 
### Software Requirements for Versions that Precede App-V 4.6 SP2
<table>
@ -113,7 +103,7 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
<th align="left">Operating System</th>
<th align="left">Edition</th>
<th align="left">Service Pack</th>
<th align="left">System Architecture</th>
<th align="left">Achitectural SKU</th>
</tr>
</thead>
<tbody>
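Review bot: same misspelling as in the first table, `Achitectural SKU` for `Architectural SKU`.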
@ -121,33 +111,26 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
<td align="left"><p>Windows XP</p></td>
<td align="left"><p>Professional Edition</p></td>
<td align="left"><p>SP2 or SP3</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Vista</p></td>
<td align="left"><p>Business, Enterprise, or Ultimate Edition</p></td>
<td align="left"><p>No service pack, SP1, or SP2</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows </p></td>
<td align="left"><p>Professional, Enterprise, or Ultimate Edition</p></td>
<td align="left"><p>No service pack or SP1</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
</tbody>
</table>
 
¹Supported for App-V 4.5 SP1 and SP2, App-V 4.6 and 4.6 SP1 only
**Note**  
The Application Virtualization (App-V) 4.6 Desktop Client supports 32-bit and 64-bit versions of these operating systems.
The Application Virtualization (App-V) 4.6 Desktop Client supports x86 and x64 SKUs of these operating systems.
 
**Note**  
The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first.
- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360).
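Review bot: the third row's operating system cell reads `Windows ` with the version name missing; restore it. The footnote `¹Supported for App-V 4.5 SP1 and SP2, App-V 4.6 and 4.6 SP1 only` after the table has no matching `¹` marker in any row, so it is not clear which entry it qualifies. Changing every row from `x86` to `x86 and x64` while the note below still says that the 4.6 Desktop Client is what supports x64 SKUs leaves the table, which covers versions that precede 4.6 SP2, claiming x64 support for the earlier clients too; either qualify the cells per version or tie them to the footnote.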
@ -156,25 +139,16 @@ The following software prerequisites are installed automatically if you are usin
- **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file.
 
**Note**  
For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed.
- **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700).
 
## Application Virtualization Client for Remote Desktop Services
Following are the recommended hardware and software requirements for the Application Virtualization Client for Remote Desktop Services. The requirements are listed first for appv461\_3, followed by the requirements for versions that preceded App-V 4.6 SP2.
**Note**  
The Application Virtualization (App-V) Client for Remote Desktop Services requires no additional processor or RAM resources beyond the requirements of the host operating system.
 
### Hardware Requirements
The hardware requirements are applicable to all versions.
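Review bot: `appv461\_3` in `The requirements are listed first for appv461\_3, followed by the requirements for versions that preceded App-V 4.6 SP2` reads like an unresolved token rather than a product name; replace it with the version name the reader will recognize, since the headings that follow use "App-V 4.6 SP2" as the dividing line.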
@ -199,7 +173,7 @@ The hardware requirements are applicable to all versions.
<th align="left">Operating System</th>
<th align="left">Edition</th>
<th align="left">Service Pack</th>
<th align="left">System Architecture</th>
<th align="left">Achitectural SKU</th>
</tr>
</thead>
<tbody>
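Review bot: `Achitectural SKU` again; should be `Architectural SKU`.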
@ -207,13 +181,13 @@ The hardware requirements are applicable to all versions.
<td align="left"><p>Windows Server 2003 R2</p></td>
<td align="left"><p>Standard Edition, Enterprise Edition, or Datacenter Edition</p></td>
<td align="left"><p>SP2</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008</p></td>
<td align="left"><p>Standard, Enterprise, or Datacenter Edition</p></td>
<td align="left"><p>SP2</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008 R2</p></td>
@ -225,14 +199,11 @@ The hardware requirements are applicable to all versions.
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>Standard, Enterprise, or Datacenter Edition</p></td>
<td align="left"><p></p></td>
<td align="left"><p>x86 or x64</p></td>
<td align="left"><p>x64</p></td>
</tr>
</tbody>
</table>
 
**Note**  
The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first.
- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360).
@ -241,15 +212,10 @@ The following software prerequisites are installed automatically if you are usin
- **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file.
 
**Note**  
For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed.
- **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700).
 
### Software Requirements for Versions that Precede App-V 4.6 SP2
<table>
@ -264,7 +230,7 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
<th align="left">Operating System</th>
<th align="left">Edition</th>
<th align="left">Service Pack</th>
<th align="left">System Architecture</th>
<th align="left">Achitectural SKU</th>
</tr>
</thead>
<tbody>
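Review bot: `Achitectural SKU` again; should be `Architectural SKU`.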
@ -272,19 +238,19 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
<td align="left"><p>Windows Server 2003</p></td>
<td align="left"><p>Standard Edition, Enterprise Edition, or Datacenter Edition</p></td>
<td align="left"><p>SP1 or SP2</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2003 R2</p></td>
<td align="left"><p>Standard Edition, Enterprise Edition, or Datacenter Edition</p></td>
<td align="left"><p>No service pack or SP2</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008</p></td>
<td align="left"><p>Standard, Enterprise, or Datacenter Edition</p></td>
<td align="left"><p>SP1 or SP2</p></td>
<td align="left"><p>x86</p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 R2</p></td>
@ -295,31 +261,11 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
</tbody>
</table>
 
**Note**  
The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports 32-bit and 64-bit versions of these operating systems.
 
The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports x86 and x64 SKUs of these operating systems.
## Related topics
[Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md)
[Application Virtualization System Requirements](application-virtualization-system-requirements.md)
[How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md)
[How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md)
[How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md)
 
 
- [Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md)
- [Application Virtualization System Requirements](application-virtualization-system-requirements.md)
- [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md)
- [How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md)
- [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md)
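Review bot: the note text `The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports x86 and x64 SKUs of these operating systems.` is separated from its `**Note**` label by a blank line and then runs straight into `## Related topics` with no blank line before the heading; keep the note text directly under its label and put the blank line before the heading instead. Converting the related topics to a bulleted list is fine.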

View File

@ -86,7 +86,7 @@ The following list outlines the supported operating systems for running the App-
</tr>
<tr class="even">
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>Professional or Enterprise Edition</p></td>
<td align="left"><p>Pro or Enterprise Edition</p></td>
<td align="left"><p></p></td>
<td align="left"><p>x86 and x64</p></td>
</tr>

View File

@ -8,14 +8,16 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 5/30/2018
ms.date: 8/30/2018
ms.author: pashort
author: shortpatti
---
# Applying hotfixes on MBAM 2.5 SP1
This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126)
[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157)
#### Steps to update the MBAM Server for existing MBAM environment
1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
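Review bot: the download link text `Desktop Optimization Pack` does not say which hotfix the new download id (`57157`) resolves to, so a reader cannot tell whether the page is current or which build they are about to install on the MBAM server; name the hotfix (KB number or version) in the link text. The intro sentence ending in `(MBAM) Server 2.5 SP1` is also missing its period, and the `###` and `####` headings skip a level under the `#` title.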

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/16/2018
ms.date: 08/31/2018
---
# BitLocker CSP
@ -257,7 +257,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
> [!Note]
> In Windows 10, version 1709, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
@ -347,7 +347,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
> [!Note]
> In Windows 10, version 1709, you can use a minimum PIN length of 4 digits.
> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
>
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/21/2018
ms.date: 08/27/2018
---
# EnterpriseModernAppManagement CSP
@ -129,7 +129,6 @@ Parameters:
<li>User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.</li>
</ul>
Supported operation is Execute.
The following example removes a package for all users:
@ -164,6 +163,39 @@ Required. Used for managing apps from the Microsoft Store.
Supported operations are Get and Delete.
<a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement**
Added in Windows 10, next major version. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
> [!Note]
> ReleaseManagement settings only apply to updates through the Microsoft Store.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
Added in Windows 10, next major version. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
Added in Windows 10, next major version. Specifies the app channel ID.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
Added in Windows 10, next major version. The IT admin can specify a release ID to indicate a specific release they would like the user or device to be on.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
Added in Windows 10, next major version. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-channelid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
Added in Windows 10, next major version. Returns the last user channel ID on the device.
Value type is string. Supported operation is Get.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey-effectiverelease-releasemanagementid"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
Added in Windows 10, next major version. Returns the last user release ID on the device.
Value type is string. Supported operation is Get.
<a href="" id="----packagefamilyname"></a>**.../****_PackageFamilyName_**
Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
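Review bot: `EffectiveRelease` is described as used "when multiple user policies are set on the device. The device policy or last user policy is used", which leaves precedence ambiguous: does a device-scope policy override user policies, or does the most recently written user policy win? State the rule explicitly, since it decides which release a device actually receives. The new anchor ids (`id="appmanagement-releasemanagement"` and its children) also omit the `appstore` segment present in the node path `AppManagement/AppStore/ReleaseManagement`, unlike the other anchors in this file, and the `Added in Windows 10, next major version.` placeholders need the version number before publication.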
@ -222,8 +254,6 @@ Required. Architecture of installed package. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-installlocation"></a>**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
@ -231,7 +261,6 @@ Required. Install location of the app on the device. Value type is string.
> [!Note]
> Not applicable to XAP files.
 
Supported operation is Get.

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/23/2018
ms.date: 07/27/2018
---
# EnterpriseModernAppManagement DDF
@ -580,7 +580,7 @@ The XML below is for Windows 10, next major version.
</DFProperties>
</Node>
<Node>
<NodeName>ReleaseId</NodeName>
<NodeName>ReleaseManagementId</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -642,7 +642,7 @@ The XML below is for Windows 10, next major version.
</DFProperties>
</Node>
<Node>
<NodeName>ReleaseId</NodeName>
<NodeName>ReleaseManagementId</NodeName>
<DFProperties>
<AccessType>
<Get />
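Review bot: the rename from `ReleaseId` to `ReleaseManagementId` matches the node name in the CSP topic (`AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId`); the two hunks here cover the regular and EffectiveRelease subtrees, so check that no `ReleaseId` remains elsewhere in the DDF, and confirm the `ms.date` of 07/27/2018 is intended to be a month older than the CSP topic's 08/27/2018.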

Binary file not shown.


View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
ms.date: 08/29/2018
---
# NetworkProxy CSP
@ -31,44 +31,53 @@ The following diagram shows the NetworkProxy configuration service provider in t
![networkproxy csp](images/provisioning-csp-networkproxy.png)
<a href="" id="networkproxy"></a>**./Vendor/MSFT/NetworkProxy**
The root node for the NetworkProxy configuration service provider..</p>
The root node for the NetworkProxy configuration service provider..
<a href="" id="proxysettingsperuser"></a>**ProxySettingsPerUser**
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
Supported operations are Add, Get, Replace, and Delete.
> [!Note]
> Per user proxy configuration setting is not supported.
<a href="" id="autodetect"></a>**AutoDetect**
Automatically detect settings. If enabled, the system tries to find the path to a PAC script.</p>
Valid values:</p>
Automatically detect settings. If enabled, the system tries to find the path to a PAC script.
Valid values:
<ul>
<li>0 - Disabled</li>
<li>1 (default) - Enabled</li>
</ul>
The data type is int. Supported operations are Get and Replace.</p>
The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="setupscripturl"></a>**SetupScriptUrl**
Address to the PAC script you want to use.</p>
The data type is string. Supported operations are Get and Replace.</p>
Address to the PAC script you want to use.
The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="proxyserver"></a>**ProxyServer**
Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.</p>
Supported operation is Get.</p>
Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.
Supported operation is Get.
<a href="" id="proxyaddress"></a>**ProxyAddress**
Address to the proxy server. Specify an address in the format &lt;server&gt;[“:”&lt;port&gt;]. </p>
The data type is string. Supported operations are Get and Replace.</p>
Address to the proxy server. Specify an address in the format &lt;server&gt;[“:”&lt;port&gt;]. 
The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="exceptions"></a>**Exceptions**
Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. </p>
The data type is string. Supported operations are Get and Replace.</p>
Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. 
The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
<a href="" id="useproxyforlocaladdresses"></a>**UseProxyForLocalAddresses**
Specifies whether the proxy server should be used for local (intranet) addresses. </p>
Valid values:</p>
Specifies whether the proxy server should be used for local (intranet) addresses. 
Valid values:
<ul>
<li>0 (default) - Do not use proxy server for local addresses</li>
<li>1 - Use proxy server for local addresses</li>
</ul>
The data type is int. Supported operations are Get and Replace.</p>
The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported.
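Review bot: "Starting in Window 10, version 1803" is missing the "s" in "Windows" in all five added lines (AutoDetect, SetupScriptUrl, ProxyAddress, Exceptions, UseProxyForLocalAddresses); fix it once with a search-and-replace before merging. The stripped `</p>` tags are a good cleanup, but the root-node description still ends with a double period ("configuration service provider.."), and the ProxyAddress format uses curly quotes around the colon (`[“:”<port>]`), which readers may paste literally; plain `":"` would be safer.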

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/14/2018
ms.date: 08/27/2018
---
# What's new in MDM enrollment and management
@ -1419,6 +1419,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
<li>Security/RecoveryEnvironmentAuthentication</li>
<li>System/AllowDeviceNameInDiagnosticData</li>
<li>System/ConfigureMicrosoft365UploadEndpoint</li>
<li>System/DisableDeviceDelete</li>
<li>System/DisableDiagnosticDataViewer</li>
<li>Storage/RemovableDiskDenyWriteAccess</li>
<li>TaskManager/AllowEndTask</li>
<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates</li>
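Review bot: The four new System/* entries are inserted before Storage/RemovableDiskDenyWriteAccess, but the surrounding list is ordered alphabetically by policy area (Privacy, Security, Storage, TaskManager, Update), so they belong after the Storage entry.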
@ -1457,7 +1462,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</td></tr>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version.</p>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version. Added support for Windows 10 Pro.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[DevDetail CSP](devdetail-csp.md)</td>
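Review bot: "Added support for Windows 10 Pro." in this row does not say which version that support starts in, while the new BitLocker row in the table further down reads "starting in the next major version." Align the wording here ("Added support for Windows 10 Pro starting in the next major version.") so readers of either table get the same answer.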
@ -1768,6 +1773,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added support for Windows 10 Pro starting in the next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
</td></tr>
@ -1814,6 +1823,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
<li>System/AllowDeviceNameInDiagnosticData</li>
<li>System/ConfigureMicrosoft365UploadEndpoint</li>
<li>System/DisableDeviceDelete</li>
<li>System/DisableDiagnosticDataViewer</li>
<li>Storage/RemovableDiskDenyWriteAccess</li>
<li>Update/UpdateNotificationLevel</li>
</ul>
<p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>
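Review bot: Same ordering issue as the earlier list: the System/* entries are placed ahead of Storage/RemovableDiskDenyWriteAccess, but this list runs Privacy, Storage, Update alphabetically, so move them after the Storage entry.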

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
ms.date: 08/30/2018
---
# Policy CSP - Bluetooth
@ -243,7 +243,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to block user
The following list shows the supported values:
- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios
- 1 - Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios
- 1 - Allow (default). Allow users on these managed devices to use Swift Pair and other proximity based scenarios
<!--/SupportedValues-->
<!--/Policy-->

View File

@ -114,8 +114,8 @@ Here is an example:
```
<groupmembership>
<accessgroup desc="Administrators">
<member name="Contoso\Alice" />
<member name = "S-188-5-5666-5-688" / >
<member name="Contoso\Alice">
<member name = "S-188-5-5666-5-688">
</accessgroup>
</groupmembership>
```
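Review bot: Dropping the self-closing slash leaves both `<member>` elements unclosed in the new example (`<member name="Contoso\Alice">` and `<member name = "S-188-5-5666-5-688">`), so the snippet is no longer well-formed XML and will fail on a strict parser. If the goal was to remove the stray spaces in `/ >`, keep the elements self-closing: `<member name="Contoso\Alice" />` and `<member name="S-188-5-5666-5-688" />`. The sample SID also does not follow the `S-1-...` layout of real Windows SIDs, which may trip up readers who copy the example.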

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/10/2018
ms.date: 08/29/2018
---
# Policy CSP - Update
@ -715,6 +715,8 @@ The following list shows the supported values:
<!--Description-->
For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
Value type is integer. Default is 7 days.
Supported values range: 2-30.
@ -781,6 +783,8 @@ ADMX Info:
<!--Description-->
For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
Value type is integer. Default is 7 days.
Supported values range: 2-30.
@ -1503,6 +1507,11 @@ The following list shows the supported values:
<!--Description-->
For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
> [!Note]
> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period.
Value type is integer. Default is 14.
Supported value range: 2 - 30.
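Review bot: The added note refers to "Update/EngagedDeadline", which does not match the naming used elsewhere on this page (the what's-new list has Update/EngagedRestartDeadlineForFeatureUpdates); this looks like a typo for Update/EngagedRestartDeadline, the policy this section documents. The "reboot required -> engaged behavior -> forced reboot" chain would also read better as a short numbered sequence than as an arrow string inside a blockquote.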
@ -1757,9 +1766,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Value type is integer.
Value type is integer. Default value is 7 days.
Supported value range: 0 - 30.
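Review bot: The description still says the period "can be set between 2 and 30 days" while the line below says "Supported value range: 0 - 30"; the new "Default value is 7 days" does not resolve which bound is correct, so confirm whether 0 and 1 are accepted and make the two statements agree.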
@ -1822,7 +1831,7 @@ ADMX Info:
<!--Description-->
For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Value type is integer.
Value type is integer. Default value is 7 days.
Supported value range: 0 - 30.
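Review bot: The "scheduled_outside" typo fixed in the Quality Updates description above is still present in this hunk's Feature Updates description ("Auto restarts scheduled_outside of active hours"); fix it here too while adding the default. The same 2-30 versus 0-30 range mismatch applies to this policy as well.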
@ -3324,6 +3333,8 @@ ADMX Info:
<!--Description-->
Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
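Review bot: The new paragraph names Update/ActiveHoursStart and Update/ActiveHoursEnd with their policy-area prefix but refers to "ShareCartPC" without one, so readers cannot tell which CSP node is meant; use the full policy name. "After a buffer period after ActiveHoursEnd" also reads awkwardly; "Once a buffer period following ActiveHoursEnd has elapsed" is clearer.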

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/09/2018
ms.date: 08/29/2018
---
# Policy DDF file
@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
You can download the DDF files from the links below:
- [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
- [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
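Review bot: The new "version 1803 release C" link uses plain http:// while every other download in this list uses https://; a DDF fetched over cleartext HTTP can be modified in transit, so switch it to https://download.microsoft.com/... . The file name in that URL (PolicyDDF_all_1809C_release.xml) also says 1809C while the link text says 1803 release C; confirm which release the file is for and make the text match.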

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/02/2018
ms.date: 09/10/2018
---
# WindowsDefenderApplicationGuard CSP
@ -14,7 +14,7 @@ ms.date: 08/02/2018
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709.
The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
@ -132,12 +132,12 @@ If you disable or don't configure this policy, applications inside Windows Defen
<a href="" id="status"></a>**Status**
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
Bit 1 - Set to 1 when the client machine is Hyper-V capable
Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
Bit 3 - Set to 1 when WDAG installed on the client machine
Bit 4 - Set to 1 when required Network Isolation Policies are configured
Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
- Bit 1 - Set to 1 when the client machine is Hyper-V capable
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
- Bit 3 - Set to 1 when WDAG installed on the client machine
- Bit 4 - Set to 1 when required Network Isolation Policies are configured
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
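Review bot: Bit 3 reads "Set to 1 when WDAG installed on the client machine" and needs "is" ("when WDAG is installed"). Since this node returns a bitmask that admins have to decode, it would help to state each bit's value alongside its meaning (bit 0 = 1 through bit 5 = 32) now that the lines are a proper list.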

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/02/2018
ms.date: 09/10/2018
---
# WindowsDefenderApplicationGuard DDF file
@ -20,7 +20,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
This XML is for Windows 10, next major version.
``` syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"

View File

@ -30,9 +30,9 @@ To enable voice commands in Cortana
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, its best for that to happen in the foreground. However, if the app only uses basic commands and doesnt require interaction, it can happen in the background.
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
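Review bot: The corrected URLs embed the /en-us/ locale segment; docs.microsoft.com serves locale-free URLs in the reader's own language, and other docs.microsoft.com links on this page (for example the windows-insider links) omit it, so prefer https://docs.microsoft.com/cortana/voice-commands/... for both bullets.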

View File

@ -58,15 +58,18 @@ To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization
Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers.
>[!NOTE]
>These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor.
| Group Policy | MDM | Description | Applies to |
| --- | --- | --- | --- |
| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later |
| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later |
| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later |
| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 |
| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 |
| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 |
**User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 |
| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later |
| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later |
| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later |
| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 |
| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 |
| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 |
**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 |
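Review bot: The last row (**Turn off the Windows Spotlight on Settings** ...) still lacks the leading `|`, so markdown will not render it as part of the table; the removed line had the same defect and the rewrite carries it over. Add the leading pipe. Minor: that row's MDM name uses "on Settings" where the other rows capitalise "On".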

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
ms.author: daniha
ms.date: 10/17/2017
ms.date: 09/05/2019
---
# Change history for Update Windows 10
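Review bot: ms.date is set to 09/05/2019, a year ahead of the other dates updated in this same commit (09/07/2018, 09/10/2018); this looks like a typo for 09/05/2018.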
@ -38,6 +38,5 @@ All topics were updated to reflect the new [naming changes](waas-overview.md#nam
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
* [Windows Insider Program for Business](waas-windows-insider-for-business.md)
* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started)
* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register)
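Review bot: Both replacement bullets use the identical link text "Windows Insider Program for Business" for two different pages (wip-4-biz-get-started and wip-4-biz-register), so readers cannot tell them apart; give the second a distinct title that reflects the registration page it points to.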

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 06/01/2018
ms.date: 09/07/2018
---
# Overview of Windows as a service
@ -138,10 +138,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale
Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 23 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Since these apps arent included then not supported in Windows 10 Enterprise LTSB edition, including the case of the in-box application sideloading.
Therefore, its important to remember that Microsoft has positioned the LTSC model primarily for specialized devices.
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesnt include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even of you install by using sideloading.
>[!NOTE]
>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.
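Review bot: "even of you install by using sideloading" should read "even if you install them by using sideloading". In the unchanged line above, "every 23 years" appears to have lost its dash ("every 2-3 years"); worth fixing while this paragraph is being reworked.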

View File

@ -15,8 +15,8 @@ ms.date: 04/05/2018
Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: 
1. Start Windows PowerShell as an administrator
2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
2. Run `$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
3. Run `$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
| Output | Interpretation |
|-----------------------------------------------------|-----------------------------------|
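Review bot: Removing the `\$` escape is correct, but the rewritten step 3 still reads "intepret" (interpret) and "OffersWindowsUPdates"; the IUpdateService property is spelled OffersWindowsUpdates, and since the table below is keyed on that name the spelling should be fixed in the same change.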

View File

@ -142,7 +142,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>Pro</td>
<td>D</td>
<td></td>
<td></td>
@ -153,7 +153,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
</tr>
<tr>
<td>Professional Student</td>
<td>Pro Student</td>
<td>D</td>
<td></td>
<td></td>
@ -164,7 +164,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
</tr>
<tr>
<td>Professional WMC</td>
<td>Pro WMC</td>
<td>D</td>
<td></td>
<td></td>
@ -233,7 +233,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>Pro</td>
<td>D</td>
<td></td>
<td></td>

View File

@ -18,22 +18,19 @@ ms.date: 06/01/2018
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported.
- Windows 10 version 1703 or higher must be used. Supported editions are the following:
- Pro
- Pro Education
- Pro for Workstations
- Enterprise
- Education
- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
- Microsoft 365 Business subscriptions
- Microsoft 365 F1 subscriptions
- Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
- Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
- Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
Additionally, the following are also recommended but not required:
- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
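Review bot: The removed sentence listed Business among the supported editions; the new bulleted list drops it while adding Pro for Workstations. If dropping Business is intentional, fine, but readers will take the list as exhaustive, so confirm before merging.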

View File

@ -31,9 +31,7 @@ Before you can use this tool, you must turn on data viewing in the **Settings**
**To turn on data viewing**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
![Location to turn on data viewing](images/ddv-data-viewing.png)
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.<p>![Location to turn on data viewing](images/ddv-data-viewing.png)
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
@ -44,11 +42,7 @@ You must start this app from the **Settings** panel.
**To start the Diagnostic Data Viewer**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
Go to **Start** and search for _Diagnostic Data Viewer_.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.<p>![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<p>-OR-<p> Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
@ -58,25 +52,15 @@ You must start this app from the **Settings** panel.
### Use the Diagnostic Data Viewer
The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data.
- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.
- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.<p> Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system.
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.<p>Selecting an event opens the detailed JSON view, with the matching text highlighted.
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.<p>Selecting a check box lets you filter between the diagnostic event categories.
Selecting an event opens the detailed JSON view, with the matching text highlighted.
- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.<p>To signify your contribution, youll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.
Selecting a check box lets you filter between the diagnostic event categories.
- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
To signify your contribution, youll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.<p>Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**.
>[!Important]
>All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments.
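Review bot: The bullets in this hunk replace the blank-line continuation paragraphs with unclosed `<p>` tags (for example `...sent to Microsoft.<p> Selecting an event...` and `...used by Microsoft.<p>Selecting a check box...`), and the spacing after the tag differs from bullet to bullet; use the `<br><br>` form already used in the Problem Reports step, or an indented continuation paragraph, and apply the same form in every bullet. In the "Help to make your Windows experience better" bullet, "a small amount of devices" should read "a small number of devices".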
@ -87,17 +71,10 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
**To turn off data viewing**
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
![Location to turn off data viewing](images/ddv-settings-off.png)
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.<p>![Location to turn off data viewing](images/ddv-settings-off.png)
## View additional diagnostic data in the View problem reports tool
You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
**To view your Windows Error Reporting diagnostic data**
1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.<br><br>-OR-<br><br>
Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
![View problem reports tool with report statuses](images/ddv-problem-reports-screen.png)
1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.<p>-OR-<p>Go to **Start** and search for _Problem Reports_.<p>The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.<p>![View problem reports tool with report statuses](images/ddv-problem-reports-screen.png)
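Review bot: The tool is named three ways in this hunk: the heading says **View problem reports** tool, the step text says "The **Review problem reports** tool opens", and the Control Panel path ends in **Problem Reports**; pick one name for the window and use it throughout. While this region is being edited, the sentence visible in the hunk header, "you should turn of data viewing", should read "turn off".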

View File

@ -70,115 +70,5 @@
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
### [Isolating Microsoft Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
#### [Understanding the Windows Firewall with Advanced Security Design Process](windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md)
#### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
##### [Protect Devices from Unwanted Network Traffic](windows-firewall/protect-devices-from-unwanted-network-traffic.md)
##### [Restrict Access to Only Trusted Devices](windows-firewall/restrict-access-to-only-trusted-devices.md)
##### [Require Encryption When Accessing Sensitive Network Resources](windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md)
##### [Restrict Access to Only Specified Users or Computers](windows-firewall/restrict-access-to-only-specified-users-or-devices.md)
#### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
##### [Basic Firewall Policy Design](windows-firewall/basic-firewall-policy-design.md)
##### [Domain Isolation Policy Design](windows-firewall/domain-isolation-policy-design.md)
##### [Server Isolation Policy Design](windows-firewall/server-isolation-policy-design.md)
##### [Certificate-based Isolation Policy Design](windows-firewall/certificate-based-isolation-policy-design.md)
#### [Evaluating Windows Firewall with Advanced Security Design Examples](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Firewall Policy Design Example](windows-firewall/firewall-policy-design-example.md)
##### [Domain Isolation Policy Design Example](windows-firewall/domain-isolation-policy-design-example.md)
##### [Server Isolation Policy Design Example](windows-firewall/server-isolation-policy-design-example.md)
##### [Certificate-based Isolation Policy Design Example](windows-firewall/certificate-based-isolation-policy-design-example.md)
#### [Designing a Windows Firewall with Advanced Security Strategy](windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md)
##### [Gathering the Information You Need](windows-firewall/gathering-the-information-you-need.md)
###### [Gathering Information about Your Current Network Infrastructure](windows-firewall/gathering-information-about-your-current-network-infrastructure.md)
###### [Gathering Information about Your Active Directory Deployment](windows-firewall/gathering-information-about-your-active-directory-deployment.md)
###### [Gathering Information about Your Computers](windows-firewall/gathering-information-about-your-devices.md)
###### [Gathering Other Relevant Information](windows-firewall/gathering-other-relevant-information.md)
##### [Determining the Trusted State of Your Computers](windows-firewall/determining-the-trusted-state-of-your-devices.md)
#### [Planning Your Windows Firewall with Advanced Security Design](windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md)
##### [Planning Settings for a Basic Firewall Policy](windows-firewall/planning-settings-for-a-basic-firewall-policy.md)
##### [Planning Domain Isolation Zones](windows-firewall/planning-domain-isolation-zones.md)
###### [Exemption List](windows-firewall/exemption-list.md)
###### [Isolated Domain](windows-firewall/isolated-domain.md)
###### [Boundary Zone](windows-firewall/boundary-zone.md)
###### [Encryption Zone](windows-firewall/encryption-zone.md)
##### [Planning Server Isolation Zones](windows-firewall/planning-server-isolation-zones.md)
##### [Planning Certificate-based Authentication](windows-firewall/planning-certificate-based-authentication.md)
###### [Documenting the Zones](windows-firewall/documenting-the-zones.md)
###### [Planning Group Policy Deployment for Your Isolation Zones](windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md)
####### [Planning Isolation Groups for the Zones](windows-firewall/planning-isolation-groups-for-the-zones.md)
####### [Planning Network Access Groups](windows-firewall/planning-network-access-groups.md)
####### [Planning the GPOs](windows-firewall/planning-the-gpos.md)
######## [Firewall GPOs](windows-firewall/firewall-gpos.md)
######### [GPO_DOMISO_Firewall](windows-firewall/gpo-domiso-firewall.md)
######## [Isolated Domain GPOs](windows-firewall/isolated-domain-gpos.md)
######### [GPO_DOMISO_IsolatedDomain_Clients](windows-firewall/gpo-domiso-isolateddomain-clients.md)
######### [GPO_DOMISO_IsolatedDomain_Servers](windows-firewall/gpo-domiso-isolateddomain-servers.md)
######## [Boundary Zone GPOs](windows-firewall/boundary-zone-gpos.md)
######### [GPO_DOMISO_Boundary](windows-firewall/gpo-domiso-boundary.md)
######## [Encryption Zone GPOs](windows-firewall/encryption-zone-gpos.md)
######### [GPO_DOMISO_Encryption](windows-firewall/gpo-domiso-encryption.md)
######## [Server Isolation GPOs](windows-firewall/server-isolation-gpos.md)
####### [Planning GPO Deployment](windows-firewall/planning-gpo-deployment.md)
#### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
#### [Planning to Deploy Windows Firewall with Advanced Security](windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md)
#### [Implementing Your Windows Firewall with Advanced Security Design Plan](windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md)
#### [Checklist: Creating Group Policy Objects](windows-firewall/checklist-creating-group-policy-objects.md)
#### [Checklist: Implementing a Basic Firewall Policy Design](windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md)
#### [Checklist: Configuring Basic Firewall Settings](windows-firewall/checklist-configuring-basic-firewall-settings.md)
#### [Checklist: Creating Inbound Firewall Rules](windows-firewall/checklist-creating-inbound-firewall-rules.md)
#### [Checklist: Creating Outbound Firewall Rules](windows-firewall/checklist-creating-outbound-firewall-rules.md)
#### [Checklist: Implementing a Domain Isolation Policy Design](windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md)
##### [Checklist: Configuring Rules for the Isolated Domain](windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md)
##### [Checklist: Configuring Rules for the Boundary Zone](windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md)
##### [Checklist: Configuring Rules for the Encryption Zone](windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md)
##### [Checklist: Configuring Rules for an Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md)
#### [Checklist: Implementing a Standalone Server Isolation Policy Design](windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md)
##### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
##### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
#### [Checklist: Implementing a Certificate-based Isolation Policy Design](windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md)
#### [Procedures Used in This Guide](windows-firewall/procedures-used-in-this-guide.md)
##### [Add Production Devices to the Membership Group for a Zone](windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md)
##### [Add Test Devices to the Membership Group for a Zone](windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md)
##### [Assign Security Group Filters to the GPO](windows-firewall/assign-security-group-filters-to-the-gpo.md)
##### [Change Rules from Request to Require Mode](windows-firewall/change-rules-from-request-to-require-mode.md)
##### [Configure Authentication Methods](windows-firewall/configure-authentication-methods.md)
##### [Configure Data Protection (Quick Mode) Settings](windows-firewall/configure-data-protection-quick-mode-settings.md)
##### [Configure Group Policy to Autoenroll and Deploy Certificates](windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md)
##### [Configure Key Exchange (Main Mode) Settings](windows-firewall/configure-key-exchange-main-mode-settings.md)
##### [Configure the Rules to Require Encryption](windows-firewall/configure-the-rules-to-require-encryption.md)
##### [Configure the Windows Firewall Log](windows-firewall/configure-the-windows-firewall-log.md)
##### [Configure the Workstation Authentication Certificate Template](windows-firewall/configure-the-workstation-authentication-certificate-template.md)
##### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
##### [Confirm That Certificates Are Deployed Correctly](windows-firewall/confirm-that-certificates-are-deployed-correctly.md)
##### [Copy a GPO to Create a New GPO](windows-firewall/copy-a-gpo-to-create-a-new-gpo.md)
##### [Create a Group Account in Active Directory](windows-firewall/create-a-group-account-in-active-directory.md)
##### [Create a Group Policy Object](windows-firewall/create-a-group-policy-object.md)
##### [Create an Authentication Exemption List Rule](windows-firewall/create-an-authentication-exemption-list-rule.md)
##### [Create an Authentication Request Rule](windows-firewall/create-an-authentication-request-rule.md)
##### [Create an Inbound ICMP Rule](windows-firewall/create-an-inbound-icmp-rule.md)
##### [Create an Inbound Port Rule](windows-firewall/create-an-inbound-port-rule.md)
##### [Create an Inbound Program or Service Rule](windows-firewall/create-an-inbound-program-or-service-rule.md)
##### [Create an Outbound Port Rule](windows-firewall/create-an-outbound-port-rule.md)
##### [Create an Outbound Program or Service Rule](windows-firewall/create-an-outbound-program-or-service-rule.md)
##### [Create Inbound Rules to Support RPC](windows-firewall/create-inbound-rules-to-support-rpc.md)
##### [Create WMI Filters for the GPO](windows-firewall/create-wmi-filters-for-the-gpo.md)
##### [Enable Predefined Inbound Rules](windows-firewall/enable-predefined-inbound-rules.md)
##### [Enable Predefined Outbound Rules](windows-firewall/enable-predefined-outbound-rules.md)
##### [Exempt ICMP from Authentication](windows-firewall/exempt-icmp-from-authentication.md)
##### [Link the GPO to the Domain](windows-firewall/link-the-gpo-to-the-domain.md)
##### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
##### [Open the Group Policy Management Console to IP Security Policies](windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md)
##### [Open the Group Policy Management Console to Windows Firewall](windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md)
##### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
##### [Open Windows Firewall with Advanced Security](windows-firewall/open-windows-firewall-with-advanced-security.md)
##### [Restrict Server Access to Members of a Group Only](windows-firewall/restrict-server-access-to-members-of-a-group-only.md)
##### [Turn on Windows Firewall and Configure Default Behavior](windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md)
##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md)
## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
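Review bot: This hunk removes the entire Windows Firewall with Advanced Security subtree (roughly 110 TOC entries under `windows-firewall/`) from the identity-protection TOC, and the index hunk further down drops the matching table row, but no hunk shown here adds those entries to another TOC or adds redirects for the removed `identity-protection/windows-firewall/...` paths; confirm the relocation and the redirects are part of this change, otherwise inbound links to those topics break.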

View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 05/18/2018
ms.date: 09/04/2018
---
# Manage Windows Defender Credential Guard
@ -98,7 +98,7 @@ If you enable Windows Defender Credential Guard by using Group Policy, the steps
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot
```
### Review Windows Defender Credential Guard performance
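Review bot: The code fence around `DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot` has no language tag; since the version bump touches this line anyway, tag the fence with `powershell` (the same applies to the `-Ready` and `-Disable -AutoReboot` fences in the two hunks that follow) so the command is highlighted and is clearly a PowerShell invocation rather than a cmd command.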
@ -118,7 +118,7 @@ You can view System Information to check that Windows Defender Credential Guard
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Ready
DG_Readiness_Tool_v3.5.ps1 -Ready
```
> [!NOTE]
@ -186,7 +186,7 @@ For more info on virtualization-based security and Windows Defender Device Guard
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot
DG_Readiness_Tool_v3.5.ps1 -Disable -AutoReboot
```
#### Disable Windows Defender Credential Guard for a virtual machine

View File

@ -25,5 +25,4 @@ Learn more about identity annd access management technologies in Windows 10 and
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
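Review bot: The hunk-header context line "Learn more about identity annd access management technologies" carries a typo ("annd" for "and"); since this file is being edited, fix it in the same change. Removing the Windows Firewall row here is consistent with the TOC removal above, so the two hunks belong together.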

View File

@ -187,7 +187,7 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
| Registry key | Group Policy setting | Registry setting |
| - | - | - |
| FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled<br />1 = Enabled |
| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled<br />1 = Enabled |
| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled<br />1 = Enabled |
| ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting<br />1 = Prompt for credentials on the secure desktop<br />2 = Prompt for consent on the secure desktop<br />3 = Prompt for credentials<br />4 = Prompt for consent<br />5 (Default) = Prompt for consent for non-Windows binaries<br /> |
| ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests<br />1 = Prompt for credentials on the secure desktop<br />3 (Default) = Prompt for credentials |
| EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)<br />0 = Disabled (default for enterprise) |

View File

@ -15,7 +15,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows 10 credential theft mitigation guide.docx).
This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
- Identify high-value assets

View File

@ -22,7 +22,7 @@ metadata:
manager: brianlic
ms.date: 07/12/2018
ms.date: 08/01/2018
ms.topic: article
@ -78,17 +78,3 @@ sections:
title: Information protection
- title: Windows Defender Advanced Threat Protection
items:
- type: markdown
text: "
Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
<br>&nbsp;<br>
<table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
<tr><td>[Hardware based isolation](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
<td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
<td>[Alerts queue](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
<td>[Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
<td>[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)<br><br>[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)</td>
</tr>
</table>"

View File

@ -22,14 +22,13 @@
### [BitLocker Group Policy settings](bitlocker\bitlocker-group-policy-settings.md)
### [BCD settings and BitLocker](bitlocker\bcd-settings-and-bitlocker.md)
### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md)
### [Protect BitLocker from pre-boot attacks](bitlocker\protect-bitlocker-from-pre-boot-attacks.md)
#### [Types of attacks for volume encryption keys](bitlocker\types-of-attacks-for-volume-encryption-keys.md)
#### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
#### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md)
### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md)
### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
## [Encrypted Hard Drive](encrypted-hard-drive.md)
## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
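Review bot: Folding **Protect BitLocker from pre-boot attacks**, **Types of attacks for volume encryption keys**, and **Choose the Right BitLocker Countermeasure** into the single **BitLocker Countermeasures** entry leaves three former paths (`bitlocker\protect-bitlocker-from-pre-boot-attacks.md`, `bitlocker\types-of-attacks-for-volume-encryption-keys.md`, `bitlocker\choose-the-right-bitlocker-countermeasure.md`) without a TOC entry; confirm that redirects for those three paths are included in this change so existing links keep resolving.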

View File

@ -7,137 +7,185 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 10/27/2017
ms.date: 09/06/2018
---
# BitLocker Countermeasures
**Applies to**
- Windows 10
Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computers hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by:
Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks.
BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
Data on a lost or stolen computer is vulnerable.
For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computers hard disk to a different computer.
- **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computers boot components appear unaltered and the encrypted disk is located in the original computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by:
The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup.
- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computers BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
 
The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 10, Windows 8.1, and Windows 8.
### Protection before startup
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM.
## Protection before startup
#### Trusted Platform Module
Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot.
Software alone isnt sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.
### Trusted Platform Module
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, theyll probably destroy the chip in the process.
By binding the BitLocker encryption key with the TPM and properly configuring the device, its nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized users credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.
For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
On some platforms, TPM can alternatively be implemented as a part of secure firmware.
BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline.
For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview).
#### UEFI and Secure Boot
### UEFI and Secure Boot
No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solutions encryption keys.
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating systems bootloader.
The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating systems bootloader. As part of its introduction into the preoperating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature.
The UEFI specification defines a firmware execution authentication process called [Secure Boot](https://docs.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process).
Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the devices firmware before running it. Because only the PCs hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust.
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement.
An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key.
Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
With the legacy BIOS boot process, the preoperating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes.
### BitLocker and reset attacks
![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg)
To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
**Figure 1.** The BIOS and UEFI startup processes
>[!NOTE]
>This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether its trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloaders digital signature.
Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate.
## Security policies
If the bootloader passes these two tests, UEFI knows that the bootloader isnt a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files havent been changed.
The next sections cover pre-boot authentication and DMA policies that can provide additional protection for BitLocker.
Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot:
### Pre-boot authentication
- They must have Secure Boot enabled by default.
- They must trust Microsofts certificate (and thus any bootloader Microsoft has signed).
- They must allow the user to configure Secure Boot to trust other signed bootloaders.
- Except for Windows RT devices, they must allow the user to completely disable Secure Boot.
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible.
The Group Policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed.
If Windows cant access the encryption keys, the device cant read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of
Secure Boot on Windows-certified devices.
- **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems.
- **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however.
To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
Any device that doesnt require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution.
UEFI is secure by design, but its critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly.
For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](https://technet.microsoft.com/windows/dn168167.aspx).
### Protection during pre-boot: Pre-boot authentication
Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key.
If Windows cant access the encryption key, the device cant read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they wont be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key.
The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: Thats merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future.
Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key.
This helps mitigate DMA and memory remanence attacks.
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
- **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data.
- **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.
- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. TPMs also have [anti-hammering protection](https://docs.microsoft.com/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.
For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself.
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, theyre denied access to their data until they can contact their organizations support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png)
BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold bootstyle attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
You can mitigate the risk of booting to a malicious operating system:
On the other hand, Pre-boot authentication prompts can be inconvenient to users.
In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organizations support team to obtain a recovery key.
Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
- **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option.
- **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot.
To address these issues, you can deploy [BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock).
Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention.
It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protection During Startup
### Protecting Thunderbolt and other DMA ports
During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail.
There are a few different options to protect DMA ports, such as Thunderbolt™3.
Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default.
This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
**Trusted Boot**
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
![Kernel DMA protection](images/kernel-dma-protection.png)
Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, its possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled.
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
**Early Launch Antimalware**
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607):
Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps dont start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
- MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
- Group Policy: [Disable new DMA devices when this computer is locked](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.)
Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete.
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps.
## Attack countermeasures
To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
This section covers countermeasures for specific types attacks.
With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
ELAM classifies drivers as follows:
### Bootkits and rootkits
- **Good.** The driver has been signed and has not been tampered with.
- **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized.
- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
- **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver.
A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys.
The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released.
This is the default configuration.
While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks.
Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
### Protection After Startup: eliminate DMA availability
### Brute force attacks against a PIN
Require TPM + PIN for anti-hammering protection.
Windows Modern Standbycertified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA.
### DMA attacks
See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this topic.
### Paging file, crash dump, and Hyberfil.sys attacks
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives.
It also blocks automatic or manual attempts to move the paging file.
### Memory remanence
Enable Secure Boot and require a password to change BIOS settings.
For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
## Attacker countermeasures
The following sections cover mitigations for different types of attackers.
### Attacker without much skill or with limited physical access
Physical access may be limited by a form factor that does not expose buses and memory.
For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
Mitigation:
- Pre-boot authentication set to TPM only (the default)
### Attacker with skill and lengthy physical access
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
Mitigation:
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation).
-And-
- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy:
- Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu
- Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in)
- Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery)
These settings are **Not configured** by default.
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol2aallow-enhanced-pins-for-startup) is:
Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup
This setting is **Not configured** by default.
For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device.
## See also
- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md)
- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
- [BitLocker overview](bitlocker-overview.md)
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
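Review bot: the See also list at the end of this file still links to types-of-attacks-for-volume-encryption-keys.md, choose-the-right-bitlocker-countermeasure.md and protect-bitlocker-from-pre-boot-attacks.md, and all three files are deleted later in this same commit, so these become dead relative links on the consolidated page; drop them, or replace them with anchors into the sections of this topic that absorbed that content. Two smaller points in the same region: "-And-" sitting between the two bullets reads as a stray list item and should be folded into the sentence that introduces the list, and the closing recommendation has a number-agreement problem; suggest "Microsoft recommends a TPM with a PIN protector, disabling Standby power management, and shutting down or hibernating the device before it leaves the control of an authorized user."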


@ -1,138 +0,0 @@
---
title: Choose the right BitLocker countermeasure (Windows 10)
description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 10/27/2017
---
# Choose the right BitLocker countermeasure
**Applies to**
- Windows 10
This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks.
You can use BitLocker to protect your Windows 10 PCs. Whichever operating system youre using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication.
Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings.
<table>
<colgroup>
<col width="20%" />
<col width="25%" />
<col width="55%" />
</colgroup>
<tr>
<td></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 8.1<br>without TPM</strong></font></p></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 8.1 Certified<br>(with TPM)</strong></font></p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication</p></td>
</tr>
</table>
**Table 1.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 8.1<br><br>
<table>
<colgroup>
<col width="20%" />
<col width="25%" />
<col width="55%" />
</colgroup>
<tr>
<td></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 10<br>without TPM</strong></font></p></td>
<td BGCOLOR="#01BCF3">
<p><font color="#FFFFFF"><strong>Windows 10 Certified<br>(with TPM)</strong></font></p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Bootkits and<br>Rootkits</p></font></td>
<td BGCOLOR="#FED198"><p>Without TPM, boot integrity checking is not available</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings</p></td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Brute Force<br>Sign-in</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout Group Policy</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default, and can be improved with account lockout and device lockout Group Policy settings</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">DMA<br>Attacks</p></font></td>
<td BGCOLOR="#99E4FB"><p>If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; certified devices do not expose vulnerable DMA busses.<br>Can be additionally secured by deploying policy to restrict DMA devices:</p>
<ul>
<li><p><a href="https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#DataProtection_AllowDirectMemoryAccess">DataProtection/AllowDirectMemoryAccess</a></p></li>
<li><p><a href="https://support.microsoft.com/en-us/kb/2516445">Block 1394 and Thunderbolt</a></p></li></ul>
</td>
</tr>
<tr class="even">
<td BGCOLOR="FF8C01">
<p><font color="#FFFFFF">Hyberfil.sys<br>Attacks</font></p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
<td BGCOLOR="#99E4FB"><p>Secure by default; hyberfil.sys secured on encrypted volume</p></td>
</tr>
<tr class="odd">
<td BGCOLOR="#FF8C01">
<p><font color="#FFFFFF">Memory<br>Remanence<br>Attacks</p></font></td>
<td BGCOLOR="#FED198"><p>Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication</p></td>
<td BGCOLOR="#99E4FB"><p>Password protect the firmware and ensure Secure Boot is enabled.<br>The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.</p></td>
</tr>
</table>
**Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
The latest Modern Standby devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA portbased attacks, which represent the attack vector of choice, are not possible on Modern Standby devices because these port types are prohibited. The inclusion of DMA ports on even non-Modern Standby devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier groups analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)).
Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack.
In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations
outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs.
## See also
- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md)
- [BitLocker Countermeasures](bitlocker-countermeasures.md)
- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
- [BitLocker overview](bitlocker-overview.md)
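Review bot: before this file goes, confirm that two pieces of its guidance survive in the consolidated topic, because neither is visible in the bitlocker-countermeasures.md tail above: the DataProtection/AllowDirectMemoryAccess MDM policy and its Group Policy equivalent "Disable new DMA devices when this computer is locked" (Windows 10, version 1703 and later) together with the setting path under Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption, and the Windows 7 advice to disable booting from external media, password-protect the BIOS configuration and disable DMA ports rather than require pre-boot authentication. Also grep the docs set for relative links to choose-the-right-bitlocker-countermeasure.md; the surviving bitlocker-countermeasures.md still lists it under See also, so at least one inbound link is broken by this deletion.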
 
 

Binary file not shown (image added, 263 KiB).
Binary file not shown (image added, 1.2 MiB).


@ -1,43 +0,0 @@
---
title: Protect BitLocker from pre-boot attacks (Windows 10)
description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration.
ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
---
# Protect BitLocker from pre-boot attacks
**Applies to**
- Windows 10
This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration.
BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating systems integrity, disk encryption solution (for example, encryption keys), and the PCs data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting
Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key.
Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management.
Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network.
If users lose their USB key or forget their PIN, they cant access their PC without a recovery key. With a properly configured infrastructure, the organizations support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time.
Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computers memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use.
## In this topic
The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it.
- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md)
- [BitLocker countermeasures](bitlocker-countermeasures.md)
- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
## See also
- [BitLocker overview](bitlocker-overview.md)
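Review bot: this file carries the only navigation tying the three sibling topics together (the "In this topic" list) and the cost argument that justifies skipping pre-boot authentication: hibernate on every unattended period, no remote access to the PC until someone authenticates locally, and recovery-key support cost when a PIN or USB key is lost. Check that this reasoning, or a summary of it, exists in the consolidated bitlocker-countermeasures.md; without it the recommendation to rely on Secure Boot, TPM measurement and a firmware password instead of pre-boot authentication loses its rationale. The "Starting with Windows 8" paragraph (Secure Boot, Trusted Boot, and devices with non-removable memory) is likewise worth preserving as the one-paragraph summary of why the newer defaults are sufficient.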
 
 


@ -1,129 +0,0 @@
---
title: Types of attacks for volume encryption keys (Windows 10)
description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts.
ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 10/27/2017
---
# Types of attacks for volume encryption keys
**Applies to**
- Windows 10
There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts.
The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attacks strengths and weaknesses as well as suggested mitigations.
### Bootkit and rootkit attacks
Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys.
Different types of bootkits and rootkits load at different software levels:
- **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers.
- **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications.
- **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malwares presence.
- **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor.
- **Firmware level.** These rootkits overwrite the PCs BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if its cleaned or removed from the hard disk.
Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory.
Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PCs firmware or simply start Windows under its control.
To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the devices Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks.
Although password protection of the UEFI configuration is important for protecting a devices configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the systems bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesnt use a devices TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a users password or acquire encryption keys.
For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the preoperating system environment before making encrypted volumes accessible.
Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, its not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives).
### Brute-force Sign-in Attacks
Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method.
Three opportunities for brute-force attacks exist:
- **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the users BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key.
- **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful.
- **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical.
In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts.
### Direct Memory Access Attacks
Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a devices system memory. For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computers memory.
Unfortunately, DMA ports dont use authentication and access control to protect the contents of the computers memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys.
DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and
others, and then use a DMA attack to read confidential data from a PCs memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack.
Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable:
- FireWire
- Thunderbolt
- ExpressCard
- PCMCIA
- PCI
- PCI-X
- PCI Express
To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software
scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents.
A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. When connected, the attacking device could use a DMA attack to scan the PCs memory for the encryption key. It could then transmit the key (or any data in the PCs memory) using the PCs Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time).
Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsofts view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any Modern Standby-certified devices. Modern Standby devices offer mobile phonelike power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets.
DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC.
To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
### Hiberfil.sys Attacks
The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.
Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
### Memory Remanence Attacks
A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PCs memory is often considered to be cleared when the PC is restarted, memory chips dont immediately lose their memory when you disconnect power. Therefore, an attacker who has physical access to the PCs memory might be able to read data directly from the memory—including the encryption key.
When performing this type of cold boot attack, the attacker accesses the PCs physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files.
To acquire the keys, attackers follow this process:
1. Freeze the PCs memory. For example, an attacker can freeze the memory to 50°C by spraying it with aerosol air duster spray.
2. Restart the PC.
3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD.
4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys.
5. The attacker uses the encryption keys to access the drives data.
If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier groups analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard.
Although Princetons research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008:
- Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device.
- Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented.
- If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot.
- The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks.
- Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the systems configuration may enable booting to the malicious tools.
Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078).
The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication.
## See also
- [BitLocker countermeasures](bitlocker-countermeasures.md)
- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
- [BitLocker overview](bitlocker-overview.md)
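Review bot: the brute-force figures in the "Against the recovery key" bullet are internally inconsistent and should be corrected wherever this text is moved rather than copied as-is: 18,446,744,073,709,551,616 is 2^64, not 2^128, and with 128 bits of entropy the expected number of guesses is 2^127 (about 1.7 x 10^38), which at one million guesses per second is roughly 5 x 10^24 years rather than 580,000 years. Separately, the DMA section's list of DMA-capable buses (FireWire, Thunderbolt, ExpressCard, PCMCIA, PCI, PCI-X, PCI Express), the note that USB does not allow DMA, and the mitigation of disabling FireWire and similar device types by policy or firmware settings are not covered by the new Kernel DMA Protection topic added in this commit, which states that it does not protect against 1394/FireWire, PCMCIA, CardBus or ExpressCard; make sure the consolidated countermeasures topic retains that list and the KB2516445 blocking guidance.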

Binary file not shown (image added, 41 KiB).
Binary file not shown (image added, 21 KiB).


@ -0,0 +1,109 @@
---
title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10)
description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: aadake
ms.date: 09/06/2018
---
# Kernel DMA Protection for Thunderbolt™ 3
**Applies to**
- Windows 10
In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
## Background
PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations.
The DMA capability is what makes PCI devices the highest performing devices available today.
These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard.
Access to these devices required the user to turn off power to the system and disassemble the chassis.
Today, this is no longer the case with Thunderbolt™.
Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs.
It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB.
Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC.
A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, and attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
## How Windows protects against DMA drive-by attacks
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping).
Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
## User experience
![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked.
Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged.
The devices will continue to function normally if the user locks the screen or logs out of the system.
## System compatibility
Kernel DMA Protection requires new UEFI firmware support.
This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32).
Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
>[!NOTE]
>Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
## Enabling Kernel DMA protection
Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
**To check if a device supports kernel DMA protection**
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in BitLocker Countermeasures.
- Reboot system into Windows 10.
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
## Frequently asked questions
### Do in-market systems support Kernel DMA protection for Thunderbolt™ 3?
In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees.
### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
### How can I check if a certain driver supports DMA-remapping?
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the following Property GUID (highlighted in red in the image below) in the Details tab of a device in Device Manager. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
![Kernel DMA protection user experience](images/device-details-tab.png)
### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation).
### Do Microsoft drivers support DMA-remapping?
In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.
### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
### How can an enterprise enable the “External device enumeration” policy?
The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM):
- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
## Related topics
- [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md)
- [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
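Review bot: the answer to "What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?" ships an author placeholder, "Details for driver compatibility requirements can be found here (add link to OEM documentation)."; add the link or drop the sentence before this topic publishes. The image path in step 2 of "To check if a device supports kernel DMA protection", `bitlocker/images/kernel-dma-protection.png`, is inconsistent with the other two images in the same topic, which are referenced under `images/`; check which folder the new binaries were added to. In "How can I check if a certain driver supports DMA-remapping?", the Property GUID the reader must look up is conveyed only as a red highlight in a screenshot; state the property name or GUID in text so it is searchable and accessible, and note in the same paragraph that the value is per driver instance (the following sentence already says so but reads as an afterthought). The NOTE block that recommends disabling the BitLocker DMA countermeasures when Kernel DMA Protection is present should name or link the specific setting to turn off, since "BitLocker DMA attacks countermeasures" is not a setting an admin can search for. Minor wording: "and attacker steps in" should be "an attacker steps in", "injects a malware" should be "injects malware", "provides higher security bar" should be "provides a higher security bar", and "do support Kernel DMA Protection do have this security feature enabled" reads better as "that support Kernel DMA Protection have this security feature enabled".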

View File

@ -68,7 +68,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr
## TPM Cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx).
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/).
## Physical presence interface
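Review bot: the replacement link carries the `en-us` locale segment (`https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/`); docs.microsoft.com links elsewhere in this commit omit the locale (for example the DmaGuard link `https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies`) so that readers are served their own language. Suggest `https://docs.microsoft.com/powershell/module/trustedplatformmodule/`.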
@ -144,6 +144,6 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx)
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/)
- [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
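Review bot: the updated "TPM Cmdlets in Windows PowerShell" entry in Related topics also includes the `en-us` locale segment; use `https://docs.microsoft.com/powershell/module/trustedplatformmodule/` here as well so the body link and the Related topics link stay identical and locale-neutral.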

View File

@ -1,42 +1,24 @@
# [Threat protection](index.md)
## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
####Get started
##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
####Investigate and remediate threats
#####Alerts queue
### [Overview](windows-defender-atp/overview.md)
#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
##### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
##### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
#### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md)
##### Alerts queue
###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
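Review bot: this hunk removes the entire onboarding subtree ("Onboard machines" through "Troubleshoot onboarding issues", including the Group Policy, SCCM, MDM, Intune, local script, VDI, server and non-Windows onboarding pages) together with "Troubleshoot subscription and portal access issues" and "Understand the portal", and no replacement for them is visible in this diff; confirm they are reinstated under the new "Configure and manage capabilities" node, otherwise those topics drop out of the TOC while still being published. The removed entries used backslash path separators (`windows-defender-atp\...`) and the new ones use forward slashes, which is the form that resolves on all build hosts; keep that change.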
@ -46,10 +28,7 @@
###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
#####Machines list
##### Machines list
###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
@ -77,18 +56,238 @@
####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
#### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
#### [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)
##### [Learn about the automated investigation and remediation dashboard](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md)
#### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
##### [Threat analytics](windows-defender-atp/threat-analytics.md)
###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
#### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
###### [Advanced hunting query language best practices](windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
##### [Custom detections](windows-defender-atp/overview-custom-detections.md)
###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
#### [Management and APIs](windows-defender-atp/management-apis.md)
##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
######Actor
####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
######Alerts
####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
#######Domain
######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
######File
####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
######IP
####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
######Machines
####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
######User
####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
##### [Managed service provider provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md)
#### [Portal overview](windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md)
### [Get started](windows-defender-atp/get-started.md)
#### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Validate licensing and complete setup](windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md)
#### [Preview features](windows-defender-atp/preview-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Evaluate Windows Defender ATP](windows-defender-atp/evaluate-atp.md)
#####Evaluate attack surface reduction
###### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
###### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
###### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
###### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
###### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
###### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
#### [Access the Windows Defender Security Center Community Center](windows-defender-atp/community-windows-defender-advanced-threat-protection.md)
### [Configure and manage capabilities](windows-defender-atp/onboard.md)
#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
###### [Customize controlled folder access](windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
###### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
#### [Configure next generation protection](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next generation protection in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Configure Secure score dashboard security controls](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md)
#### Management and API support
##### [Onboard machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md)
###### [Onboard previous versions of Windows](windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md)
###### [Onboard Windows 10 machines](windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using Group Policy](windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using System Center Configuration Manager](windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
####### [Onboard machines using Mobile Device Management tools](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
######## [Onboard machines using Microsoft Intune](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
####### [Onboard machines using a local script](windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md)
####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md)
###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md)
###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md)
###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
##### API for custom alerts
###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
####### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
####### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
####### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
####### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
####### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
####### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
####API and SIEM support
##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
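Review bot: the "Manage scans and remediation" group repeats, entry for entry, the "Customize, initiate, and review the results of scans and remediation" group just above it (the same configure-exclusions, configure-advanced-scan-types, configure-remediation, scheduled-catch-up-scans, run-scan, review-scan-results and windows-defender-offline pages), and "Manage next generation protection in your business" links the same five pages as "Manage antivirus in your business" with only the link text changed; unless both groups are meant to survive in the merged TOC, keep one of each pair so every page appears once under next generation protection. Two smaller points in the same region: `####API and SIEM support` has no space after the hashes and will not render as a heading where the neighbouring `#### Management and API support` does, and `mpcmdrun.exe commandline tool` versus `mpcmdrun.exe command line tool` should settle on one spelling.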
@ -97,264 +296,120 @@
###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
#######Actor
######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
#######Alerts
######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
######## [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
########Domain
######### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
#######File
######## [Block file](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
######## [Get FileActions collection](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
######## [Unblock file](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
##### Reporting
###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
#######IP
######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
#######Machines
######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
######## [Get FileMachineAction object](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
######## [Get FileMachineActions collection](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
######## [Get MachineAction object](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
######## [Get MachineActions collection](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
######## [Get package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
######## [Request sample](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
######## [Stop and quarantine file](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
##### Role-based access control
###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md)
######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
##### [Configure managed security service provider (MSSP) support](windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md)
#### Configure Microsoft threat protection integration
##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md)
##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md)
#######User
######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
######## [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
####Reporting
##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
#### [Configure Windows Defender Security Center settings](windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md)
##### General
###### [Update data retention settings](windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md)
###### [Configure alert notifications](windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md)
###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
###### [Enable Secure score security controls](windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md)
###### [Configure advanced features](windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md)
####Check service health and sensor state
##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
##### Permissions
###### [Use basic permissions to access the portal](windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md)
###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md)
######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
#####General
###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
#####Permissions
###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
#####APIs
###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### APIs
###### [Enable Threat intel](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
#####Rules
###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
#####Machine management
###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
###### [Onboarding machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md)
###### [Offboarding machines](windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md)
#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md)
#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp/troubleshoot-wdatp.md)
####Troubleshoot sensor state
##### [Check sensor state](windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
##### [Review sensor events and errors on machines with Event Viewer](windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md)
##### [Check service health](windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md)
#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
####Troubleshoot attack surface reduction
##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
##### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
## [Security intelligence](intelligence/index.md)
### [Understand malware & other threats](intelligence/understanding-malware.md)
#### [Prevent malware infection](intelligence/prevent-malware-infection.md)
#### [Malware names](intelligence/malware-naming.md)
#### [Coin miners](intelligence/coinminer-malware.md)
#### [Exploits and exploit kits](intelligence/exploits-malware.md)
#### [Macro malware](intelligence/macro-malware.md)
#### [Phishing](intelligence/phishing.md)
#### [Ransomware](intelligence/ransomware-malware.md)
#### [Rootkits](intelligence/rootkits-malware.md)
#### [Supply chain attacks](intelligence/supply-chain-malware.md)
#### [Tech support scams](intelligence/support-scams.md)
#### [Trojans](intelligence/trojans-malware.md)
#### [Unwanted software](intelligence/unwanted-software.md)
#### [Worms](intelligence/worms-malware.md)
### [How Microsoft identifies malware and PUA](intelligence/criteria.md)
### [Submit files for analysis](intelligence/submission-guide.md)
### [Safety Scanner download](intelligence/safety-scanner-download.md)
### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md)
#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md)
### [Information for developers](intelligence/developer-info.md)
#### [Software developer FAQ](intelligence/developer-faq.md)
#### [Software developer resources](intelligence/developer-resources.md)
## More Windows 10 security
## Other security features
### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md)
#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
#### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
#### [Device security](windows-defender-security-center\wdsc-device-security.md)
#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
#### [Family options](windows-defender-security-center\wdsc-family-options.md)
#### [Account protection](windows-defender-security-center/wdsc-account-protection.md)
#### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md)
#### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md)
#### [Device security](windows-defender-security-center/wdsc-device-security.md)
#### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md)
#### [Family options](windows-defender-security-center/wdsc-family-options.md)
### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
### [SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
#### [SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
#### [Set up and use SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
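Review bot: this hunk introduces duplicate TOC entries that should be collapsed to one copy each: "Manage Windows Security app in Windows 10 in S mode" is listed twice (once with the backslash path `windows-defender-security-center\wdsc-windows-10-in-s-mode.md`, once with the forward-slash path), the six entries from "Account protection" through "Family options" are listed twice in the same backslash/forward-slash pairing, and the SmartScreen section appears twice under two titles ("Windows Defender SmartScreen" and "SmartScreen") pointing at the same three files. Keep the forward-slash form; the hunk otherwise mixes `windows-defender-antivirus\...` backslash paths with `windows-defender-exploit-guard/...` forward-slash paths, and only the forward-slash form is portable. Two further points in the same hunk: "Troubleshoot next generation protection" links to `windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md` but is nested under the Windows Defender Application Guard section, and that file is already listed as "Review event logs and error codes to troubleshoot issues" under the antivirus section, so one of the two should go; and the consecutive headings "## More Windows 10 security" and "## Other security features" leave the first as an empty section with no link or children.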
@ -438,7 +493,7 @@
####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
####### [Event 4764 S: A groups type was changed.](auditing/event-4764.md)
####### [Event 4764 S: A group<EFBFBD>s type was changed.](auditing/event-4764.md)
####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
###### [Audit User Account Management](auditing/audit-user-account-management.md)
####### [Event 4720 S: A user account was created.](auditing/event-4720.md)
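Review bot: the Event 4764 entry in this hunk has a version whose title contains a U+FFFD replacement character (rendered as `<EFBFBD>`) where the apostrophe belongs, so the TOC would display a broken character; the entry should read `A group's type was changed.` with a plain ASCII apostrophe, matching the other entries in this block, and the file should be saved as UTF-8 so a typographic quote is not mangled again on the next edit.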

View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 04/19/2017
---

View File

@ -5,6 +5,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 07/25/2018
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 07/16/2018
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 07/16/2018
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 05/29/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

View File

@ -6,6 +6,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: Mir0sh
ms.date: 04/19/2017
---

Some files were not shown because too many files have changed in this diff.