deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 23:33:35 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into MTE_premiereEOD

Browse Source
This commit is contained in:
Dolcita Montemayor
2020-05-29 09:43:23 -07:00
parent 57c1056fa1 9d01da6940
commit abeea20b05
124 changed files with 3617 additions and 1084 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
```powershell
# Script to find out if machine is Device Guard compliant
# requires driver verifier on system.
# Script to find out if a machine is Device Guard compliant.
# The script requires a driver verifier present on the system.
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
$path = "C:\DGLogs\"
@ -36,7 +38,7 @@ $DGVerifySuccess = New-Object System.Text.StringBuilder
$Sys32Path = "$env:windir\system32"
$DriverPath = "$env:windir\system32\drivers"
#generated by certutil -encode
#generated by certutil -encode
$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
@ -114,7 +116,7 @@ function LogAndConsoleSuccess($message)
function LogAndConsoleError($message)
{
Write-Host $message -foregroundcolor "Red"
Write-Host $message -foregroundcolor "Red"
Log $message
}
@ -132,16 +134,16 @@ function IsExempted([System.IO.FileInfo] $item)
Log $cert.ToString()
return 0
}
}
}
function CheckExemption($_ModName)
{
$mod1 = Get-ChildItem $Sys32Path $_ModName
$mod2 = Get-ChildItem $DriverPath $_ModName
if($mod1)
{
{
Log "NonDriver module" + $mod1.FullName
return IsExempted($mod1)
return IsExempted($mod1)
}
elseif($mod2)
{
@ -184,15 +186,15 @@ function CheckFailedDriver($_ModName, $CIStats)
}
if($Result.Contains("PASS"))
{
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
}
elseif($FailingStat.Trim().Contains("execute-write"))
{
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
}
else
{
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
}
Log "Result: " $Result
}
@ -204,7 +206,7 @@ function ListCIStats($_ModName, $str1)
{
Log "String := " $str1
Log "Warning! CI Stats are missing for " $_ModName
return
return
}
$temp_str1 = $str1.Substring($i1)
$CIStats = $temp_str1.Substring(0).Trim()
@ -245,7 +247,7 @@ function ListDrivers($str)
}
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
LogAndConsole $DriverScanCompletedMessage
LogAndConsole $DriverScanCompletedMessage
if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
{
@ -254,7 +256,7 @@ function ListDrivers($str)
{
LogAndConsoleError $WarningMessage
}
else
else
{
LogAndConsoleWarning $WarningMessage
}
@ -321,7 +323,7 @@ function ListSummary()
}
else
{
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
if(!$HVCI -and !$DG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
@ -336,56 +338,56 @@ function ListSummary()
function Instantiate-Kernel32 {
try
try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class Kernel32
{
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary(
[MarshalAs(UnmanagedType.LPStr)]string lpFileName);
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(
IntPtr hModule,
string procName);
}
"@
}
catch
{
Log $_.Exception.Message
Log $_.Exception.Message
LogAndConsole "Instantiate-Kernel32 failed"
}
}
function Instantiate-HSTI {
try
try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
public static class HstiTest3
{
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
public static extern int QueryHSTIdetails(
ref HstiOverallError pHstiOverallError,
public static extern int QueryHSTIdetails(
ref HstiOverallError pHstiOverallError,
[In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
ref uint pHstiProviderErrorsCount,
byte[] hstiPlatformSecurityBlob,
ref uint pHstiPlatformSecurityBlobBytes);
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
public static extern int QueryHSTI(ref bool Pass);
public static extern int QueryHSTI(ref bool Pass);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct HstiProviderErrorDuple
{
@ -397,7 +399,7 @@ function Instantiate-HSTI {
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
internal string ErrorString;
}
[FlagsAttribute]
public enum HstiProviderErrors : int
{
@ -425,8 +427,8 @@ function Instantiate-HSTI {
BlobVersionMismatch = 0x00000080,
PlatformSecurityVersionMismatch = 0x00000100,
ProviderError = 0x00000200
}
}
}
"@
@ -434,9 +436,9 @@ function Instantiate-HSTI {
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
if ([System.IntPtr]::Size -eq 8)
if ([System.IntPtr]::Size -eq 8)
{
#assuming 64 bit
#assuming 64 bit
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
}
@ -450,7 +452,7 @@ function Instantiate-HSTI {
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
[byte[]]$blob = New-Object byte[] $blobByteSize
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
$string = $null
$blob | foreach { $string = $string + $_.ToString("X2")+"," }
@ -479,7 +481,7 @@ function Instantiate-HSTI {
LogAndConsoleError $ErrorMessage
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
}
else
else
{
LogAndConsoleWarning $ErrorMessage
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
@ -487,9 +489,9 @@ function Instantiate-HSTI {
}
}
catch
catch
{
LogAndConsoleError $_.Exception.Message
LogAndConsoleError $_.Exception.Message
LogAndConsoleError "Instantiate-HSTI failed"
}
}
@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd)
$CmdOutput = Invoke-Expression $_cmd | Out-String
Log "Output: $CmdOutput"
}
catch
catch
{
Log "Exception while exectuing $_cmd"
Log $_.Exception.Message
Log $_.Exception.Message
}
@ -676,7 +678,7 @@ function CheckDriverCompat
verifier.exe /flags 0x02000000 /all /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system"
Log $verifier_state
Log $verifier_state
LogAndConsole "Please re-execute this script after reboot...."
if($AutoReboot)
{
@ -692,7 +694,7 @@ function CheckDriverCompat
else
{
LogAndConsole "Driver verifier already enabled"
Log $verifier_state
Log $verifier_state
ListDrivers($verifier_state.Trim().ToLowerInvariant())
}
}
@ -700,23 +702,23 @@ function IsDomainController
{
$_isDC = 0
$CompConfig = Get-WmiObject Win32_ComputerSystem
foreach ($ObjItem in $CompConfig)
foreach ($ObjItem in $CompConfig)
{
$Role = $ObjItem.DomainRole
Log "Role=$Role"
Switch ($Role)
Switch ($Role)
{
0 { Log "Standalone Workstation" }
1 { Log "Member Workstation" }
2 { Log "Standalone Server" }
3 { Log "Member Server" }
4
4
{
Log "Backup Domain Controller"
$_isDC=1
break
}
5
5
{
Log "Primary Domain Controller"
$_isDC=1
@ -735,7 +737,7 @@ function CheckOSSKU
Log "OSNAME:$osname"
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
$HLKAllowed = @("microsoft windows 10 pro")
foreach ($SKUent in $SKUarray)
foreach ($SKUent in $SKUarray)
{
if($osname.ToString().Contains($SKUent.ToLower()))
{
@ -762,7 +764,7 @@ function CheckOSSKU
}
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
}
else
else
{
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
@ -773,14 +775,14 @@ function CheckOSSKU
function CheckOSArchitecture
{
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
Log $OSArch
if($OSArch.Contains("64-bit"))
Log $OSArch
if($OSArch -match ("^64\-?\s?bit"))
{
LogAndConsoleSuccess "64 bit archictecture"
LogAndConsoleSuccess "64 bit architecture"
}
elseif($OSArch.Contains("32-bit"))
elseif($OSArch -match ("^32\-?\s?bit"))
{
LogAndConsoleError "32 bit archictecture"
LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
}
else
@ -878,7 +880,7 @@ function CheckTPM
function CheckSecureMOR
{
$isSecureMOR = CheckDGFeatures(4)
Log "isSecureMOR= $isSecureMOR "
Log "isSecureMOR= $isSecureMOR "
if($isSecureMOR -eq 1)
{
LogAndConsoleSuccess "Secure MOR is available"
@ -904,7 +906,7 @@ function CheckSecureMOR
function CheckNXProtection
{
$isNXProtected = CheckDGFeatures(5)
Log "isNXProtected= $isNXProtected "
Log "isNXProtected= $isNXProtected "
if($isNXProtected -eq 1)
{
LogAndConsoleSuccess "NX Protector is available"
@ -921,7 +923,7 @@ function CheckNXProtection
function CheckSMMProtection
{
$isSMMMitigated = CheckDGFeatures(6)
Log "isSMMMitigated= $isSMMMitigated "
Log "isSMMMitigated= $isSMMMitigated "
if($isSMMMitigated -eq 1)
{
LogAndConsoleSuccess "SMM Mitigation is available"
@ -938,15 +940,15 @@ function CheckSMMProtection
function CheckHSTI
{
LogAndConsole "Copying HSTITest.dll"
try
try
{
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
}
catch
catch
{
LogAndConsole $_.Exception.Message
LogAndConsole $_.Exception.Message
LogAndConsole "Copying and loading HSTITest.dll failed"
}
@ -959,7 +961,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a
}
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if(!$TestForAdmin)
{
@ -1065,7 +1067,7 @@ if($Ready)
{
Log "_CGState: $_CGState"
PrintCGDetails $_CGState
if($_CGState)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
@ -1077,28 +1079,28 @@ if($Ready)
}
elseif($DG)
{
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
PrintConfigCIDetails $_ConfigCIState
if($_ConfigCIState -and $_HVCIState)
{
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
}
else
{
LogAndConsoleWarning "Not all services are running."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
}
}
else
else
{
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintCGDetails $_CGState
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
@ -1147,7 +1149,7 @@ if($Enable)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
}
else
else
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
@ -1158,8 +1160,8 @@ if($Enable)
{
if(!$HVCI -and !$CG)
{
if(!$SIPolicyPath)
{
if(!$SIPolicyPath)
{
Log "Writing Decoded SIPolicy.p7b"
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
@ -1182,7 +1184,7 @@ if($Enable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately
#Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
@ -1251,7 +1253,7 @@ if($Disable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately
#Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@ -1270,7 +1272,7 @@ if($Disable)
}
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
Log "FreeDrive=$FreeDrive"
@ -1314,7 +1316,7 @@ if($Capable)
}
$_StepCount = 1
if(!$CG)
{
{
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
$_StepCount++
CheckDriverCompat
@ -1323,15 +1325,15 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
$_StepCount++
CheckSecureBootState
if(!$HVCI -and !$DG -and !$CG)
{
{
#check only if sub-options are absent
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
$_StepCount++
CheckHSTI
}
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
$_StepCount++
CheckOSArchitecture
@ -1345,11 +1347,11 @@ if($Capable)
CheckVirtualization
if(!$HVCI -and !$DG)
{
{
LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
$_StepCount++
CheckTPM
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
$_StepCount++
CheckSecureMOR
@ -1358,11 +1360,11 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
$_StepCount++
CheckNXProtection
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
$_StepCount++
CheckSMMProtection
LogAndConsole " ====================== End Check ====================== "
LogAndConsole " ====================== Summary ====================== "
@ -1371,7 +1373,6 @@ if($Capable)
}
# SIG # Begin signature block
## REPLACE
# SIG # End signature block

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store.

4
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -145,8 +145,8 @@ This table provides info about the most common problems you might encounter whil
> [!NOTE]
> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
> [!NOTE]
> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**.
> [!NOTE]
> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

2
windows/security/threat-protection/auditing/event-4624.md
View File

@ -230,7 +230,7 @@ This event generates when a logon session is created (on destination machine). I
**Network Information:**
- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
- **Workstation Name** \[Type = UnicodeString\]**:** machine name to which logon attempt was performed.
- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.

2
windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
View File

@ -76,7 +76,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
* URL - wildcard supported
* Command line - wildcard supported
3. Select the **Trigerring IOC**.
3. Select the **Triggering IOC**.
4. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs. <br><br> Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.

2
windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
View File

@ -40,7 +40,7 @@ For more information about onboarding methods, see the following articles:
- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
## On-premise machines
## On-premises machines
- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)

3
windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
View File

@ -144,6 +144,9 @@ Appendix section in this document for the URLs Whitelisting or on
[Microsoft
Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
> [!NOTE]
> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus).
**Manual static proxy configuration:**
- Registry based configuration

2
windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
View File

@ -82,7 +82,7 @@ When a local setting is greyed out, it indicates that a GPO currently controls t
### Command-line tools
This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevalution /?** at the command prompt.
This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevaluation /?** at the command prompt.
## Security considerations

5
windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/27/2019
ms.date: 05/29/2020
---
# Domain member: Maximum machine account password age
@ -42,8 +42,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
### Best practices
1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days.
We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
### Location

12
windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/14/2019
ms.date: 05/29/2020
---
# Manage Packaged Apps with Windows Defender Application Control
@ -65,8 +65,10 @@ Below are the list of steps you can follow to block one or more packaged apps in
1. Get the app identifier for an installed package
```powershell
$package = Get-AppxPackage -name <example_app>
$package = Get-AppxPackage -name *<example_app>*
```
Where the name of the app is surrounded by asterisks, for example &ast;windowsstore&ast;
2. Make a rule by using the New-CIPolicyRule cmdlet
```powershell
@ -119,9 +121,9 @@ If the app you intend to block is not installed on the system you are using the
3. Copy the GUID in the URL for the app
- Example: the GUID for the Microsoft To-Do app is 9nblggh5r558
- https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab
- `https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab`
4. Use the GUID in the following REST query URL to retrieve the identifiers for the app
- Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata
- Example: for the Microsoft To-Do app, the URL would be `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata`
- The URL will return:
```
@ -141,4 +143,4 @@ The method for allowing specific packaged apps is similar to the method outlined
$Rule = New-CIPolicyRule -Package $package -allow
```
Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.
Since a lot of system apps are packaged apps, it is generally advised that customers rely on the sample policies in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` to help allow all inbox apps by the Store signature already included in the policies and control apps with deny rules.

12
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
ms.date: 04/15/2020
ms.date: 05/26/2020
ms.custom: asr
---
@ -43,12 +43,12 @@ Windows 10 includes two technologies that can be used for application control de
## In this section
| Topic | Description |
| - | - |
| [WDAC and AppLocker Overview](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
| [WDAC and AppLocker Feature Availability](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
| Article | Description |
| --- | --- |
| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
## See also
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)

8
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 10/17/2017
ms.date: 05/27/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -53,9 +53,9 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>-Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<br/><br/>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.<br><br>**Note**<br>Network printers must be published by Active Directory to work in Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.<br><br>**Note**<br>This policy is no longer supported in the 2004 update and later.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Windows Defender Application Guard only for Microsoft Edge<br/>- Enable Windows Defender Application Guard only for Microsoft Office<br/>- Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|

1
windows/security/threat-protection/windows-security-baselines.md
View File

@ -22,6 +22,7 @@ ms.reviewer:
- Windows 10
- Windows Server
- Microsoft 365 Apps for enterprise
- Microsoft Edge
## Using security baselines in your organization