diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md index b79f14ce2b..857b972b43 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md +++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md @@ -23,7 +23,7 @@ ms.sitesec: library You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md). -The information in this topic only covers HTTP protocol. We strongly recommend that you use HTTP protocol instead of file protocol due to increased performance. +The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance. **How Internet Explorer 11 looks for an updated site list** diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png index e386b956fc..14079ffd7c 100644 Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png and b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png differ diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png index dd547ed5f2..3c32b1af1a 100644 Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png and b/browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png differ diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 41c029dc92..90264579ae 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -23,8 +23,8 @@ ms.sitesec: library Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. -**Note**
-We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employee’s computers so if the centralized file location is unavailable, they can still use Enterprise Mode. +>[!NOTE] +>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. **To turn on Enterprise Mode using Group Policy** @@ -45,7 +45,7 @@ Turning this setting on also requires you to create and store a site list. For m ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) - - **HTTP location**: `"SiteList"="http://localhost:8080/sites.xml"` + - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` - **Local network:** `"SiteList"="\\network\shares\sites.xml"` diff --git a/windows/access-protection/access-control/microsoft-accounts.md b/windows/access-protection/access-control/microsoft-accounts.md index 4b54894c21..01efb97d0a 100644 --- a/windows/access-protection/access-control/microsoft-accounts.md +++ b/windows/access-protection/access-control/microsoft-accounts.md @@ -14,20 +14,12 @@ ms.pagetype: security This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. -Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password. +Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. -There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic. - -When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices. - -**Note**   -This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic. - -  +When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices. ## How a Microsoft account works - The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials. When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed. @@ -35,19 +27,17 @@ When users sign in to websites that are enabled to use a Microsoft account, a ti **Important**   Local Windows account functionality has not been removed, and it is still an option to use in managed environments. -  - ### How Microsoft accounts are created -To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped. +To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped. -Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise. +Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise. There are two methods for creating a Microsoft account: - **Use an existing email address**. - Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password. + Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords. - **Sign up for a Microsoft email address**. @@ -118,13 +108,46 @@ Depending on your IT and business models, introducing Microsoft accounts into yo ### Restrict the use of the Microsoft account -If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain. +The following Group Policy settings help control the use of Microsoft accounts in the enterprise: -The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can: +- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication) +- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts) -1. Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +#### Block all consumer Microsoft account user authentication -2. Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system. +This setting controls whether users can provide Microsoft accounts for authentication for applications or services. + +If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This applies both to existing users of a device and new users who may be added. + +However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. +It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. + +If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. +By default, this setting is **Disabled**. + +This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. + +The path to this setting is: + +Computer Configuration\Administrative Templates\Windows Components\Microsoft account + +#### Accounts: Block Microsoft accounts + +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. + +There are two options if this setting is enabled: + +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). +- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. + +This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services). + +By default, this setting is **Not defined**. + +The path to this setting is: + +Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options ### Configure connected accounts @@ -135,8 +158,6 @@ Users can disconnect a Microsoft account from their domain account at any time a **Note**   Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account. -  - ### Provision Microsoft accounts in the enterprise Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts. diff --git a/windows/access-protection/change-history-for-access-protection.md b/windows/access-protection/change-history-for-access-protection.md index 84f9f86663..98eb8cc435 100644 --- a/windows/access-protection/change-history-for-access-protection.md +++ b/windows/access-protection/change-history-for-access-protection.md @@ -11,6 +11,11 @@ author: brianlic-msft # Change history for access protection This topic lists new and updated topics in the [Access protection](index.md) documentation. +## August 2017 +|New or changed topic |Description | +|---------------------|------------| +|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.| + ## March 2017 |New or changed topic |Description | |---------------------|------------| diff --git a/windows/application-management/media/gpp-hklm.png b/windows/application-management/media/gpp-hklm.png new file mode 100644 index 0000000000..6e73a3b078 Binary files /dev/null and b/windows/application-management/media/gpp-hklm.png differ diff --git a/windows/application-management/media/gpp-per-user-services.png b/windows/application-management/media/gpp-per-user-services.png new file mode 100644 index 0000000000..6d2d181d93 Binary files /dev/null and b/windows/application-management/media/gpp-per-user-services.png differ diff --git a/windows/application-management/media/gpp-svc-disabled.png b/windows/application-management/media/gpp-svc-disabled.png new file mode 100644 index 0000000000..ba082cec1b Binary files /dev/null and b/windows/application-management/media/gpp-svc-disabled.png differ diff --git a/windows/application-management/media/gpp-svc-start.png b/windows/application-management/media/gpp-svc-start.png new file mode 100644 index 0000000000..6966b6453f Binary files /dev/null and b/windows/application-management/media/gpp-svc-start.png differ diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index b3a1073cd1..88844a4f78 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -1,6 +1,6 @@ --- -title: Per User services in Windows 10 and Windows Server 2016 -description: Learn about Per User services introduced in Windows 10. +title: Per-user services in Windows 10 and Windows Server 2016 +description: Learn about per-user services introduced in Windows 10. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,23 +10,23 @@ author: lizap ms.date: 08/11/2017 --- -# Per User services in Windows 10 and Windows Server 2016 +# Per-user services in Windows 10 and Windows Server 2016 -Per User services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. +Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. > [!NOTE] -> Per User services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services. +> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services. -You can't prevent Per User services from being created but you *can* "disable" them by configuring the template service, used in the creation of Per User services, to create these services in a stopped and disabled state. You do this by setting the template service's start value to "disabled." +You can't prevent per-user services from being created, but you can configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**. > [!IMPORTANT] -> If you change the template service's start value, make sure you carefully test that change prior to rolling it out in your production environment. Because this change requires editing the registry, there could be unforeseen consequences that you need to understand and accept. +> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. -Use the following information to understand Per User services, disable the template service start value, and manage Per User services through Group Policy and security templates. +Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates. ## Per User services -Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following Per User services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. +Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly. @@ -39,30 +39,30 @@ Before you disable any of these services, review the **Description** column in t | UserDataSvc | User Data Access | Manual | UnistoreSvc | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | | WpnUserService | Windows Push Notifications User Service | Manual | | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw. | -## Disable Per User services +## Disable per-user services -The template service isn't displayed in Services console (services.msc) so you need to edit the registry directly, either with Group Policy or a scripted solution, to disable a Per User service. +The template service isn't displayed in the Services console (services.msc) so you need to edit the registry directly, either with Group Policy or a scripted solution, to disable a per-user service. > [!NOTE] -> Remember, disabling a Per User service simply means that it is created in a stopped and disabled state. When the user signs out, the Per User service is removed. +> Disabling a per-user service simply means that it is created in a stopped and disabled state. When the user signs out, the per-user service is removed. -You can't manage all of the Per User service templates services using normal Group Policy management methods. Because the Per User services aren't displayed in the Services management console, they're also not displayed in the Group Policy Services policy editor UI. +You can't manage all of the per-user service templates services using normal Group Policy management methods. Because the per-user services aren't displayed in the Services management console, they're also not displayed in the Group Policy Services policy editor UI. -Additionally there are four template services that can't be managed with a security template: +Additionally, there are four template services that can't be managed with a security template: - PimIndexMaintenanceSvc - UnistoreSvc - UserDataSvc - WpnUserService -In light of these restrictions, you can use the following methods to manage Per User services template services: +In light of these restrictions, you can use the following methods to manage per-user services template services: -- A combination of a security template and a script or Group Policy preference registry policy -- Group Policy preference for all of the services +- A combination of a security template and a script or Group Policy preferences registry policy +- Group Policy preferences for all of the services - A script for all of the services ### Manage template services using a security template -You can manage the CDPUserSvc and OneSyncSvc Per User services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. +You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. device-security/security-policy-settings/administer-security-policy-settings @@ -78,13 +78,31 @@ Revision=1 "CDPUserSVC".4,"" ``` +### Manage template services using Group Policy preferences + +If a per-user services can't be disabled using a the security template, you can disable it by using Group Policy preferences. + +1. On Windows Server domaion controller or Windows 10 computer that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/en-us/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC and press **Enter** to open the **Group Policy Management Console**. +2. Create a new Group Policy object (GPO) or use an existing GPO. +3. Right-click the GPO and click **Edit** to launch the Group Policy object Editor. +4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry. +5. Right-click Registry > New > Registry Item. + ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) +6. Make sure that HKEY_Local_Machine is selected for Hive and then click the ellipses button next to the Key Path field. + ![Choose HKLM](media/gpp-hklm.png) +7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. + ![Select Start](media/gpp-svc-start.png) +8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. + ![Startup Type is Disabled](media/gpp-svc-disabled.png) +9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. + ### Manage template services by modifying the Windows image -If you're using custom images to deploy Windows, you can modify the Start value for the template services as part of the normal imaging process. +If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process. -### Use a script to manage Per User services +### Use a script to manage per-user services -You can create a script to change the start setting for the Per User services. Then use Group Policy or another management solution to deploy the script in your environment. +You can create a script to change the Startup Type for the per-user services. Then use Group Policy or another management solution to deploy the script in your environment. Sample script using [sc.exe](https://technet.microsoft.com/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396): @@ -99,11 +117,11 @@ Sample script using the [Set-Service PowerShell cmdlet](https://technet.microsof Set-Service -StartupType Disabled ``` -## View Per User services in the Services console (services.msc) +## View per-user services in the Services console (services.msc) -As mentioned you can't view the template services in the Services console, but you can see the user-specific Per User services - they are displayed using the _LUID format (where LUID is the locally unique identifier). +As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the _LUID format (where LUID is the locally unique identifier). -For example, you might see the following Per User services listed in the Services console: +For example, you might see the following per-user services listed in the Services console: - CPDUserSVC_443f50 - ContactData_443f50 diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index c1c33e5921..45e1aa1d54 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -178,6 +178,9 @@ The following diagram shows the DevDetail configuration service provider managem **DeviceHardwareData**

Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. +> [!Note] +> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information. +

Supported operation is Get. ## Related topics diff --git a/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png new file mode 100644 index 0000000000..0f9dc0d872 Binary files /dev/null and b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png differ diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 4a733d2da7..1dbb44551e 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/11/2017 --- # Mobile device enrollment @@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au > - Any fixed URIs that are passed during enrollment > - Specific formatting of any value unless otherwise noted, such as the format of the device ID. + +## Enrollment support for domain-joined devices   +Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. -## Prevent MDM enrollments +## Disable MDM enrollments -Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy: +Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. + +![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png) + +Here is the corresponding registry key: Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM Value: DisableRegistration -Using the GP editor, the path is Computer configuration > Administrative Templates > Windows Components > MDM > Disable MDM Enrollment. - ## Enrollment scenarios not supported - The following scenarios do not allow MDM enrollments: - Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. +- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM. - Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed. ## Enrollment migration diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index faf1bef99e..7d908c4910 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,11 +10,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/10/2017 +ms.date: 08/11/2017 --- # What's new in MDM enrollment and management + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -1327,6 +1328,17 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware +[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md) +

Added new step-by-step guide to enable ADMX-backed policies.

+ + +[Mobile device enrollment](mobile-device-enrollment.md) +

Added the following statement:

+
    +
  • Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
    • +
+ + [CM\_CellularEntries CSP](cm-cellularentries-csp.md)

Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md index 6030e8a054..cb46edf710 100644 --- a/windows/device-security/change-history-for-device-security.md +++ b/windows/device-security/change-history-for-device-security.md @@ -14,14 +14,14 @@ This topic lists new and updated topics in the [Device security](index.md) docum ## August 2017 |New or changed topic |Description | |---------------------|------------| - | [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. | - +| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. | +| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description | ## July 2017 |New or changed topic |Description | |---------------------|------------| - | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | +| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | ## May 2017 diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md index cc479c5bc2..b2a0c2025c 100644 --- a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md @@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside ## Reference -This policy setting prevents users from adding new Microsoft accounts on a device. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. -If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store. +There are two options if this setting is enabled: -If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system. +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). + +- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. @@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st ### Best practices - By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. -- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts. ### Location diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index fd9171827c..f482e0b44e 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -147,6 +147,13 @@ ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) +##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md) +###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md) +###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md) +###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md) +###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md) +###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md) + ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 885e4d9279..a98bb34278 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md @@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows |[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| +|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.| |[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| |[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md new file mode 100644 index 0000000000..d755f805cf --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -0,0 +1,44 @@ +--- +title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Configure Windows Defender Application Guard policy settings + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. + +Application Guard uses both network isolation and application-specific settings. + +### Network isolation settings +These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. + +>[!NOTE] +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. + + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| + +### Application-specific settings +These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. + +|Name|Supported versions|Description|Options| +|-----------|------------------|-----------|-------| +|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
  • Disable the clipboard functionality completely when Virtualization Security is enabled.
  • Enable copying of certain content from Application Guard into Microsoft Edge.
  • Enable copying of certain content from Microsoft Edge into Application Guard.

    **Important**
    Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
  • Enable Application Guard to print into the XPS format.
  • Enable Application Guard to print into the PDF format.
  • Enable Application Guard to print to locally attached printers.
  • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.| +|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
| +|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| + diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md new file mode 100644 index 0000000000..9590883c59 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -0,0 +1,42 @@ +--- +title: Frequently asked questions - Windows Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Frequently asked questions - Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. + +## Frequently Asked Questions + +| | | +|---|----------------------------| +|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| +|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +
+ +| | | +|---|----------------------------| +|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| +|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.| +
+ +| | | +|---|----------------------------| +|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| +|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| +
+ +| | | +|---|----------------------------| +|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| +|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png new file mode 100644 index 0000000000..6f2bb5afcf Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png new file mode 100644 index 0000000000..f1391f862c Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png new file mode 100644 index 0000000000..e0bedcd7cd Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png new file mode 100644 index 0000000000..357be9c65b Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png new file mode 100644 index 0000000000..25c22912a5 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png new file mode 100644 index 0000000000..48aa702feb Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png new file mode 100644 index 0000000000..56acb4be53 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png new file mode 100644 index 0000000000..c5e7982909 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png new file mode 100644 index 0000000000..01f4eb6359 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png new file mode 100644 index 0000000000..3fe617b8ed Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png new file mode 100644 index 0000000000..a946325c66 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png new file mode 100644 index 0000000000..877b707030 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png new file mode 100644 index 0000000000..5172022256 Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png differ diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md new file mode 100644 index 0000000000..35440f46f5 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -0,0 +1,54 @@ +--- +title: Prepare and install Windows Defender Application Guard (Windows 10) +description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Prepare and install Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +## Prepare to install Windows Defender Application Guard +Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. + +- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. + +- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. + +The following diagram shows the flow between the host PC and the isolated container. +![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png) + +## Install Application Guard +Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. + +**To install by using the Control Panel** +1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**. + + ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png) + +2. Select the check box next to **Windows Defender Application Guard** and then click **OK**. + + Application Guard and its underlying dependencies are all installed. + +**To install by using PowerShell** +1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**. + +2. Right-click **Windows PowerShell**, and then click **Run as administrator**. + + Windows PowerShell opens with administrator credentials. + +3. Type the following command: + + ``` + Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard + ``` +4. Restart the device. + + Application Guard and its underlying dependencies are all installed. + diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md new file mode 100644 index 0000000000..70a3c9c370 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -0,0 +1,35 @@ +--- +title: System requirements for Windows Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Windows Defender Application Guard. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# System requirements for Windows Defender Application Guard + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. + +## Hardware requirements +Your environment needs the following hardware to run Application Guard. + +|Hardware|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**-AND-**

One of the following virtualization extensions for VBS:

VT-x (Intel)

**-OR-**

AMD-V| +|Hardware memory|4 GB minimum, 8 GB recommended| + +## Software requirements +Your environment needs the following hardware to run Application Guard. + +|Software|Description| +|--------|-----------| +|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)| +|Browser|Microsoft Edge and Internet Explorer| +|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

**-OR-**

[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

**-OR-**

[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md new file mode 100644 index 0000000000..2f4e2d3e77 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -0,0 +1,157 @@ +--- +title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10) +description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Testing scenarios using Windows Defender Application Guard in your business or organization + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. + +## Application Guard in standalone mode +You can see how an employee would use standalone mode with Application Guard. + +**To test Application Guard in Standalone mode** + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. + + ![New Application Guard window setting option](images/appguard-new-window.png) + +4. Wait for Application Guard to set up the isolated environment. + + >[!NOTE] + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + +5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. + + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +## Application Guard in Enterprise-managed mode +How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. + +### Install, set up, and turn on Application Guard +Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings. + +1. Download the latest Windows Insider Program build (15257 or later). + +2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide. + +3. Restart the device and then start Microsoft Edge. + +4. Set up the Network Isolation settings in Group Policy: + + a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. + + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + + c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + + ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + + d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + + e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + + ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + +5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting. + +6. Click **Enabled**. + + ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + + >[!NOTE] + >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + +7. Start Microsoft Edge and type _www.microsoft.com_. + + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. + + ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) + +8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. + + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. + + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + +### Customize Application Guard +Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees. + +Application Guard provides the following default behavior for your employees: + +- No copying and pasting between the host PC and the isolated container. + +- No printing from the isolated container. + +- No data persistence from one isolated container to another isolated container. + +You have the option to change each of these settings to work with your enterprise from within Group Policy. + +**To change the copy and paste options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled**. + + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) + +3. Choose how the clipboard works: + + - Copy and paste from the isolated session to the host PC + + - Copy and paste from the host PC to the isolated session + + - Copy and paste both directions + +4. Choose what can be copied: + + - **1.** Only text can be copied between the host PC and the isolated container. + + - **2.** Only images can be copied between the host PC and the isolated container. + + - **3.** Both text and images can be copied between the host PC and the isolated container. + +5. Click **OK**. + +**To change the print options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled**. + + ![Group Policy editor Print options](images/appguard-gp-print.png) + +3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing. + +4. Click **OK**. + +**To change the data persistence options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) + +3. Open Microsoft Edge and browse to an untrusted, but safe URL. + + The website opens in the isolated session. + +4. Add the site to your **Favorites** list and then close the isolated session. + +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + + The previously added site should still appear in your **Favorites** list. + + >[!NOTE] + >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md new file mode 100644 index 0000000000..54ee20cd47 --- /dev/null +++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -0,0 +1,45 @@ +--- +title: Windows Defender Application Guard (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Windows Defender Application Guard overview + +**Applies to:** +- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later) + +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. + +Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. + + +## What is Application Guard and how does it work? +Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. + +If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. + +![Hardware isolation diagram](images/appguard-hardware-isolation.png) + +### What types of devices should use Application Guard? +Application Guard has been created to target 3 types of enterprise systems: + +- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. + +- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. + +- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. + +## In this section +|Topic |Description | +|------|------------| +|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. | +|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. | +|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| +|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.| +|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| \ No newline at end of file diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 16465baf1b..25be0c5cdc 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with ### Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|