mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'WDAC-Docs' of https://github.com/jsuther1974/windows-docs-pr into WDAC-Docs
This commit is contained in:
commit
b2f55c1dc7
@ -2,23 +2,23 @@
title: Access Control Overview (Windows 10)
description: Access Control Overview
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/18/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
---

# Access Control Overview

**Applies to**
- Windows 10
- Windows Server 2016

This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.

## <a href="" id="bkmk-over"></a>Feature description
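Review bot: ms.date stays at 07/18/2017 while author, ms.author and manager are all replaced and ms.reviewer: sulahiri is added; if the docs pipeline uses ms.date as the freshness signal for the new owner, decide explicitly whether a metadata-only ownership change should bump it, and apply the same rule to the other pages in this commit.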
@ -2,25 +2,26 @@
title: Local Accounts (Windows 10)
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 06/17/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Local Accounts

**Applies to**
- Windows 11
- Windows 10
- Windows Server 2019
- Windows Server 2016

This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.

## <a href="" id="about-local-user-accounts-"></a>About local user accounts
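Review bot: the appliesto frontmatter lists Windows Server 2022, but the in-body **Applies to** list in the same hunk (Windows 11, Windows 10, Windows Server 2019, Windows Server 2016) does not; either add `- Windows Server 2022` to the body list or drop the body list so the two cannot drift apart again.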
@ -116,13 +117,13 @@ In addition, the guest user in the Guest account shouldn't be able to view the e

The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.

HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the users invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.

**Security considerations**

The SIDs that pertain to the default HelpAssistant account include:

- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services are called Terminal Services.
- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.

- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
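Review bot: `S-1-5-<domain>-13` and `S-1-5-<domain>-14` carry a bare `<domain>` placeholder, which Markdown renderers may parse as an HTML tag and swallow, leaving a reader with `S-1-5--13`; since the first bullet is already being edited, wrap both SIDs in backticks or escape the placeholder as `&lt;domain&gt;`. The "user's" apostrophe and the "Remote Desktop Services is called" agreement fixes are correct as written.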
@ -1,15 +1,17 @@
---
title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
ms.reviewer:
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
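Review bot: the empty `ms.reviewer:` key on line 4 of this frontmatter is left as is while the Credential Guard pages in the same commit get a named reviewer; either name one here or remove the empty key so the metadata stays consistent across the set.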
@ -25,7 +27,7 @@ S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an

Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.

Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email.
Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate is not available, the app will prompt you to remove these recipients before sending the email.

## About digital signatures
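Review bot: the "recipient(s) ... certificate are" to "recipients ... certificate is" fix is good, but the unchanged context line just above still reads "Users can send encrypted message to people" and "users using Windows Mail app"; suggest "encrypted messages" and "users of the Windows Mail app" in the same pass, since the paragraph is already being touched.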
@ -80,7 +82,7 @@ When you receive an encrypted message, the mail app will check whether there is

## Install certificates from a received message

When you receive a signed email, the app provide feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.
When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.

1. Open a signed email.
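Review bot: "the app provides a feature to install corresponding encryption certificate" still drops an article; suggest "provides a feature to install the corresponding encryption certificate" so the sentence is fully corrected rather than half-corrected.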
@ -89,4 +91,4 @@ When you receive a signed email, the app provide feature to install correspondin
3. Tap **Install.**

:::image type="content" alt-text="message security information." source="images/installcert.png":::
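Review bot: no textual change is visible in this hunk (the `3. Tap **Install.**` and image lines are identical on both sides), so it is presumably a whitespace or line-ending change; if that is intended, fine, but while here move the period outside the bold markers (`**Install**.`) so only the UI label is emphasized.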
@ -3,13 +3,13 @@ title: Additional mitigations
description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.reviewer:
---

# Additional mitigations
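Review bot: this frontmatter now has two `ms.reviewer` keys, the added `ms.reviewer: erikdau` after `ms.author` and the pre-existing empty `ms.reviewer:` just above `---`; duplicate mapping keys are invalid YAML, and parsers that tolerate them usually keep the last value, which here would blank the reviewer out again. Delete the trailing empty `ms.reviewer:` line.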
@ -18,7 +18,7 @@ Windows Defender Credential Guard can provide mitigation against attacks on deri

## Restricting domain users to specific domain-joined devices

Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.

### Kerberos armoring
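Review bot: "sign on with devices" reads better than "using devices", agreed; in the same paragraph, "If a user can sign on to multiple devices then any device could be used" wants a comma before "then", and the rhetorical question plus sentence-fragment answer ("How do you ensure ...? By deploying ...") could be one declarative sentence, which is the register the rest of the section uses.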
@ -32,7 +32,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,

### Protecting domain-joined device secrets

Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on to devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.

Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
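Review bot: "sign on to devices" is the right fix, but the next sentence in the same paragraph, "This prevents shared secrets stolen from the device to be used with stolen user credentials", is still ungrammatical; suggest "prevents shared secrets stolen from the device from being used with stolen user credentials".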
@ -96,13 +96,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
```

### Restricting user sign on
### Restricting user sign-on

So we now have completed the following:

- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.

Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
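Review bot: the third bullet still bundles two sentences that are not part of the list ("Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.") into the list item; move them to a paragraph after the list so the three bullets stay parallel. Separately, the script line in the context above uses en dashes (`–IssuancePolicyName`, `–groupOU`) and a curly closing quote (`”<name of Universal security group to create>"`); PowerShell's tokenizer accepts those variants, but straight `-` and `"` survive copy-paste into other shells and editors, so normalize them while the section is open.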
@ -3,23 +3,23 @@ title: Advice while using Windows Defender Credential Guard (Windows)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/31/2017
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Considerations when using Windows Defender Credential Guard

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019

Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.

Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported.
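Review bot: two problems in this frontmatter hunk. First, `ms.reviewer: erikdau` is added but the old empty `ms.reviewer:` below `ms.date` is kept, so the mapping has a duplicate key and a last-wins parser would end up with no reviewer; remove the empty one. Second, appliesto now includes Windows Server 2022 while the in-body **Applies to** list stops at Windows Server 2019; add the 2022 entry or remove the body list.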
@ -80,8 +80,8 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a
|Credential Type | Windows version | Behavior
|---|---|---|
| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
| Password | Windows 10 v1709 or later | If the user signed in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
| Password | Windows 10 v1703 | If the user signed in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.

Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
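Review bot: the change fixes "signed-in" to "signed in" but leaves "they can sign-in with password" and "they can sign-in with that password" in the same two cells, so each row still hyphenates the verb once; change those to "sign in with a password" / "sign in with that password". Also, the header row and the three Password rows lack the closing `|` that the Certificate row has; most renderers cope, but aligning the rows avoids surprises in stricter Markdown pipelines.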
@ -3,24 +3,23 @@ title: How Windows Defender Credential Guard works
description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# How Windows Defender Credential Guard works

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019


Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
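Review bot: the empty `ms.reviewer:` under `ms.date` should go now that `ms.reviewer: erikdau` exists, otherwise the frontmatter carries a duplicate key. The body **Applies to** list also omits Windows Server 2022, which the appliesto block in this same hunk includes, and there is a stray double blank line between that list and the "Kerberos, NTLM, and Credential manager" paragraph.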
@ -3,24 +3,22 @@ title: Windows Defender Credential Guard - Known issues (Windows)
description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 01/26/2022
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Windows Defender Credential Guard: Known issues

**Applies to**

- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019

Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).

The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
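Review bot: same duplicate-key issue as the other Credential Guard pages in this commit: `ms.reviewer: erikdau` is added while the empty `ms.reviewer:` after `ms.date` remains, so drop the empty line. The body **Applies to** list is also missing Windows Server 2022 even though appliesto in this hunk lists it.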
@ -3,9 +3,10 @@ title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: v-tappelgate
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
@ -13,17 +14,14 @@ ms.topic: article
ms.custom:
- CI 120967
- CSSTroubleshooting
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Manage Windows Defender Credential Guard

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022

## Enable Windows Defender Credential Guard

Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
@ -3,23 +3,23 @@ title: Windows Defender Credential Guard protection limits & mitigations (Window
description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Windows Defender Credential Guard protection limits and mitigations

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019

Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Windows Defender Credential Guard video series.
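Review bot: remove the empty `ms.reviewer:` left under `ms.date` now that `ms.reviewer: erikdau` is set above it, and add Windows Server 2022 to the body **Applies to** list to match the appliesto block in this hunk. The unchanged mva.microsoft.com link in the context below is the only external reference on the page; worth confirming it still resolves before this ships, since the ownership change is a natural moment to retire dead links.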
@ -123,13 +123,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
```

#### Restricting user sign on
#### Restricting user sign-on

So we now have completed the following:

- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.

Authentication policies have the following requirements:
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
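Review bot: this section duplicates the "Restricting user sign-on" section of the Additional mitigations page word for word (same script line, same three bullets), so any wording fix landed there needs to land here as well; if the two pages must stay in sync, an include would be safer than parallel edits. In this copy too, the trailing "Now what is left to do ... This is done using authentication policies." belongs in a paragraph after the list rather than inside the third bullet.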
@ -3,23 +3,22 @@ title: Windows Defender Credential Guard protection limits (Windows)
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Windows Defender Credential Guard protection limits

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019

Some ways to store credentials are not protected by Windows Defender Credential Guard, including:

- Software that manages credentials outside of Windows feature protection
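Review bot: duplicate `ms.reviewer` key again (named one added, empty one under `ms.date` kept); delete the empty line. The body **Applies to** list stops at Windows Server 2019 while appliesto in the same hunk lists Windows Server 2022; reconcile the two.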
@ -3,25 +3,25 @@ title: Windows Defender Credential Guard Requirements (Windows)
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.date: 12/27/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Windows Defender Credential Guard: Requirements

## Applies to

- Windows 11
- Windows 10
- Windows Server 2019
- Windows Server 2016

For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).

## Hardware and software requirements
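Review bot: this page's frontmatter is clean (one `ms.reviewer`, no empty duplicate), but the body renders "Applies to" as an H2 (`## Applies to`) where the sibling pages in this commit use `**Applies to**`, which puts a spurious "Applies to" entry in the page's table of contents; and that list again omits Windows Server 2022 while appliesto includes it.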
@ -3,18 +3,17 @@ title: Scripts for Certificate Issuance Policies in Windows Defender Credential
description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
ms.prod: m365-security
ms.localizationpriority: medium
author: dulcemontemayor
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 08/17/2017
ms.reviewer:
---

# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies


Here is a list of scripts mentioned in this topic.

## <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
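Review bot: the empty `ms.reviewer:` immediately above `---` duplicates the `ms.reviewer: erikdau` added higher up; remove it. There is also a double blank line between the H1 and "Here is a list of scripts mentioned in this topic." that could be collapsed while the file is open.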
@ -1,28 +1,28 @@
---
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.reviewer:
ms.prod: m365-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.date: 03/10/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Protect derived domain credentials with Windows Defender Credential Guard

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019

Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

By enabling Windows Defender Credential Guard, the following features and solutions are provided:
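Review bot: dropping "Introduced in Windows 10 Enterprise and Windows Server 2016," removes the page's only statement of when the feature shipped and of the Enterprise SKU requirement; if that is intended because appliesto now carries the version list, note that appliesto does not express the Enterprise edition constraint, so consider keeping that clause. In the frontmatter, the empty `ms.reviewer:` on line 4 is still present alongside the added `ms.reviewer: erikdau`, a duplicate key that should be removed, and the body **Applies to** list lacks Windows Server 2022.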
@ -3,23 +3,22 @@ title: Windows Defender Device Guard and Windows Defender Credential Guard hardw
description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
ms.prod: m365-security
ms.localizationpriority: medium
author: SteveSyfuhs
ms.author: stsyfuhs
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool

**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022

```powershell
# Script to find out if a machine is Device Guard compliant.
# The script requires a driver verifier present on the system.
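Review bot: the empty `ms.reviewer:` after `ms.topic` should be removed now that `ms.reviewer: erikdau` is set, and unlike its siblings this frontmatter has no `ms.date` at all; add one if the docs pipeline requires it. The body "Applies to" list here does include Windows Server 2022 and so matches appliesto, which is the state the other pages in this commit should be brought to.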
@ -1,23 +1,22 @@
|
||||
---
|
||||
title: Enterprise Certificate Pinning
|
||||
description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
|
||||
author: dulcemontemayor
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.prod: m365-security
|
||||
ms.technology: windows-sec
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Enterprise Certificate Pinning
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Enterprise certificate pinning is a Windows feature for remembering, or pinning a root issuing certificate authority or end entity certificate to a given domain name.
|
||||
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
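Review bot: the in-body `**Applies to**` block still lists only `- Windows 10` while the `appliesto` metadata in the same file lists Windows 10 and Windows 11; either add Windows 11 to the block or remove the block now that the metadata carries the list. The empty `ms.reviewer:` key could also be filled in or dropped while the author fields are being rewritten.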

@ -99,7 +98,7 @@ The **Certificate** element can have the following attributes.
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br>- sst <br> These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory, or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory, or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br> - sst <br> This allows the certificates to be included in the XML file without a file directory dependency. <br> Note: <br> You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory, or Base64 must be present). |
| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.<br> If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.<br> If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and excludes the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|

#### Site element
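Review bot: `excludes` is the right agreement fix for the EndDate row; in the same cell, 'For help with formatting Pin Rules, see [Representing a Date in XML]' points to a section about the date format, so 'For help with formatting the date' would describe the link accurately.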

@ -107,7 +106,7 @@ The **Site** element can have the following attributes.

| Attribute | Description | Required |
|-----------|-------------|----------|
| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows: <br>- If the DNS name has a leading "*", it's removed. <br>- Non-ASCII DNS name is converted to ASCII Puny Code. <br>- Upper case ASCII characters are converted to lower case. <br>If the normalized name has a leading ".", then, wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows: <br>- If the DNS name has a leading "*", it's removed. <br>- Non-ASCII DNS name is converted to ASCII Puny Code. <br>- Upper case ASCII characters are converted to lower case. <br>If the normalized name has a leading ".", then wildcard left-hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **AllSubdomains** | By default, wildcard left-hand label matching is restricted to a single left-hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.<br>For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|

### Create a Pin Rules Certificate Trust List
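Review bot: the Domain row (both the old and the new line) says non-ASCII names are converted to 'ASCII Puny Code'; the encoding is called Punycode (RFC 3492), so fix the spelling in the same edit as the comma removal.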

@ -2,9 +2,9 @@
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
ms.prod: m365-security
author: mapalko
ms.author: prsriva
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
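Review bot: this front matter uses `localizationpriority: medium` without the `ms.` prefix, whereas every other file in this change uses `ms.localizationpriority`; rename the key here so it is read consistently with the rest of the docset.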

@ -32,7 +32,7 @@ The distributed systems on which these technologies were built involved several

Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.

A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.

You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
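Review bot: in the context line 'The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2', the plural subject 'levels' takes 'are', not 'is'; worth fixing alongside the comma removal in the hybrid key trust sentence.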

@ -87,7 +87,7 @@ The minimum required Enterprise certificate authority that can be used with Wind

The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.

Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect.
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect.

### Section Review
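Review bot: the added comma after 'Azure AD sync' is correct, but these two lines name the product both 'Azure Active Directory Connect' and 'Azure AD Connect', and 'Azure AD sync' should be capitalized as the product name 'Azure AD Sync'; pick one form for Azure AD Connect and capitalize Sync in the same pass.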

@ -2,12 +2,11 @@
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: m365-security
author: mapalko
ms.localizationpriority: high
ms.author: mapalko
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/16/2017
ms.reviewer:
manager: dansimp
manager: aaroncz
ms.topic: article
appliesto:
- ✅ <b>Windows 10</b>
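Review bot: `ms.reviewer:` is kept with an empty value while other pages in this change set one (erikdau, ardenw); give it a value or remove the key rather than shipping an empty field.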

@ -56,14 +55,14 @@ Containers can contain several types of key material:

- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP key). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:

- The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI.

## How keys are protected

Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.

Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
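Review bot: the lines touched by this hunk still say 'Windows Hello for Work' (once in the IDP key bullet and twice in the 'How keys are protected' paragraph) although the page is about Windows Hello for Business; since both of those lines are being reworded anyway ('zero or one IDP key', 'Anytime'), update the stale product name too, and consider replacing 'he or she ... him or her' with 'they' in the TPM lockout sentence.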

@ -72,7 +71,7 @@ Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protect

When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.

These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication anytime a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.

For example, the authentication process for Azure Active Directory works like this:

@ -2,18 +2,21 @@
title: Identity and access management (Windows 10)
description: Learn more about identity and access protection technologies in Windows.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 02/05/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---

# Identity and access management

Learn more about identity and access management technologies in Windows 10.
Learn more about identity and access management technologies in Windows 10 and Windows 11.

| Section | Description |
|-|-|
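Review bot: the title still reads 'Identity and access management (Windows 10)' while the new `appliesto` block and the rewritten intro now cover Windows 11 as well; update the title to match, and bump `ms.date: 02/05/2018` because this hunk changes visible page text, not only metadata.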

@ -1,16 +1,15 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
ms.reviewer: kaushika
manager: kaushika
ms.custom:
- CI ID 110060
- CSSTroubleshoot
ms.author: v-tappelgate
ms.prod: m365-security
author: Teresa-Motiv
ms.topic: article
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 11/20/2019
---
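Review bot: this front matter previously carried `ms.reviewer: kaushika`, `manager: kaushika`, `ms.author: v-tappelgate` and `author: Teresa-Motiv`; with `author: paolomatarazzo`, `ms.author: paoloma` and `manager: aaroncz` added, the hunk counts (16 to 15) mean four lines were dropped, so confirm that the three old author/manager lines are among them (no key may appear twice) and that `ms.reviewer: kaushika` is kept only if kaushika still reviews this page.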

@ -2,22 +2,21 @@
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 01/12/2018
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows Server 2016</b>
---
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard

**Applies to**
- Windows 10
- Windows Server 2016

Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.

Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device.
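Review bot: there is no blank line between the closing `---` of the front matter and the `# Protect Remote Desktop credentials ...` heading, unlike the other pages in this change; add one. The in-body `**Applies to**` list (Windows 10, Windows Server 2016) now duplicates the `appliesto` metadata and can be removed.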

@ -2,20 +2,23 @@
title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card and Remote Desktop Services

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.

The content in this topic applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. In these versions, smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
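Review bot: `ms.reviewer` is duplicated, as `ms.reviewer: ardenw` after `ms.author: paoloma` and as the empty `ms.reviewer:` left above `appliesto:`; remove the empty one so the reviewer value is not overridden. The 'Applies To:' line under the heading also repeats the new `appliesto` metadata.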

@ -60,7 +63,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services

### Remote Desktop Services and smart card sign-in

Remote Desktop Services enable users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.

In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
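Review bot: 'enables' is the right agreement fix; the hunk's header context, 'smart card-enabled single sign-in (SSO)', pairs the SSO abbreviation with 'sign-in', so change it to 'single sign-on' in the same pass.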

@ -2,20 +2,24 @@
title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Architecture

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.

Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter.
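Review bot: same duplicate-key issue as the other smart card pages: `ms.reviewer: ardenw` is added but the empty `ms.reviewer:` above `appliesto:` remains; delete the empty line.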

@ -118,7 +122,7 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows

The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card.

To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it require multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.

The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.

@ -2,20 +2,24 @@
title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 08/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Certificate Propagation Service

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.

The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
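Review bot: `ms.reviewer: ardenw` is added while the empty `ms.reviewer:` before `appliesto:` is left in place, duplicating the key; drop the empty one.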

@ -2,20 +2,24 @@
title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Certificate Requirements and Enumeration

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.

When a smart card is inserted, the following steps are performed.
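Review bot: duplicate `ms.reviewer` again (`ardenw` plus the empty key above `appliesto:`); remove the empty `ms.reviewer:` line.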

@ -2,21 +2,26 @@
title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Troubleshooting

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.

Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
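Review bot: this is the one smart card page in the change where no empty `ms.reviewer:` is left next to the added `ms.reviewer: ardenw`; the other smart card pages should match it. The 'Applies To:' line under the heading now repeats the `appliesto` metadata and can go.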

@ -2,51 +2,47 @@
title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Events

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.

A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization.

- [Smart card reader name](#smart-card-reader-name)

- [Smart card warning events](#smart-card-warning-events)

- [Smart card error events](#smart-card-error-events)

- [Smart card Plug and Play events](#smart-card-plug-and-play-events)

- [Smart card reader name](#smart-card-reader-name)
- [Smart card warning events](#smart-card-warning-events)
- [Smart card error events](#smart-card-error-events)
- [Smart card Plug and Play events](#smart-card-plug-and-play-events)
## Smart card reader name

The Smart Card resource manager does not use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.
The Smart Card resource manager doesn't use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver.

The following three attributes are used to construct the smart card reader name:

- Vendor name

- Interface device type

- Device unit
- Vendor name
- Interface device type
- Device unit

The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information:

- Vendor name: Contoso

- Interface device type: Smart Card Reader

- Device unit: 0
- Vendor name: Contoso
- Interface device type: Smart Card Reader
- Device unit: 0

## Smart card warning events
|
||||
|
||||
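Review bot: `ms.reviewer:` is left empty in this front matter while the other smart card topics in this change set `ms.reviewer: ardenw`; either set it or drop the key. The body line `Applies To: Windows 10, Windows 11, Windows Server 2016 and above` now duplicates the new `appliesto` front-matter list and should go. Minor: `For example 'Contoso Smart Card Reader 0' is constructed` needs a comma after `For example`.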
@ -54,8 +50,8 @@ The smart card reader device name is constructed in the form <*VendorName*>

| **Event ID** | **Warning Message** | **Description** |
|--------------|---------|--------------------------------------------------------------------------------------------|
| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not to be canceled. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.<br><br>%1 = Windows error code<br>%2 = Smart card reader name<br>%3 = IOCTL being canceled<br>%4 = First 4 bytes of the command that was sent to the smart card |
| 619 | Smart Card Reader '%2' has not responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader has not responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader does not respond for 150 seconds. This can leave the smart card reader in an unusable state until it is removed from the computer or the computer is restarted.<br><br>%1 = Number of seconds the IOCTL has been waiting<br>%2 = Smart card reader name<br>%3 = IOCTL sent<br>%4 = First 4 bytes of the command that was sent to the smart card |
| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.<br><br>%1 = Windows error code<br>%2 = Smart card reader name<br>%3 = IOCTL being canceled<br>%4 = First 4 bytes of the command that was sent to the smart card |
| 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.<br><br>%1 = Number of seconds the IOCTL has been waiting<br>%2 = Smart card reader name<br>%3 = IOCTL sent<br>%4 = First 4 bytes of the command that was sent to the smart card |

## Smart card error events

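Review bot: In the 619 row the **Warning Message** column was changed from `Smart Card Reader '%2' has not responded to IOCTL %3` to `hasn't responded`. That column reproduces the string the resource manager writes to the event log, and administrators search and alert on it verbatim, so keep the message text as logged and confine the contraction edits to the **Description** column. The `could not to be canceled` → `could not be canceled` fix in the 620 description is correct.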
@ -67,7 +63,7 @@ The smart card reader device name is constructed in the form <*VendorName*>
| 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.<br>%1 = Name of the smart card reader that is duplicated |
| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. |
| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it is removed from the computer and reinserted or until the computer is restarted. |
| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. |
| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
| 504 | Resource Manager cannot create shutdown event flag: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.<br>%1 = Windows error code |
| 506 | Smart Card Resource Manager failed to register service: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.<br>%1 = Windows error code |
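Review bot: The 406 description changes `until it is removed` to `until it's removed` but leaves `did not properly respond` and `will not be recognized` in the same cell uncontracted, so the cell now mixes both styles; apply the contraction style to the whole cell or leave it unchanged.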
@ -95,10 +91,10 @@ The smart card reader device name is constructed in the form <*VendorName*>
| 609 | Reader monitor failed to create overlapped event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.<br>%1 = Windows error code |
| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.<br>%1 = Windows error code<br>%2 = Name of the smart card reader<br>%3 = IOCTL that was sent<br>%4 = First 4 bytes of the command sent to the smart card <br> These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.|
| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. |
| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.<br>%1 = Windows error code |
| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.<br>%1 = Windows error code |
| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.<br>%1 = Windows error code<br>%2 = Reader name |
| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.<br>%1 = Smart card reader name |
| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.<br>%1 = Windows error code |
| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.<br>%1 = Windows error code |
| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.<br>%1 = Windows error code<br>%2 = Reader name |
| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.<br>%1 = Smart card reader name |
| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. |
| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.<br>%1 = Windows error code <br>These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. |
| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.<br>%1 = Windows error code |

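Review bot: Rows 612, 615, 616 and 617 change `until it is removed` to `until it's removed` while keeping `and it is not recognized by the service` earlier in the same sentence, so every edited sentence now mixes both forms; contract both or neither. The unchanged 610 row also spells `smartcard controller` as one word where the rest of the table uses `smart card`.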
@ -2,20 +2,24 @@
title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/02/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Group Policy and Registry Settings

Applies to: Windows 10, Windows 11, Windows Server 2016 and above

This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.

The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
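Review bot: The front matter ends up with two `ms.reviewer` keys: `ms.reviewer: ardenw` is added after `ms.author`, but the pre-existing empty `ms.reviewer:` under `ms.date` is kept. Duplicate mapping keys are rejected by strict YAML parsers and, where tolerated, the later (empty) value wins, so delete the empty key. The body line `Applies to: Windows 10, Windows 11, Windows Server 2016 and above` also duplicates the new `appliesto` list.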
@ -89,7 +93,7 @@ The following table lists the default values for these GPO settings. Variations

### Allow certificates with no extended key usage certificate attribute

You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in.
You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign-in.

> [!NOTE]
> Enhanced key usage certificate attribute is also known as extended key usage.
@ -145,9 +149,9 @@ When this setting isn't turned on, the feature is not available.

### Allow signature keys valid for Logon

You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in.
You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in.

When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.

When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.

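Review bot: The line `When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.` is shown as both removed and added with no visible difference; if this is only trailing whitespace that is fine, otherwise drop the no-op change from the hunk.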
@ -160,7 +164,7 @@ When this setting isn't turned on, certificates available on the smart card with

### Allow time invalid certificates

You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in.
You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign-in.

> [!NOTE]
> Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
@ -178,7 +182,7 @@ When this policy setting isn't turned on, certificates that are expired or not y

### Allow user name hint

You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.

When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.

@ -191,7 +195,7 @@ When this policy setting isn't turned on, users don't see this optional field.
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None |
| Notes and resources | |

### Configure root certificate clean up
### Configure root certificate clean-up

You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.

@ -251,17 +255,17 @@ This policy setting is applied to the computer after the [Allow time invalid cer

### Force the reading of all certificates from the smart card

You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
You can use this policy setting to manage how Windows reads all certificates from the smart card for sign-in. During sign-in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.

When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set.
When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set.

When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in.
When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in.

| **Item** | **Description** |
|--------------------------------------|----------------------------------------------------------------------------|
| Registry key | **ForceReadingAllCertificates** |
| Default values | No changes per operating system versions<br>Disabled and not configured are equivalent |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
| Policy management | Restart requirement: None<br>Sign off requirement: None<br>Policy conflicts: None<br><br>**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |

### Notify user of successful smart card driver installation
@ -299,12 +303,12 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs.

### Reverse the subject name stored in a certificate when displaying

You can use this policy setting to control the way the subject name appears during sign in.
You can use this policy setting to control the way the subject name appears during sign-in.

> [!NOTE]
> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.

When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate.
When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate.

When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate.

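Review bot: The unchanged closing paragraph uses curly apostrophes (`isn’t`, `it’s`) while the edited line just above uses a straight one (`it's`); since this hunk is already touching the contraction wording, normalize the paragraph to straight apostrophes so the section is consistent.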
@ -2,21 +2,26 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# How Smart Card Sign-in Works in Windows

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:

- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.

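Review bot: The body line `Applies To: Windows 10, Windows 11, Windows Server 2016 and above` duplicates the new `appliesto` front-matter list and should be removed. While this file is open, `This topic for IT professional provides links` in both the `description` and the first paragraph reads as a grammar slip; `for the IT professional` matches the sibling topics. The `ms.reviewer: ardenw` addition itself is clean here (no duplicate key).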
@ -2,20 +2,24 @@
title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Removal Policy Service

Applies To: Windows 10, Windows 11, Windows Server 2016

This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.

The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
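Review bot: Same duplicate-key problem as in the Group Policy topic: `ms.reviewer: ardenw` is added while the empty `ms.reviewer:` under `ms.date` is kept; remove the empty one. The body line `Applies To: Windows 10, Windows 11, Windows Server 2016` now also contradicts the `appliesto` list, which includes Windows Server 2019 and 2022; drop the body line rather than leaving two disagreeing statements.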
@ -26,7 +30,7 @@ The smart card removal policy service is applicable when a user has signed in wi

The numbers in the previous figure represent the following actions:

1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign in was initiated.
1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.

2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.

@ -2,20 +2,24 @@
title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Cards for Windows Service

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.

The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://pcscworkgroup.com/).

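Review bot: Duplicate `ms.reviewer` key again: `ms.reviewer: ardenw` is added while the empty `ms.reviewer:` under `ms.date` remains; delete the empty key. The body `Applies To:` line duplicates the new `appliesto` list.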
@ -2,20 +2,24 @@
title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Tools and Settings

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.

This section of the Smart Card Technical Reference contains information about the following:

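Review bot: Duplicate `ms.reviewer` key: `ms.reviewer: ardenw` is added while the empty `ms.reviewer:` under `ms.date` is kept; remove the empty one. The body `Applies To:` line duplicates the new `appliesto` list.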
@ -2,20 +2,24 @@
title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: ardenw
manager: aaroncz
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/24/2021
ms.reviewer:
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Smart Card Technical Reference

Applies To: Windows 10, Windows 11, Windows Server 2016 and above

The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.

## Audience

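Review bot: Duplicate `ms.reviewer` key: `ms.reviewer: ardenw` is added while the empty `ms.reviewer:` under `ms.date` remains; delete the empty key. The body `Applies To:` line duplicates the new `appliesto` list.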
@ -1,26 +1,27 @@
---
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.reviewer:
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 09/23/2021
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# How User Account Control works

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.

## UAC process and interactions

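Review bot: The unchanged empty `ms.reviewer:` on the fourth front-matter line stays while `ms.reviewer: sulahiri` is added below `ms.author`, leaving two `ms.reviewer` keys; remove the empty one. The `**Applies to**` list in the body duplicates the new `appliesto` front matter and should be dropped.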
@ -2,25 +2,25 @@
title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: m365-security
author: dansimp
ms.author: dansimp
manager: dansimp
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: sulahiri
manager: aaroncz
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# User Account Control Group Policy and registry key settings

**Applies to**

- Windows 10
- Windows 11
- Windows Server 2016 and above

## Group Policy settings
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).

@ -1,26 +1,27 @@
|
||||
---
|
||||
title: User Account Control (Windows)
|
||||
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
|
||||
ms.reviewer:
|
||||
ms.prod: m365-security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: sulahiri
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- M365-identity-device-management
|
||||
- highpri
|
||||
ms.topic: article
|
||||
ms.date: 09/24/2011
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# User Account Control
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
|
||||
|
||||
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
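Review bot: `ms.date: 09/24/2011` in this hunk looks like a typo for `09/24/2021`: the User Account Control security policy settings file edited in this same commit carries `ms.date: 09/24/2021`, and a 2011 date predates the Windows 10, Windows 11 and Windows Server 2016 through 2022 targets being added in `appliesto` directly below it. Since this front matter is already being rewritten, correct the year in the same change.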
|
||||
|
@ -1,27 +1,27 @@
|
||||
---
|
||||
title: User Account Control security policy settings (Windows)
|
||||
description: You can use security policies to configure how User Account Control works in your organization.
|
||||
ms.reviewer:
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: sulahiri
|
||||
manager: aaroncz
|
||||
ms.collection:
|
||||
- M365-identity-device-management
|
||||
- highpri
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/24/2021
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# User Account Control security policy settings
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
|
||||
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
|
||||
|
||||
## User Account Control: Admin Approval Mode for the Built-in Administrator account
|
||||
|
@ -2,14 +2,16 @@
|
||||
title: Deploy Virtual Smart Cards (Windows 10)
|
||||
description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Deploy Virtual Smart Cards
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Evaluate Virtual Smart Card Security (Windows 10)
|
||||
description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Evaluate Virtual Smart Card Security
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
|
||||
|
||||
## Virtual smart card non-exportability details
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
|
||||
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Get Started with Virtual Smart Cards: Walkthrough Guide
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
|
||||
|
||||
Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Virtual Smart Card Overview (Windows 10)
|
||||
description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/13/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Virtual Smart Card Overview
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
|
||||
This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards.
|
||||
|
||||
**Did you mean…**
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Tpmvscmgr (Windows 10)
|
||||
description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Tpmvscmgr
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
|
||||
The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples).
|
||||
|
||||
## Syntax
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
|
||||
description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Understanding and Evaluating Virtual Smart Cards
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards.
|
||||
|
||||
Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Use Virtual Smart Cards (Windows 10)
|
||||
description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/13/2017
|
||||
ms.reviewer:
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
---
|
||||
|
||||
# Use Virtual Smart Cards
|
||||
|
||||
Applies To: Windows 10, Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them.
|
||||
|
||||
## Requirements, restrictions, and limitations
|
||||
|
@ -2,12 +2,15 @@
|
||||
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
|
||||
description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
manager: aaroncz
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# How to configure Diffie Hellman protocol over IKEv2 VPN connections
|
||||
|
@ -2,11 +2,14 @@
|
||||
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
|
||||
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.date: 03/22/2022
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
|
||||
|
@ -2,20 +2,19 @@
|
||||
title: VPN authentication options (Windows 10 and Windows 11)
|
||||
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN authentication options
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
|
||||
|
||||
Windows supports a number of EAP authentication methods.
|
||||
|
@ -2,20 +2,19 @@
|
||||
title: VPN auto-triggered profile options (Windows 10 and Windows 11)
|
||||
description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN auto-triggered profile options
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
|
||||
|
||||
- App trigger
|
||||
|
@ -2,22 +2,23 @@
|
||||
title: VPN and conditional access (Windows 10 and Windows 11)
|
||||
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
ms.reviewer:
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
manager: aaroncz
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN and conditional access
|
||||
|
||||
>Applies to: Windows 10 and Windows 11
|
||||
|
||||
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
|
||||
|
||||
>[!NOTE]
|
||||
>Conditional Access is an Azure AD Premium feature.
|
||||
>Conditional Access is an Azure AD Premium feature.
|
||||
|
||||
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
|
||||
|
||||
|
@ -2,20 +2,19 @@
|
||||
title: VPN connection types (Windows 10 and Windows 11)
|
||||
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 08/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN connection types
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.
|
||||
|
||||
There are many options for VPN clients. In Windows 10 and Windows 11, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
|
||||
|
@ -2,22 +2,19 @@
|
||||
title: Windows VPN technical guide (Windows 10 and Windows 11)
|
||||
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 02/21/2022
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Windows VPN technical guide
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11.
|
||||
|
||||
To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10).
|
||||
|
@ -2,20 +2,19 @@
|
||||
title: VPN name resolution (Windows 10 and Windows 11)
|
||||
description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN name resolution
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
When the VPN client connects to the VPN server, the VPN client receives the client IP address. The client may also receive the IP address of the Domain Name System (DNS) server and the IP address of the Windows Internet Name Service (WINS) server.
|
||||
|
||||
The name resolution setting in the VPN profile configures how name resolution should work on the system when VPN is connected. The networking stack first looks at the Name Resolution Policy table (NRPT) for any matches and tries a resolution in the case of a match. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (in the case of a short name) and a DNS query is sent out on the preferred interface. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces.
|
||||
|
@ -3,14 +3,16 @@ title: Optimizing Office 365 traffic for remote workers with the native Windows
|
||||
description: tbd
|
||||
ms.prod: m365-security
|
||||
ms.topic: article
|
||||
author: kelleyvice-msft
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: jajo
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client
|
||||
|
||||
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
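Review bot: `description: tbd` is a placeholder that this hunk leaves in place while the rest of the front matter is rewritten; the description is what the docs index and search results surface for the page, so replace it with a real summary, for example a one-line version of the article's opening sentence about configuring the Office 365 split-tunnel recommendations for the native Windows 10 and Windows 11 VPN client.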
|
||||
|
@ -1,22 +1,20 @@
|
||||
---
|
||||
title: VPN profile options (Windows 10 and Windows 11)
|
||||
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
manager: aaroncz
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 05/17/2018
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN profile options
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
|
||||
|
||||
>[!NOTE]
|
||||
|
@ -2,20 +2,18 @@
|
||||
title: VPN routing decisions (Windows 10 and Windows 10)
|
||||
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/23/2021
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN routing decisions
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
|
||||
|
||||
## Split tunnel configuration
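Review bot: the `title` line kept as context at the top of this hunk reads `VPN routing decisions (Windows 10 and Windows 10)`; the second platform should be Windows 11, matching the `appliesto` entries added below it and the `(Windows 10 and Windows 11)` pattern used by the sibling VPN pages in this commit. Fix it here rather than leaving it for a follow-up.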
|
||||
|
@ -2,21 +2,19 @@
|
||||
title: VPN security features
|
||||
description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/21/2022
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
manager: aaroncz
|
||||
ms.author: paoloma
|
||||
ms.reviewer: pesmith
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# VPN security features
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
|
||||
## Hyper-V based containers and VPN
|
||||
|
||||
Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues.
|
||||
|
@ -1,22 +1,21 @@
|
||||
---
|
||||
title: Windows Credential Theft Mitigation Guide Abstract
|
||||
description: Provides a summary of the Windows credential theft mitigation guide.
|
||||
ms.reviewer:
|
||||
ms.prod: m365-security
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.collection: M365-identity-device-management
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 04/19/2017
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
---
|
||||
|
||||
# Windows Credential Theft Mitigation Guide Abstract
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
|
||||
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
|
||||
|
||||
|
@ -3,12 +3,12 @@ title: Improve request performance
|
||||
description: Improve request performance
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
---
|
||||
|
||||
>[!TIP]
|
||||
|
@ -3,9 +3,9 @@ title: Perform a Machine Action via the Microsoft Defender for Endpoint API
|
||||
description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API.
|
||||
ms.date: 08/28/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.prod: m365-security
|
||||
---
|
||||
|
||||
|
@ -3,10 +3,10 @@ title: Microsoft Defender for Endpoint API URIs for US Government
|
||||
description: Microsoft Defender for Endpoint API URIs for US Government
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
@ -4,8 +4,9 @@ description: A note in regard to important Microsoft 365 Defender guidance.
|
||||
ms.date:
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: dansimp
|
||||
author: dansimp
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.prod: m365-security
|
||||
ms.topic: include
|
||||
---
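Review bot: this hunk leaves `ms.date:` and `ms.reviewer:` as empty keys above the new `author`, `ms.author` and `manager` lines in this include file; either give them values or drop them, since an empty key adds nothing and is easy to mistake for a deliberately blank value. For comparison, the other files in this commit that were assigned a reviewer replace the empty `ms.reviewer:` line rather than keeping it.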
|
||||
|
@ -3,9 +3,9 @@ title: Microsoft Defender for Endpoint Pre-release Disclaimer
|
||||
description: Disclaimer for pre-release version of Microsoft Defender for Endpoint.
|
||||
ms.date: 08/28/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
manager: aaroncz
|
||||
ms.prod: m365-security
|
||||
---
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Add Production Devices to the Membership Group for a Zone (Windows)
|
||||
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
|
||||
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Add Production Devices to the Membership Group for a Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
|
||||
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Add Test Devices to the Membership Group for a Zone (Windows)
|
||||
description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected.
|
||||
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Add Test Devices to the Membership Group for a Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete. We also recommend that you initially deploy the rules to a few devices only to be sure that the correct GPOs are being processed by each device.
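Review bot: not introduced by this change, but the context paragraph at the end of this hunk contains a sentence fragment: `Although we recommend that you set your rules to request mode until testing and deployment is complete.` Since the file is being edited anyway, join it with the following sentence, for example `Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a few devices only ...`.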
|
||||
|
||||
|
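Review bot: the new `appliesto:` entries enumerate Windows Server 2016, 2019 and 2022, while the removed line read `- Windows Server 2016 and above`; the open-ended claim becomes a closed list, so either that narrowing is intended or the list now needs updating for each new server release. In the same hunk, the unchanged intro sentence "Although we recommend that you set your rules to request mode until testing and deployment is complete." is a fragment; joining it to the following sentence ("..., we also recommend that you initially deploy the rules to a few devices only ...") would fix it while the file is open.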
@ -2,28 +2,30 @@
|
||||
title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows)
|
||||
description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO).
|
||||
ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Appendix A: Sample GPO Template Files for Settings Used in this Guide
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
|
||||
|
||||
|
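Review bot: the unchanged `description:` in this hunk reads "Use sample template files import an XML file containing customized registry preferences ..." and is missing "to" ("Use sample template files to import an XML file ..."); since this frontmatter is being edited anyway, fix it in the same change.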
@ -2,28 +2,30 @@
|
||||
title: Assign Security Group Filters to the GPO (Windows)
|
||||
description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers.
|
||||
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Assign Security Group Filters to the GPO
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
|
||||
|
||||
|
@ -2,27 +2,29 @@
|
||||
title: Basic Firewall Policy Design (Windows)
|
||||
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
|
||||
ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Basic Firewall Policy Design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but don't have a host-based firewall enabled on each device in the organization.
|
||||
|
||||
|
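Review bot: this file's frontmatter has no `ms.date:` line (hunk header `-2,27 +2,29` versus `-2,28 +2,30` for the sibling topics), so the published page will show whatever date the build defaults to; add `ms.date:` here for consistency with the other files in this commit. Also in this hunk, "prevent the entry of malicious traffic in to the organization's network" should read "into".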
@ -6,14 +6,20 @@ ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: maccruz
|
||||
author: schmurky
|
||||
ms.author: paoloma
|
||||
author: paolomatarazzo
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Best practices for configuring Windows Defender Firewall
|
||||
|
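Review bot: every other file in this commit gains `ms.reviewer: jekrynit` alongside the author and manager change, but this hunk only swaps `ms.author`, `author` and `manager` (maccruz, schmurky and dansimp to paoloma, paolomatarazzo and aaroncz) and assigns no reviewer; add the reviewer line, or record why this topic is reviewed differently. `ms.topic: article` here also differs from the `conceptual` value used across the rest of the firewall topics in this commit.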
@ -2,28 +2,30 @@
|
||||
title: Boundary Zone GPOs (Windows)
|
||||
description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Boundary Zone GPOs
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Boundary Zone (Windows)
|
||||
description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Boundary Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
|
||||
In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
|
||||
|
||||
|
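Review bot: removing the body `**Applies to**` block in this hunk leaves three consecutive blank lines between `# Boundary Zone` and the first paragraph; trim them to a single blank line (the other hunks in this commit leave two, which could be tidied the same way).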
@ -2,28 +2,30 @@
|
||||
title: Certificate-based Isolation Policy Design Example (Windows)
|
||||
description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Certificate-based Isolation Policy Design Example
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Certificate-based Isolation Policy Design (Windows)
|
||||
description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design.
|
||||
ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Certificate-based isolation policy design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
|
||||
|
||||
|
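Review bot: the `description:` in this hunk says "how it defers from Domain Isolation and Server Isolation Policy Design"; "defers" should be "differs", and because the description is what search results and the TOC surface, it is worth fixing while the frontmatter is open.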
@ -2,28 +2,30 @@
|
||||
title: Change Rules from Request to Require Mode (Windows)
|
||||
description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices.
|
||||
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Change Rules from Request to Require Mode
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Don't change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that aren't part of the isolated domain.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Basic Firewall Settings (Windows)
|
||||
description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall.
|
||||
ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Basic Firewall Settings
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
|
||||
|
||||
|
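Review bot: the `description:` in this hunk ends with "record log files and more of the necessary function for Firewall", which reads awkwardly; the body's own first sentence gives a cleaner ending, for example "Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files, and other default settings that are separate from the rules."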
@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Rules for an Isolated Server Zone (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain.
|
||||
ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Rules for an Isolated Server Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that isn't part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows)
|
||||
description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
|
||||
ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
|
||||
|
||||
|
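Review bot: the `description:` in this hunk repeats the title verbatim ("Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone"), which gives search and TOC surfaces nothing beyond the H1; the body's first sentence is a ready replacement, for example "Use these tasks to configure connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain."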
@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Rules for the Boundary Zone (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
|
||||
ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Rules for the Boundary Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Rules for the Encryption Zone (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
|
||||
ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Rules for the Encryption Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Configuring Rules for the Isolated Domain (Windows)
|
||||
description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
|
||||
ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Configuring Rules for the Isolated Domain
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Creating Group Policy Objects (Windows)
|
||||
description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS.
|
||||
ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Creating Group Policy Objects
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Creating Inbound Firewall Rules (Windows)
|
||||
description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Creating Inbound Firewall Rules
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for creating firewall rules in your GPOs.
|
||||
|
||||
|
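Review bot: the body sentence "This checklist includes tasks for creating firewall rules in your GPOs." omits "inbound", while the title and description both scope this topic to inbound rules and the outbound counterpart in this commit says "creating outbound firewall rules"; make it "creating inbound firewall rules".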
@ -2,28 +2,30 @@
|
||||
title: Checklist Creating Outbound Firewall Rules (Windows)
|
||||
description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security.
|
||||
ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Creating Outbound Firewall Rules
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for creating outbound firewall rules in your GPOs.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Create Rules for Standalone Isolated Server Zone Clients (Windows)
|
||||
description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone
|
||||
ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
|
||||
|
||||
|
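Review bot: the `title:` ("Create Rules for Standalone Isolated Server Zone Clients (Windows)") does not match the H1 ("Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone"), and the `description:` ("Checklist for when creating rules for clients of a Standalone Isolated Server Zone") reads awkwardly; align the title with the pattern the other checklist topics use ("Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows)") and reuse the body's first sentence as the description.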
@ -2,28 +2,30 @@
|
||||
title: Checklist Implementing a Basic Firewall Policy Design (Windows)
|
||||
description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation.
|
||||
ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Implementing a Basic Firewall Policy Design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows)
|
||||
description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design.
|
||||
ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Implementing a Certificate-based Isolation Policy Design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
|
||||
|
||||
|
@ -2,28 +2,30 @@
|
||||
title: Checklist Implementing a Domain Isolation Policy Design (Windows)
|
||||
description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design.
|
||||
ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
ms.reviewer: jekrynit
|
||||
ms.author: paoloma
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
manager: dansimp
|
||||
author: paolomatarazzo
|
||||
manager: aaroncz
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 09/07/2021
|
||||
ms.technology: windows-sec
|
||||
appliesto:
|
||||
- ✅ <b>Windows 10</b>
|
||||
- ✅ <b>Windows 11</b>
|
||||
- ✅ <b>Windows Server 2016</b>
|
||||
- ✅ <b>Windows Server 2019</b>
|
||||
- ✅ <b>Windows Server 2022</b>
|
||||
---
|
||||
|
||||
# Checklist: Implementing a Domain Isolation Policy Design
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
|
||||
This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
|
||||
|
||||
|
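Review bot: the `description:` in this hunk reads "links to other checklists to complete tasks require to implement this design"; "require" should be "required".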
@ -2,28 +2,30 @@
title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows)
description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists.
ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Checklist: Implementing a Standalone Server Isolation Policy Design

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).

@ -2,28 +2,30 @@
title: Configure Authentication Methods (Windows)
description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security.
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Authentication Methods

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.

@ -2,28 +2,30 @@
title: Configure Data Protection (Quick Mode) Settings (Windows)
description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone.
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Data Protection (Quick Mode) Settings

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.

@ -2,28 +2,30 @@
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows)
description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network.
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Group Policy to Autoenroll and Deploy Certificates

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.

@ -2,28 +2,30 @@
title: Configure Key Exchange (Main Mode) Settings (Windows)
description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security.
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Key Exchange (Main Mode) Settings

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.

@ -2,20 +2,26 @@
title: Configure the Rules to Require Encryption (Windows)
description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption.
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure the Rules to Require Encryption

@ -2,28 +2,30 @@
title: Configure the Windows Defender Firewall Log (Windows)
description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC.
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure the Windows Defender Firewall with Advanced Security Log

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.

@ -2,25 +2,27 @@
title: Configure the Workstation Authentication Template (Windows)
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.reviewer: jekrynit
manager: aaroncz
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
author: paolomatarazzo
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure the Workstation Authentication Certificate Template

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.

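Review bot: this file's frontmatter is missing the `audience: ITPro`, `ms.collection: M365-security-compliance` and `ms.topic: conceptual` keys that every other file in this commit carries between `manager:` and `ms.date:`, and its `manager:` line sits above `ms.author:` rather than beside `author:` as in the sibling files; since the hunk already rewrites `manager:`, `ms.author:` and `author:`, bring the key set and order in line with the others so the page is classified the same way. Separately, the body paragraph names "Active Directory Certification Services (AD CS)"; the role is Active Directory Certificate Services, and the expansion should match the AD CS abbreviation.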
@ -2,28 +2,30 @@
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.

@ -2,28 +2,30 @@
title: Confirm That Certificates Are Deployed Correctly (Windows)
description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations.
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: securit
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Confirm That Certificates Are Deployed Correctly

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.

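Review bot: the unchanged context line `ms.pagetype: securit` in this hunk is a typo; every other file in this commit has `ms.pagetype: security`, and a misspelled page type will not match whatever build or search filter keys on it. The hunk is already touching the neighbouring `ms.author:` and `author:` lines, so correct it here rather than leaving it for a separate change.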
@ -2,28 +2,30 @@
title: Copy a GPO to Create a New GPO (Windows)
description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Copy a GPO to Create a New GPO

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.

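Review bot: "Active Directory Users and devices MMC snap-in", which appears in both the `description:` line and the last body sentence of this hunk, is not the name of any snap-in; it looks like a global computers-to-devices replacement that hit a proper noun, since the next file in this commit still says "Active Directory Users and Computers console". Copying a GPO is done in the Group Policy Management console (copy and paste under the Group Policy Objects container), which is the tool the firewall log page in this same commit points at, so fix the name on both lines rather than only restoring "Computers".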
@ -2,28 +2,30 @@
title: Create a Group Account in Active Directory (Windows)
description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console.
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create a Group Account in Active Directory

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.

@ -2,28 +2,30 @@
title: Create a Group Policy Object (Windows)
description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create a Group Policy Object

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

To create a new GPO, use the Active Directory Users and Computers MMC snap-in.

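Review bot: both the `description:` line and the body sentence in this hunk say a GPO is created with the Active Directory Users and Computers MMC snap-in; GPOs are created in the Group Policy Management console (the Group Policy Objects container), which is also the tool the firewall log and notification pages in this same commit name. The statement that you must be a member of the Domain Administrators group is narrower than what is needed (Group Policy Creator Owners also suffices), so consider softening it while the line is being edited.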
@ -2,28 +2,30 @@
title: Create an Authentication Exemption List Rule (Windows)
description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies.
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create an Authentication Exemption List Rule

**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above

In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.

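Review bot: the body paragraph in this hunk reads "there are some devices or devices that cannot communicate by using IPsec", another computers-to-devices replacement artifact; reduce it to "some devices that cannot communicate by using IPsec". The `description:` line spells the protocol "IPSec" while the body and every other file in this commit use "IPsec"; make the description match.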
@ -2,20 +2,26 @@
title: Create an Authentication Request Rule (Windows)
description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate.
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
ms.reviewer:
ms.author: dansimp
ms.reviewer: jekrynit
ms.author: paoloma
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
manager: dansimp
author: paolomatarazzo
manager: aaroncz
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/07/2021
ms.technology: windows-sec
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
- ✅ <b>Windows Server 2016</b>
- ✅ <b>Windows Server 2019</b>
- ✅ <b>Windows Server 2022</b>
---

# Create an Authentication Request Rule

Some files were not shown because too many files have changed in this diff.