Merged PR 15200: TIMNA public preview updates

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -11,7 +11,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 03/25/2019
+ms.date: 04/11/2019
 ---
 
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@@ -23,12 +23,19 @@ ms.date: 03/25/2019
 
 Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
 
->[!NOTE]
->If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**). the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. MAM supports only one user per device.  
+## Differences between MDM and MAM for WIP
+
+- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
+- MAM supports only one user per device.  
+- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md) 
+- MAM has additional **Access** settings for Windows Hello for Business
+- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device
+- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)
+- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. 
 
 ## Prerequisites
 
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. 
+Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). 
 
 ## Configure the MDM or MAM provider
 
@@ -602,6 +609,70 @@ Optionally, if you don’t want everyone in your organization to be able to shar
 >[!NOTE]
 >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
 
+### Configure Windows Hello for Business for MAM
+If you created a WIP policy for MAM, you can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices.
+
+**To turn on and configure Windows Hello for Business**
+
+1.	From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
+
+    The **Advanced settings** blade appears.
+
+2.	Choose to turn on and configure the Windows Hello for Business settings:
+
+    ![Microsoft Intune, Choose to use Windows Hello for Business](images/wip-azure-access-options.png)
+
+    - **Use Windows Hello for Business as a method for signing into Windows.** Turns on Windows Hello for Business. The options are:
+    
+        - **On.** Turns on Windows Hello For Business for anyone assigned to this policy.
+     
+        - **Off.** Turns off Windows Hello for Business.
+    
+    - **Set the minimum number of characters required for the PIN.** Enter a numerical value (4-127 characters) for how many characters must be used to create a valid PIN. Default is 4 characters.
+    
+    - **Configure the use of uppercase letters in the Windows Hello for Business PIN.** Lets you decide whether uppercase letters can be used in a valid PIN. The options are:
+
+        - **Allow the use of uppercase letters in PIN.** Lets an employee use uppercase letters in a valid PIN.
+        
+        - **Require the use of at least one uppercase letter in PIN.** Requires an employee to use at least 1 uppercase letter in a valid PIN.
+        
+        - **Do not allow the use of uppercase letters in PIN.** Prevents an employee from using uppercase letters in a valid PIN.
+
+    - **Configure the use of lowercase letters in the Windows Hello for Business PIN.** Lets you decide whether lowercase letters can be used in a valid PIN. The options are:
+        
+        - **Allow the use of lowercase letters in PIN.** Lets an employee use lowercase letters in a valid PIN.
+        
+        - **Require the use of at least one lowercase letter in PIN.** Requires an employee to use at least 1 lowercase letter in a valid PIN.
+        
+        - **Do not allow the use of lowercase letters in PIN.** Prevents an employee from using lowercase letters in a valid PIN.
+
+    - **Configure the use of special characters in the Windows Hello for Business PIN.** Lets you decide whether special characters can be used in a valid PIN. The options are:
+
+        - **Allow the use of special characters in PIN.** Lets an employee use special characters in a valid PIN.
+        
+        - **Require the use of at least one special character in PIN.** Requires an employee to use at least 1 special character in a valid PIN.
+        
+        - **Do not allow the use of special characters in PIN.** Prevents an employee from using special characters in a valid PIN.
+
+    - **Specify the period of time (in days) that a PIN can be used before the system requires the user to change it.** Enter a numerical value (0-730 days) for how many days can pass before a PIN must be changed. If you enter a value of 0, the PIN never expires.
+
+    - **Specify the number of past PINs that can be associated to a user account that can't be reused.** Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN. If you enter a value of 0, a PINs can be reused immediately and past PINs aren't stored.
+        
+        >[!NOTE]
+        >PIN history is not preserved through a PIN reset.
+
+    - **Number of authentication failures allowed before the device will be wiped.** Enter a numerical value for how many times the PIN can be incorrectly entered before wiping the device of corporate data. If you enter a value of 0, the device is never wiped, regardless of the number of incorrect PIN entries.<p>This setting has different behavior for mobile devices and desktops.
+
+        - **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data.
+
+        - **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored.
+
+    - **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle.
+
+        >[!NOTE]
+        >You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored.
+
+
 ## Related topics
 
 - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)

windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md

@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/26/2019
+ms.date: 04/11/2019
 ---
 
 # How Windows Information Protection (WIP) protects a file that has a sensitivity label 
@@ -34,8 +34,6 @@ Microsoft information protection technologies include:
 
 - [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. 
 
-- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365.
-
 - [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
 
 - [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.

windows/security/threat-protection/TOC.md

@@ -1018,23 +1018,17 @@
 ###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
 ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
 
+### [Windows security guidance for enterprises](windows-security-configuration-framework/windows-security-compliance.md)
 
-### [Windows security compliance](windows-security-configuration-framework/windows-security-compliance.md)
 #### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
 ##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
 ##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
-#### [Windows SECCON framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
-##### [SECCON 1 enterprise administrator security](windows-security-configuration-framework/level-1-enterprise-administrator-security.md)
-##### [SECCON 2 enterprise dev/ops security](windows-security-configuration-framework/level-2-enterprise-devops-security.md)
-##### [SECCON 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md)
-##### [SECCON 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md)
-##### [SECCON 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md)
-####Windows Security Blog Posts
-##### [Sticking with Well-Known and Proven Solutions](windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md)
-##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md)
-##### [Configuring Account Lockout](windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md)
-##### [Blocking Remote Use of Local Accounts](windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md)
-##### [Dropping the “Untrusted Font Blocking” setting](windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md)
+#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
+##### [Level 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md)
+##### [Level 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md)
+##### [Level 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md)
+##### [Level 2 enterprise dev/ops workstation](windows-security-configuration-framework/level-2-enterprise-devops-security.md)
+##### [Level 1 enterprise administrator workstation](windows-security-configuration-framework/level-1-enterprise-administrator-security.md)
 
 ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
 

windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md

@@ -75,6 +75,8 @@ To effectively build queries that span multiple tables, you need to understand t
 | Ipv4Dhcp | string | IPv4 address of DHCP server |
 | Ipv6Dhcp | string | IPv6 address of DHCP server |
 | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
+| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
+| IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file |
 | LocalIP | string | IP address assigned to the local machine used during communication |
 | LocalPort | int | TCP port on the local machine used during communication |
 | LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
@@ -114,6 +116,8 @@ To effectively build queries that span multiple tables, you need to understand t
 | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
 | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
 | Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
+| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
+| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
 | SHA1 | string | SHA-1 of the file that the recorded action was applied to |
 | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
 | RegistryMachineTag | string | Machine tag added through the registry |

windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md

@@ -37,12 +37,9 @@ You can define the conditions for when entities are identified as malicious or s
 ## Create an allowed or blocked list
 1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.  
 
-2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities: 
-   - File hash
-   - Certificate
-   - IP address
+2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for certificates. 
 
-3. Click **Add system exclusion**.
+3. Select **Add allowed/blocked list rule**.
 
 4. For each attribute specify the exclusion type, details, and their corresponding required values.
     

windows/security/threat-protection/windows-firewall/TOC.md

@@ -95,6 +95,7 @@
 #### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
 #### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
 #### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
+#### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md)
 #### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
 #### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
 #### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)

windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md

@@ -0,0 +1,140 @@
+---
+title: Create Windows Firewall rules in Intune (Windows 10)
+description: Explains how to create Windows Firewall rules in Intune
+ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: tewchen
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+ms.date: 04/11/2019
+---
+
+# Create Windows Firewall rules in Intune
+
+**Applies to**
+-   Windows 10
+
+>[!IMPORTANT]
+>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+To get started, open Device Configuration in Intune, then create a new profile. 
+Choose Windows 10 as the platform, and Endpoint Protection as the profile type. 
+Select Windows Defender Firewall. 
+Add a firewall rule to this new Endpoint Protection profile using the Add button at the bottom of the blade. 
+
+![Windows Defender Firewall in Intune](images/windows-firewall-intune.png)
+
+>[!IMPORTANT]
+>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
+
+## Firewall rule components
+
+Following table has description for each field.
+
+
+| Property | Type | Description |
+|----------|------|-------------|
+| DisplayName | String | The display name of the rule. Does not need to be unique. |
+| Description | String | The description of the rule. |
+| PackageFamilyName | String | The package family name of a Microsoft Store application that's affected by the firewall rule. |
+| FilePath | String | The full file path of an app that's affected by the firewall rule. |
+| FullyQualifiedBinaryName | String | The fully qualified binary name. |
+| ServiceName | String | The name used in cases when a service, not an application, is sending or receiving traffic. |
+| Protocol | Nullable Integer - default value is null which maps to All | 0-255 number representing the [IP protocol](https://www.wikipedia.org/wiki/List_of_IP_protocol_numbers) (TCP = 6, UDP = 17).  If not specified, the default is All. |
+| LocalPortRanges | String array | List of local port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
+| RemotePortRanges | String array | List of remote port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. |
+| LocalAddressRanges | String array | List of local addresses covered by the rule. Valid tokens include:<br>- "\*" indicates any local address. If present, this must be the only token included.<br>- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.<br>- A valid IPv6 address.<br>- An IPv4 address range in the format of "start address - end address" with no spaces included.<br>- An IPv6 address range in the format of "start address - end address" with no spaces included.<br>Default is any address. |
+| RemoteAddressRanges | String array | List of tokens specifying the remote addresses covered by the rule.Tokens are case insensitive. Valid tokens include:<br>- "\*" indicates any remote address. If present, this must be the only token included.<br>- "Defaultgateway"<br>- "DHCP"<br>- "DNS"<br>- "WINS"<br>- "Intranet"<br>- "RmtIntranet"<br>- "Internet"<br>- "Ply2Renders"<br>- "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.<br>- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.<br>- A valid IPv6 address.<br>- An IPv4 address range in the format of "start address - end address" with no spaces included.<br>- An IPv6 address range in the format of "start address - end address" with no spaces included.<br>Default is any address. |
+| ProfileTypes | WindowsFirewallNetworkProfileTypes | Specifies the profiles to which the rule belongs. If not specified, the default is All. |
+| Action| StateManagementSetting | The action the rule enforces. If not specified, the default is Allowed. |
+| TrafficDirection | WindowsFirewallRuleTrafficDirectionType | The traffic direction that the rule is enabled for. If not specified, the default is Out. |
+| InterfaceTypes | WindowsFirewallRuleInterfaceTypes | The interface types of the rule. |
+| EdgeTraversal | StateManagementSetting | Indicates whether edge traversal is enabled or disabled for this rule.<br>The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.<br>New rules have the EdgeTraversal property disabled by default. |
+| LocalUserAuthorizations | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. |
+
+
+## Application
+Control connections for an app or program. 
+Apps and programs can be specified either file path, package family name, or Windows service short name. 
+
+The file path of an app is its location on the client device. 
+For example, C:\Windows\System\Notepad.exe. 
+[Learn more](https://aka.ms/intunefirewallfilepathrule) 
+
+Package family names can be retrieved by running the Get-AppxPackage command from PowerShell. 
+[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) 
+
+Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. 
+Default ia All. 
+
+[Learn more](https://aka.ms/intunefirewallServiceNameRule)
+
+## Protocol
+Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol. 
+
+Default is Any. 
+
+[Learn more](https://aka.ms/intunefirewallprotocolrule)
+
+## Local ports
+Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. 
+
+[Learn more](https://aka.ms/intunefirewalllocalportrule)
+
+## Remote ports
+Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All. 
+
+[Learn more](https://aka.ms/intunefirewallremoteportrule)
+
+## Local addresses
+Comma separated list of local addresses covered by the rule. Valid tokens include:
+- \* indicates any local address. If present, this must be the only token included. 
+- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is  255.255.255.255. 
+- A valid IPv6 address. 
+- An IPv4 address range in the format of "start address - end address" with no spaces included. 
+- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address. 
+
+[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
+
+## Remote addresses
+List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
+- \* indicates any remote address. If present, this must be the only token included. 
+- Defaultgateway 
+- DHCP 
+- DNS 
+- WINS 
+- Intranet (supported on Windows versions 1809+) 
+- RmtIntranet (supported on Windows versions 1809+) 
+- Internet (supported on Windows versions 1809+) 
+- Ply2Renders (supported on Windows versions 1809+) 
+- LocalSubnet indicates any local address on the local subnet. 
+- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. 
+- A valid IPv6 address. 
+- An IPv4 address range in the format of "start address - end address" with no spaces included. 
+- An IPv6 address range in the format of "start address - end address" with no spaces included. 
+
+Default is Any address. 
+
+[Learn more](https://aka.ms/intunefirewallremotaddressrule)
+
+## Edge traversal (coming soon)
+Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. 
+
+[Learn more](https://aka.ms/intunefirewalledgetraversal)
+
+## Authorized users
+Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. Default is all users. 
+
+[Learn more](https://aka.ms/intunefirewallauthorizedusers)
+
+## Configuring firewall rules programmatically
+
+Coming soon.
+
+