From 0ef901195f4364ce818e624699196049fe5775d7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 25 Apr 2021 23:14:23 +0500 Subject: [PATCH 01/15] Update hello-hybrid-aadj-sso-cert.md --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index da0e139923..3bcde4eec9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -679,6 +679,11 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. + + > [!Note] + > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. + > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement) + 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. 
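Review bot: the quotation marks in the added example `CN=”{{OnPrem_Distinguished_Name}}”` are typographic (U+201C/U+201D), so a reader who copies the string into the Intune **Subject name format** field will submit characters that are not DN quoting at all; the example needs straight ASCII quotes, `CN="{{OnPrem_Distinguished_Name}}"`. In the same note, "scpecial" is a typo, `[!Note]` should be `[!NOTE]` for the docs alert syntax, and the two `>` sentences will render as one run-on paragraph unless a blank `>` line separates them. The second sentence also sends the reader to switch off name-length enforcement on the Certification Authority without saying that this is a CA-wide setting affecting every template the CA issues, which is the caveat an admin needs before making that change.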
@@ -712,4 +717,4 @@ You have successfully completed the configuration. Add users that need to enrol > * Install and Configure the NDES Role > * Configure Network Device Enrollment Services to work with Microsoft Intune > * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) \ No newline at end of file +> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) From 33f51de4962c7468947f1f9e030ebba2a2eae5e6 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 27 Apr 2021 14:09:24 +0500 Subject: [PATCH 02/15] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 3bcde4eec9..37b51d0f58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -680,7 +680,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. - > [!Note] + > [!NOTE] > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement) From 84a64b71fa3ab330f7bdb7927e92720ea32277a4 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 27 Apr 2021 14:09:33 +0500 Subject: [PATCH 03/15] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 37b51d0f58..ef4f0465c4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -681,7 +681,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. > [!NOTE] - > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. + > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement) 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. From 8cf38b6fcac09a95c54e88fc9976c2b91111410f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 27 Apr 2021 14:09:38 +0500 Subject: [PATCH 04/15] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ef4f0465c4..090085514e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
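Review bot: the rewrite keeps the typographic quotes in `CN=”{{OnPrem_Distinguished_Name}}”`, and now that the sentence states the name "must be enclosed in quotation marks", the example has to show the ASCII `"` the field actually accepts, otherwise the fix it prescribes cannot be copied. The list "plus sign, comma, semicolon, or equal sign" reads as exhaustive because of "must"; if it is only illustrative ("like"), say so, and if it is the complete set the CA's DN parser treats as delimiters, drop "like".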
@@ -682,7 +682,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > [!NOTE] > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. - > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement) + > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. From 61270ecfed2161180818a7098aadb9deeb96d670 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 26 Jul 2021 17:40:56 -0700 Subject: [PATCH 05/15] Edited select-type and event-id documents. - select-type-of-rules-to-create: added option 20 to table 1. - event-id-explanations: Added a new System Integrity Policy Options table for event ID 3099. --- .../event-id-explanations.md | 29 +++++++++++++++++++ .../select-types-of-rules-to-create.md | 1 + 2 files changed, 30 insertions(+) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 6ac3422250..2d450b1c94 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -86,6 +86,35 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` +## System Integrity Policy Options +Below are the policy options in event 3099. + +| Bit Address | Policy Rule Option | +|-------|------| +| 2 | Enabled:UMCI | +| 3 | Enabled:Boot Menu Protection | +| 4 | Enabled:Intelligent Security Graph Authorization | +| 5 | Enabled:Invalidate EAs on Reboot | +| 7 |Required:WHQL | +| 8 | Enabled:Developer Dynamic Code Security | +| 9 | Enabled: No Revalidation Upon Refresh | +| 10 | Enabled:Allow Supplemental Policies | +| 11 | Disabled:Runtime FilePath Rule Protection | +| 13 | Enabled: Revoked Expired As Unsigned | +| 16 |Enabled:Audit Mode (Default) | +| 17 | Disabled:Flight Signing | +| 18 | Enabled:Inherit Default Policy | +| 19 | Enabled:Unsigned System Integrity Policy (Default) | +| 20 | Enabled:Dynamic Code Security | +| 21 | Required:EV Signers | +| 22 | Enabled:Boot Audit on Failure | +| 23 | Enabled:Advanced Boot Options Menu | +| 24 | Disabled:Script Enforcement | +| 25 | Required:Enforce Store Applications | +| 26 | Enabled: Host Policy Enforcement | +| 27 |Enabled:Managed Installer | +| 28 |Enabled:Update Policy No Reboot | + ## Appendix A list of other relevant event IDs and their corresponding description. 
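Review bot: the new "System Integrity Policy Options" table gives bit addresses without telling the reader which field of event 3099 holds the value, that it is a bitmask, or whether "Bit Address" counts from 0 at the least-significant bit; "Below are the policy options in event 3099" is not enough to parse a value. The numbering here (for example `Enabled:Revoked Expired As Unsigned` at bit 13) is also a different scheme from the numbered rule options in select-types-of-rules-to-create.md, where the same option is number 20, so the two tables should cross-link and state that the numbers are not interchangeable. Minor: cell spacing is inconsistent (`| 7 |Required:WHQL |`, `| 9 | Enabled: No Revalidation Upon Refresh |`), and the table sits directly under the `reg add ... TestFlags` fence with no transition.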
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 794cefca57..0d7b426112 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No | +| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels From 5a52a3bd439485aaaea3ae0095582ec5d2db1186 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 27 Jul 2021 16:20:28 -0700 Subject: [PATCH 06/15] Added the suggested feedback to select-types-of-rules and event-id-explanations documents. --- .../event-id-explanations.md | 16 ++++++++-------- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) 
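Review bot: the new row **20 Enabled:Revoked Expired As Unsigned** omits the "NOTE: This option is only supported on Windows 10, version X, and above" qualifier that every neighbouring row carries, so a reader cannot tell which builds honour it. The description should also say what happens to a binary signed with an expired or revoked certificate when the option is absent, since that is the trade-off a policy author is choosing. Grammar: "an expired and/or revoked certificates" and "user mode process/components" should read "expired and/or revoked certificates" and "user-mode processes/components".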
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 2d450b1c94..e3ae7a65ba 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ``` ## System Integrity Policy Options -Below are the policy options in event 3099. +The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). | Bit Address | Policy Rule Option | |-------|------| @@ -95,13 +95,13 @@ Below are the policy options in event 3099. | 3 | Enabled:Boot Menu Protection | | 4 | Enabled:Intelligent Security Graph Authorization | | 5 | Enabled:Invalidate EAs on Reboot | -| 7 |Required:WHQL | +| 7 | Required:WHQL | | 8 | Enabled:Developer Dynamic Code Security | -| 9 | Enabled: No Revalidation Upon Refresh | +| 9 | Enabled:No Revalidation Upon Refresh | | 10 | Enabled:Allow Supplemental Policies | | 11 | Disabled:Runtime FilePath Rule Protection | -| 13 | Enabled: Revoked Expired As Unsigned | -| 16 |Enabled:Audit Mode (Default) | +| 13 | Enabled:Revoked Expired As Unsigned | +| 16 | Enabled:Audit Mode (Default) | | 17 | Disabled:Flight Signing | | 18 | Enabled:Inherit Default Policy | | 19 | Enabled:Unsigned System Integrity Policy (Default) | 
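Review bot: the relative link `select-types-of-rules-to-create#table-1-...` has no `.md` extension, unlike the other in-repo links in this series (for example `provisioning-csp.md`), so the docs build will not resolve it. The new intro still leaves the bit index base undefined: "convert the hex value to binary" does not say whether bit 2 in the table is the third bit from the least-significant end, and a single worked value taken from a real 3099 event ("Options" = hex, bits set, resulting option names) would remove the ambiguity. Also "Code integrity 3099 event" should be capitalised consistently with "Code Integrity" elsewhere in the article.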
@@ -111,9 +111,9 @@ Below are the policy options in event 3099. | 23 | Enabled:Advanced Boot Options Menu | | 24 | Disabled:Script Enforcement | | 25 | Required:Enforce Store Applications | -| 26 | Enabled: Host Policy Enforcement | -| 27 |Enabled:Managed Installer | -| 28 |Enabled:Update Policy No Reboot | +| 26 | Enabled:Host Policy Enforcement | +| 27 | Enabled:Managed Installer | +| 28 | Enabled:Update Policy No Reboot | ## Appendix A list of other relevant event IDs and their corresponding description. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 0d7b426112..8f9b6ac45d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No | -| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No | +| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels From 20f3b55c1616b754a0a1fd8620bfd30511831146 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 2 Aug 2021 10:07:49 -0700 Subject: [PATCH 07/15] Updated the last of the suggestions. --- .../event-id-explanations.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e3ae7a65ba..ff7f78475a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -96,8 +96,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th | 4 | Enabled:Intelligent Security Graph Authorization | | 5 | Enabled:Invalidate EAs on Reboot | | 7 | Required:WHQL | -| 8 | Enabled:Developer Dynamic Code Security | -| 9 | Enabled:No Revalidation Upon Refresh | | 10 | Enabled:Allow Supplemental Policies | | 11 | Disabled:Runtime FilePath Rule Protection | | 13 | Enabled:Revoked Expired As Unsigned | @@ -111,7 +109,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th | 23 | Enabled:Advanced Boot Options Menu | | 24 | Disabled:Script Enforcement | | 25 | Required:Enforce Store Applications | -| 26 | Enabled:Host Policy Enforcement | | 27 | Enabled:Managed Installer | | 28 | Enabled:Update Policy No Reboot | From 9aa2be7ebddbdf0c9908a4db134eec8a4becacc5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 9 Aug 2021 11:44:55 +0500 Subject: [PATCH 08/15] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 090085514e..aa4eeb348a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
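Review bot: removing bits 8, 9 and 26 leaves the table with unexplained gaps (6, 8, 9, 12, 14, 15, 26), and the commit message "Updated the last of the suggestions" does not record why these rows went; the intro should state that bits not listed are reserved or undocumented so that someone decoding a value does not assume the table is exhaustive, and the reason for dropping the three options belongs in the commit message.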
@@ -681,7 +681,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. > [!NOTE] - > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. + > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. From 036de85d1818004a91cde78ae0152d5fdda0ddd0 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 9 Aug 2021 11:45:03 +0500 Subject: [PATCH 09/15] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index aa4eeb348a..b8ce7af3da 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -682,7 +682,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > [!NOTE] > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. - > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). + > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. From f15dc57cec8e7faf3b315edd31f31cbd39f81ec6 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 9 Aug 2021 11:56:00 -0600 Subject: [PATCH 10/15] Raise acro score sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480 --- .../event-id-explanations.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index ff7f78475a..185e7af3d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -91,26 +91,26 @@ The WDAC policy rule-option values can be derived from the "Options" field in th | Bit Address | Policy Rule Option | |-------|------| -| 2 | Enabled:UMCI | -| 3 | Enabled:Boot Menu Protection | -| 4 | Enabled:Intelligent Security Graph Authorization | -| 5 | Enabled:Invalidate EAs on Reboot | -| 7 | Required:WHQL | -| 10 | Enabled:Allow Supplemental Policies | -| 11 | Disabled:Runtime FilePath Rule Protection | -| 13 | Enabled:Revoked Expired As Unsigned | -| 16 | Enabled:Audit Mode (Default) | -| 17 | Disabled:Flight Signing | -| 18 | Enabled:Inherit Default Policy | -| 19 | Enabled:Unsigned System Integrity Policy (Default) | -| 20 | Enabled:Dynamic Code Security | -| 21 | Required:EV Signers | -| 22 | Enabled:Boot Audit on Failure | -| 23 | Enabled:Advanced Boot Options Menu | -| 24 | Disabled:Script Enforcement | -| 25 | Required:Enforce Store Applications | -| 27 | Enabled:Managed Installer | -| 28 | Enabled:Update Policy No Reboot | +| 2 | `Enabled:UMCI` | +| 3 | `Enabled:Boot Menu Protection` | +| 4 | `Enabled:Intelligent Security Graph Authorization` | +| 5 | `Enabled:Invalidate EAs on Reboot` | +| 7 | `Required:WHQL` | +| 10 | `Enabled:Allow Supplemental Policies` | +| 11 | `Disabled:Runtime FilePath Rule Protection` | +| 13 | `Enabled:Revoked Expired As Unsigned` | +| 16 | `Enabled:Audit Mode (Default)` | +| 17 | `Disabled:Flight Signing` | +| 18 | `Enabled:Inherit Default Policy` | +| 19 | `Enabled:Unsigned System Integrity Policy (Default)` | +| 20 | `Enabled:Dynamic Code Security` | +| 21 | `Required:EV Signers` | +| 22 | `Enabled:Boot Audit on Failure` | +| 23 | `Enabled:Advanced Boot Options Menu` | +| 24 | `Disabled:Script Enforcement` | +| 25 | `Required:Enforce Store Applications` | +| 27 | `Enabled:Managed Installer` | +| 28 | `Enabled:Update Policy No Reboot` | ## Appendix A list of other relevant event IDs and their corresponding description. From b299fca18a551f536ccb9cbddf7a655ea4decfe6 Mon Sep 17 00:00:00 2001 
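Review bot: wrapping the option names in backticks turns `Enabled:Audit Mode (Default)` and `Enabled:Unsigned System Integrity Policy (Default)` into apparent literal strings, but "(Default)" is an annotation, not part of the option name as it appears in a policy; move "(Default)" outside the backticks or into a separate column so a reader does not copy it into a policy file.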
From: Diana Hanson Date: Mon, 9 Aug 2021 11:57:38 -0600 Subject: [PATCH 11/15] Fix Warning Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 185e7af3d1..d9a41c8eff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ``` ## System Integrity Policy Options -The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). +The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). | Bit Address | Policy Rule Option | |-------|------| From 948b041f1eb568b1961e715c01e127fb369d5b6a Mon Sep 17 00:00:00 2001 
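Review bot: the "fix" changes the link to `/select-types-of-rules-to-create#...`, which is root-relative and resolves to the site root rather than to the sibling article, so the warning is silenced without the link working; the repo convention visible elsewhere in this series is a file-relative link with the extension, `select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---rule-options`.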
From: gkomatsu Date: Mon, 9 Aug 2021 11:04:48 -0700 Subject: [PATCH 12/15] Update bulk-enrollment-using-windows-provisioning-tool.md Changed terms ICD -> WCD. Changed link from ADK to Microsoft Store Added Windows 11. Added bullet "Bulk Token creation is not supported with federated accounts." to notes --- ...ollment-using-windows-provisioning-tool.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index b9f88dc916..b3466dc27f 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,6 +1,6 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10. +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11. MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' 
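Review bot: the `description:` metadata now ends in a fragment, "... without the need to re-image the devices. In Windows 10 and 11."; fold it into the sentence ("... re-image Windows 10 and Windows 11 devices.") so the search snippet reads as a sentence.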
@@ -18,7 +18,7 @@ ms.date: 06/26/2017 # Bulk enrollment -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. ## Typical use cases 
@@ -37,12 +37,13 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. +> - Bulk Token creation is not supported with federated accounts. ## What you need - Windows 10 devices -- Windows Imaging and Configuration Designer (ICD) tool - To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd). +- Windows Configuration Designer (WCD) tool + To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd). - Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.) - Wi-Fi credentials, computer name scheme, and anything else required by your organization. 
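Review bot: "Getting started with Windows WCD" expands to "Windows Windows Configuration Designer"; use "Getting started with Windows Configuration Designer". Both links in that bullet point at the same target (`provisioning-install-icd`), so one of them is redundant or should point at the getting-started article. The "What you need" list still says "Windows 10 devices" while the intro in this patch was changed to "Windows 10 and 11". The new note "Bulk Token creation is not supported with federated accounts" introduces a term the page never defines; say what the bulk token is (or link to where it is created) so the reader knows which enrollment path the restriction applies to.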
@@ -50,14 +51,14 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro ## Create and apply a provisioning package for on-premises authentication -Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. +Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. -1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open the WCD tool. 2. Click **Advanced Provisioning**. ![icd start page](images/bulk-enrollment7.png) 3. Enter a project name and click **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**. +4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 6. Expand **Runtime settings** > **Workplace**. 7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. @@ -70,7 +71,7 @@ Using the ICD, create a provisioning package using the enrollment information re - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **Secret** - Password For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). - Here is the screenshot of the ICD at this point. + Here is the screenshot of the WCD at this point. ![bulk enrollment screenshot](images/bulk-enrollment.png) 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 
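Review bot: the alt text `icd start page` was not updated along with the ICD to WCD rename. Step 8 has the reader type the enrollment **Secret** (a password) into the package, and the page never says how the resulting .ppkg should be handled; one sentence noting that the package carries that credential and must be protected accordingly belongs here.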
@@ -90,12 +91,12 @@ Using the ICD, create a provisioning package using the enrollment information re ## Create and apply a provisioning package for certificate authentication -Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. +Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. -1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open the WCD tool. 2. Click **Advanced Provisioning**. 3. Enter a project name and click **Next**. -4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions. +4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 6. Specify the certificate. 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
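Review bot: in the @@ -90,12 +91,12 @@ hunk, step 4 keeps "**Common to all Windows editions**" while the same step in the on-premises section above (@@ -50,14 +51,14 @@) reads "**All Windows editions**"; both describe the same WCD dialog, so pick the label that matches the current tool and use it in both places while the line is being touched. The "Open the WCD tool." change mirrors the earlier section, so the same point about the missing install location applies here.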
@@ -129,8 +130,7 @@ Using the ICD, create a provisioning package using the enrollment information re Here's the list of topics about applying a provisioning package: - [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet. -- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN -- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN. +- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN - [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below ## Apply a package from the Settings menu From b901354412a69437adb848bf5df7ba6a1c3c7b50 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 9 Aug 2021 11:26:56 -0700 Subject: [PATCH 13/15] Update bulk-enrollment-using-windows-provisioning-tool.md --- .../mdm/bulk-enrollment-using-windows-provisioning-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index b3466dc27f..4df0e51619 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md 
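Review bot: in the @@ -129,8 +130,7 @@ hunk, the surviving "Apply a package to a Windows desktop edition image" bullet has no terminating period while its neighbours end with "topic in Technet." and "topic below"; since the line is being rewritten anyway, make the punctuation uniform. Retiring the Windows 10 Mobile bullet matches the rest of the series, but the #to_apply_a_provisioning_package_to_a_desktop_image anchor should be checked against the current target page before merge, since the mobile anchor next to it is being removed from the docs.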
@@ -1,6 +1,6 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11. +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11. MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' From 5e7ce5d47057923098b21c8474b9b3f8745d1415 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 9 Aug 2021 12:34:41 -0600 Subject: [PATCH 14/15] fix staging Sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5487 --- .../mdm/bulk-enrollment-using-windows-provisioning-tool.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 4df0e51619..1b84316554 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md 
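Review bot: in the @@ -1,6 +1,6 @@ hunk, the description still ends with the fragment "In Windows 10 and Windows 11."; fold it into the preceding sentence, e.g. "... without the need to re-image the devices, in Windows 10 and Windows 11." so the metadata reads as one sentence.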
@@ -43,6 +43,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro - Windows 10 devices - Windows Configuration Designer (WCD) tool + To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd). - Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.) - Wi-Fi credentials, computer name scheme, and anything else required by your organization. From ed55b1a5eb132967fd09b50d5c86647a1df73b5e Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 9 Aug 2021 12:46:55 -0600 Subject: [PATCH 15/15] Fix formatting Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5487 --- .../bulk-enrollment-using-windows-provisioning-tool.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 1b84316554..4fabdbc971 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md 
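Review bot: the @@ -43,6 +43,7 @@ hunk re-adds the "To get the WCD tool, download from the Microsoft Store..." sentence that the earlier @@ -37,12 +37,13 @@ hunk in this series already introduced under the same bullet; the commit message calls this a staging sync fix, so confirm that base 4df0e51619 genuinely lacks the sentence, otherwise the list item will carry it twice. The same wording points apply to this copy: "download it from", and the two links sharing one target.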
@@ -41,11 +41,11 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro ## What you need -- Windows 10 devices -- Windows Configuration Designer (WCD) tool +- Windows 10 devices. +- Windows Configuration Designer (WCD) tool. To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd). -- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.) +- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.). - Wi-Fi credentials, computer name scheme, and anything else required by your organization. Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. @@ -73,7 +73,8 @@ Using the WCD, create a provisioning package using the enrollment information re - **Secret** - Password For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). Here is the screenshot of the WCD at this point. - ![bulk enrollment screenshot](images/bulk-enrollment.png) + + ![bulk enrollment screenshot](images/bulk-enrollment.png) 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 11. On the main menu click **Export** > **Provisioning package**.
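Review bot: in the @@ -41,11 +41,11 @@ hunk, the rewritten enrollment-credentials bullet now ends "enrollment certificate for MDM.).", a period inside and another outside the parentheses; keep one, preferably the one after the closing parenthesis. In the @@ -73,7 +73,8 @@ hunk, the blank line and extra indentation before the screenshot are the right fix for rendering the image inside step 8; apply the same pattern to the "icd start page" image under step 2 of this section so both images render consistently.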