diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png deleted file mode 100644 index 7ee23eda5d..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png deleted file mode 100644 index a1ca65c3f4..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png deleted file mode 100644 index 87f685d460..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png deleted file mode 100644 index 1832454fbc..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png and /dev/null differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png deleted file mode 100644 index c85e74d141..0000000000 Binary files a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png and /dev/null differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 1c9ca9aba5..f74caeda09 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -12,7 +12,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 11/15/2017 +ms.date: 11/19/2020 --- # MDM enrollment of Windows 10-based devices @@ -248,33 +248,6 @@ To create a local account and connect the device: After you complete the flow, your device will be connected to your organization’s MDM. - -### Connect to MDM on a phone (enroll in device management) - -1. Launch the Settings app, and then select **Accounts**. - - ![phone settings](images/unifiedenrollment-rs1-38.png) - -2. Select **Access work or school**. - - ![phone settings](images/unifiedenrollment-rs1-39.png) - -3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). - - ![access work or school page](images/unifiedenrollment-rs1-40.png) - -4. Enter your work email address. - - ![enter your email address](images/unifiedenrollment-rs1-41.png) - -5. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - -6. After you complete the flow, your device will be connected to your organization’s MDM. - - ![completed mdm enrollment](images/unifiedenrollment-rs1-42.png) - ### Help with connecting personally-owned devices There are a few instances where your device may not be able to connect to work. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c72bdf03e9..4c6e0b8880 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -10,11 +10,11 @@ ms.sitesec: library ms.localizationpriority: high audience: ITPro author: linque1 -ms.author: obezeajo +ms.author: robsize manager: robsize ms.collection: M365-security-compliance ms.topic: article -ms.date: 7/7/2020 +ms.date: 12/1/2020 --- # Manage connections from Windows 10 operating system components to Microsoft services diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index a26f59d1ed..9c201ba4ac 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -1,6 +1,6 @@ --- title: Block untrusted fonts in an enterprise (Windows 10) -description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. +description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 ms.reviewer: manager: dansimp @@ -23,7 +23,7 @@ ms.localizationpriority: medium > Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. +To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. ## What does this mean for me? Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on. @@ -33,7 +33,10 @@ There are 3 ways to use this feature: - **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. -- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.

**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. +- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log. + + > [!NOTE] + > If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues. - **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). @@ -56,7 +59,7 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through Group Policy** 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. -2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: +2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**: - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. @@ -137,9 +140,9 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic. +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. ## Related content diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 3ab82897fa..fd7da12f88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -50,14 +50,14 @@ To have your company listed as a partner in the in-product partner page, you wil 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done. 5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application. 6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). - Follow these steps: - 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP-integrated product with the version of the product that includes this integration. - - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}` - - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` - 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` + - Set the User-Agent field in each HTTP request header to the name based on the Following nomenclature. + - `MsdePartner-{CompanyName}-{ProductName}/{Version}` + + - For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` + + - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index 6948f7a392..f0439ebf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -42,7 +42,7 @@ It's important to understand the following requirements prior to creating indica - This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. -- The virus and threat protection definitions must be up-to-date. +- The virus and threat protection definitions must be up to date. - This feature currently supports entering .CER or .PEM (Base64 ASCII) encoding based certificates. >[!IMPORTANT] diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 68c6dfd43f..733c2fdbd1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -37,7 +37,7 @@ ms.topic: conceptual ## Configure compliance policy against jailbroken devices -To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you setup the following compliance policy on Intune. +To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. > [!NOTE] > Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index cb1c7d7be7..319d2756e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -56,7 +56,7 @@ The following table summarizes the steps you would need to take to deploy and ma | [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | | [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | -| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | +| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

**Note:** If you are planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | | [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index d9e0d8d50b..c1ccd042f6 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "havens" as a substring anywhere in the password.